Okta Authentication
Ivanti Neurons currently offers the option of selecting Okta as the external authentication provider for your tenant. This is a good choice if you want to centralize the end user log on experience, reduce the occurrence of password-related calls to the help desk, and have granular controls over policies and audit trails.
Configure & Enable External Authentication
- In Ivanti Neurons Platform, navigate to Admin > Authentication.
  The Authentication page appears.
- In the External Authentication (SSO) section, click Configure & Enable.
  The Enable External Authentication (SSO) page appears.
- From the Provider drop-down list, select Okta.
  The Okta Configuration Settings appear.
Before you can continue with the Ivanti Neurons configuration you must first carry out the following steps in Okta.
- Log in to Okta.
- In the sidebar menu, select Applications > Applications.
  The Applications dashboard appears.
- Select Browse App Catalog.
  The Browse App Integration Catalog appears.
- Search for, and select, Ivanti Neurons.
- Select Add Integration.
  The Add Ivanti Neurons page appears.
- The Application label is Ivanti Neurons by default; change it if required. Select Done.
  The Assignment page appears.
- The Assignments page allows you to specify who can access the Ivanti Neurons application. You can allow access to individuals or groups.
  Select Assign to People or Assign to Groups. Remember to assign it to the person setting up the integration; they will need permissions to be able to access the application.
- Search for, and select, the people or group you want to assign the app to.
- Select Assign.
- Once you have assigned the app to all required people or groups, select Done.
- Select the Sign On tab.
- Select Edit.
- In Base URL, paste the URL copied from the Ivanti Neurons Platform > Authentication page.
- Select Save. The integration is created.
- A Client ID and Client Secret are generated and displayed.
  You need to record the Domain, Client ID and Client Secret ready to use in the next step of the setup in the Ivanti Neurons Platform.
Only SP-initiated SSO is supported.
- Log in to Okta as an Admin.
- Expand the Applications drop-down, click Applications.
- Click Browse App Catalog.
- Search for Bookmark App, select it from the list of results, and click Add.
- Enter an Application label, which will be the display name. For example, Ivanti Neurons <Company Name> Neurons tenant.
- Copy the URL to link to directly into the URL field. This should be the URL for the Neurons tenant you are attempting to connect to.
- Click Save.
- Assign users to test.
Okta setup is now complete and you can return to Ivanti Neurons Platform to continue setup.
Once you have created the Okta application you can continue with the Ivanti Neurons Platform configuration.
- Return to the Okta Configuration Settings page (Ivanti Neurons Platform > Authentication > External Authentication (SSO) > Configure and Enable).
- Enter the Okta Domain from the user profile drop-down in the top-right of the Okta app integration.
- Leave the Auth Server ID blank. You only need to specify the tenant details if you are using a custom authorization server. For further details refer to Okta App setup - Custom authorization server.
- Enter the Client ID that was generated and saved from the Okta app integration.
- Enter the Client secret value that was generated and saved from the Okta app integration.
- Select Continue to display the Validate Connection Settings page.
You need to connect with your Okta credentials to validate your connection settings.
- On the Validate Connection Settings page, click Validate Settings to open your organization's sign-in page in a new tab, then enter your Okta credentials and sign in. If you are already signed in, credentials are not required and the validation takes place automatically, so make sure you are signed in to the account you want to authenticate.
  You will receive a confirmation screen if login is successful.
- Return to this tab (Validate Connection Settings).
- Select the check box I confirm I have successfully validated my connection settings to confirm you have logged in successfully.
- Click Continue to move on to convert Ivanti Neurons Platform accounts. The Enable Ivanti Neurons Platform accounts page displays.
The Okta username must exactly match your Ivanti Neurons username.
- E2018 Authentication failed: User failed to authenticate with Okta. Check the username and password are correct and that the user has permissions on the Okta Application Registration.
- E2020 Unable to link to Neurons Platform user account: The Okta user login does not match the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to log in to Okta.
Okta is now configured, but it is not enabled.
To enable, you need to convert your Ivanti Neurons Platform accounts to use Okta instead.
- On the Enable Ivanti Neurons Platform accounts page, click Sign Out & Enable.
  The Ivanti Neurons Sign In page appears.
- Select Sign In with Okta and enter your Okta credentials. The conversion is then complete.
All members will receive an email to confirm the account has been converted and that they must access the tenant with Okta credentials going forward. If the member does not have Okta credentials, they will not be able to access Ivanti Neurons.
External Authentication (SSO) will now display with an Enabled status.
- Log in to Okta.
- In the sidebar menu, select Applications > Applications.
  The Applications dashboard appears.
- Select Create App Integration.
  The Create a new app integration page appears.
- Select the Sign-in method OIDC - OpenID Connect.
- Select the Application type Web Application.
- Click Next.
  The New Web App Integration page appears.
- Give the application a name in App integration name.
- For the grant type, select Implicit (hybrid).
- Enter the Sign-in redirect URI: the base URL (as displayed in the Ivanti Neurons Platform Okta Configuration Settings) with /signin-okta appended.
- Enter the Sign-out redirect URI: the base URL (as displayed in the Ivanti Neurons Platform Okta Configuration Settings) with /signout-okta appended.
- In Assignments, select the level of control you want over access.
- Select Save. The application is created.
- A Client ID and Client Secret are generated and displayed.
  You need to record the Domain, Client ID and Client Secret ready to use in the next step of the setup in the Ivanti Neurons Platform.
Okta setup is now complete and you can return to Ivanti Neurons Platform.
Configure Auto Provisioning
Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the Okta Application without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto provisioned members will be granted the access control roles defined in the set up.
- In Ivanti Neurons Platform, navigate to Setup > Authentication.
  The Authentication Method page appears.
- In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
- From the Default roles drop-down, select the access control role that you want to be assigned to all new members.
  To set up Roles, go to Ivanti Neurons > Admin > Roles.
- Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.
Once enabled, the options Edit the default access control roles and Disable auto provisioning become available. Editing the roles or disabling auto provisioning does not affect existing auto provisioned members; it applies only to those who are provisioned after the changes have been made.
Once auto-provisioning has been enabled, everyone who has access to the Okta Application will have access to Ivanti Neurons. You can restrict access to certain users or groups from within the Okta Application. Refer to the Okta documentation for further details.
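The exact-match requirement and the loss of access on conversion described earlier, together with the auto provisioning behaviour above, can be checked before you click Sign Out & Enable. The following is an added example, not Ivanti or Okta code; the function name and the two input lists are hypothetical and stand for exports of Neurons member usernames and Okta application assignee logins.

```python
"""Pre-conversion audit: who loses access, who gets auto provisioned."""


def audit_conversion(neurons_members, okta_assignees):
    """Compare Neurons member usernames with Okta app assignee logins.

    Both arguments are iterables of strings (hypothetical exports; the
    page does not define an export format).
    """
    okta_exact = set(okta_assignees)
    # Map a normalised form back to the Okta login to spot near-misses.
    okta_folded = {o.strip().casefold(): o for o in okta_assignees}
    report = {"ok": [], "near_miss": [], "locked_out": [], "auto_provisioned": []}
    matched_okta = set()
    for member in neurons_members:
        folded = member.strip().casefold()
        if member in okta_exact:
            report["ok"].append(member)
            matched_okta.add(member)
        elif folded in okta_folded:
            # Differs only by case or whitespace. Treated as a mismatch here
            # because the page requires an exact match (see E2020).
            report["near_miss"].append((member, okta_folded[folded]))
            matched_okta.add(okta_folded[folded])
        else:
            # Not assigned in Okta: cannot sign in once accounts are converted.
            report["locked_out"].append(member)
    # Assignees without a Neurons account receive the default role on first
    # login if auto provisioning is enabled.
    report["auto_provisioned"] = sorted(okta_exact - matched_okta)
    return report


# Constructed sample data, not taken from a real tenant.
NEURONS_MEMBERS = ["alice@example.com", "Bob@example.com", "carol@example.com"]
OKTA_ASSIGNEES = ["alice@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    result = audit_conversion(NEURONS_MEMBERS, OKTA_ASSIGNEES)
    for category, entries in result.items():
        print(f"{category}: {entries}")
```

Review the auto_provisioned list against the default role you selected, and resolve locked_out and near_miss entries in Okta before converting accounts.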
Update Client Secret
If you want to update the Okta client secret, you need to set a new one to continue using this authentication method.
- In Ivanti Neurons Platform, navigate to Setup > Authentication.
- Click Actions and select Update client secret.
  The Update Client Secret page appears.
- Enter the new client secret from your Okta application.
- Click Continue.
  The Validate Client Secret page appears.
- Click Validate Client Secret; this opens your Okta sign-in page.
  Enter your username and password; these are the same as the sign-in credentials for the Ivanti Neurons Platform. When you sign in, the new client secret is validated. If successful, return to this wizard and continue to update the client secret. If it is unsuccessful, go back and check that the new client secret you entered is accurate. For other failure reasons see Validation Troubleshooting.
- Once you have successfully validated the new client secret, select the confirmation check box I confirm I have successfully validated my new client secret and click Continue.
- Click Save Changes to complete the process. This updates the client secret with immediate effect; you are not required to do anything further.