PingOne Authentication
Ivanti Neurons currently offers the option of selecting PingOne as the external authentication provider for your tenant. This is a good choice if you want to centralize the end user logon experience, reduce the occurrence of password-related calls to the help desk, and have granular controls over policies and audit trails.
Configure & Enable External Authentication
- In Ivanti Neurons Platform navigate to Admin > Authentication.
The Authentication page appears.
- In the External Authentication (SSO) section, click Configure & Enable.
The Enable External Authentication (SSO) page appears.
- From the Provider drop-down select PingOne.
The PingOne Configuration Settings appear.
Before you can continue with the Ivanti Neurons configuration you must first carry out the following steps in the PingOne admin console.
- Log in to the PingOne admin console.
- From My Environments > Administrators, select Connections from the sidebar menu.
- From the Connections menu, select Applications.
The Applications page appears.
- Select the + icon next to Applications, to add a new application.
The New Application page appears.
- Enter an Application Name e.g. Ivanti Neurons.
- In the Applications Type section, select Native.
- Select Save.
The New Application page appears.
- Select the Configuration tab.
- Select Edit.
- In Redirect URI paste the URI copied from the Ivanti Neurons platform > Authentication page.
- Set the Token Endpoint Authentication Method to Client Secret Post.
- In the Signoff URL paste the URL copied from the Ivanti Neurons platform > Authentication page.
- Select Save.
- Select the Resources tab.
- Select Edit.
- Add two new scopes: Email scope and Profile scope.
- Select Save.
- Set the new application toggle to Enable so that users have access to the application.
- Once enabled, select the Configuration tab, where all of the paths have been generated. You need to copy the following paths to input into the Ivanti Neurons platform External Authentication Configuration:
- Issuer
- Client ID (expand General section for this)
- Client Secret (expand General section for this)
You need to record or copy the Issuer, Client ID and Client Secret ready to use in the next step of the setup in the Ivanti Neurons Platform.
PingOne setup is now complete and you can return to Ivanti Neurons Platform to continue setup.
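The following pre-flight check is an added example, not part of the Ivanti or PingOne documentation. It compares the recorded Issuer with the provider's OIDC discovery document (published at `<Issuer>/.well-known/openid-configuration` under the OpenID Connect Discovery standard) and confirms that the provider advertises the Client Secret Post method and the Email and Profile scopes used above. The function name `preflight`, the sample document and the same-origin rule for the token endpoint are assumptions of this example; the discovery document describes what the provider supports, not the individual application's settings.

```python
from urllib.parse import urlsplit

# Constructed sample discovery document; host and environment ID are placeholders.
SAMPLE_DISCOVERY = {
    "issuer": "https://auth.example.test/ENV-ID-PLACEHOLDER/as",
    "token_endpoint": "https://auth.example.test/ENV-ID-PLACEHOLDER/as/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email"],
}

REQUIRED_SCOPES = {"email", "profile"}       # scopes added on the Resources tab
REQUIRED_AUTH_METHOD = "client_secret_post"  # "Client Secret Post" on the Configuration tab


def preflight(issuer, client_id, client_secret, discovery):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    fields = (("Issuer", issuer), ("Client ID", client_id), ("Client Secret", client_secret))
    for name, value in fields:
        # Copy/paste from a console often picks up stray spaces or newlines.
        if not value or value != value.strip():
            problems.append(f"{name} is empty or has leading/trailing whitespace")
    parts = urlsplit((issuer or "").strip())
    if parts.scheme != "https" or not parts.netloc:
        problems.append("Issuer must be an absolute https URL")
    if parts.query or parts.fragment:
        problems.append("Issuer must not contain a query string or fragment")
    # OIDC Discovery requires an exact string match, including any trailing slash.
    if discovery.get("issuer") != issuer:
        problems.append("Issuer does not exactly match the discovery document")
    if REQUIRED_AUTH_METHOD not in discovery.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"Provider does not advertise {REQUIRED_AUTH_METHOD}")
    missing = REQUIRED_SCOPES - set(discovery.get("scopes_supported", []))
    if missing:
        problems.append("Provider does not advertise scopes: " + ", ".join(sorted(missing)))
    # Assumption of this example: the client secret is posted to the token
    # endpoint, so that endpoint should share the issuer's https origin.
    token = urlsplit(discovery.get("token_endpoint", ""))
    if (token.scheme, token.netloc) != (parts.scheme, parts.netloc):
        problems.append("token_endpoint is not on the issuer's https origin")
    return problems


if __name__ == "__main__":
    # Placeholder credentials; never hard-code a real client secret.
    print(preflight(SAMPLE_DISCOVERY["issuer"], "CLIENT-ID-PLACEHOLDER",
                    "CLIENT-SECRET-PLACEHOLDER", SAMPLE_DISCOVERY))
```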
Once you have created the PingOne application you can continue with the Ivanti Neurons Platform configuration.
- Return to the PingOne Configuration Settings page (Ivanti Neurons Platform > Authentication > External Authentication (SSO) > Configure and Enable).
- Enter the Issuer path that was generated and copied/saved from PingOne.
- Enter the Client ID that was generated and copied/saved from PingOne.
- Enter the Client secret value that was generated and copied/saved from PingOne.
- Select Continue to display the Validate Connection Settings page.
You need to connect with your PingOne credentials to validate your connection settings.
- On the Validate Connection Settings page, click Validate Settings to access your organization's sign-in page via a new tab, enter your PingOne credentials and proceed to sign in. If you are already signed in, credentials are not required and the validation takes place automatically, so make sure you are signed in to the account you want to authenticate.
You will receive a confirmation screen if login is successful.
- Return to this tab (Validate Connection Settings).
- Select the check box I confirm I have successfully validated my connection settings to confirm you have logged in successfully.
- Click Continue to move on to convert Ivanti Neurons Platform accounts. The Enable Ivanti Neurons Platform accounts page displays.
The PingOne username must exactly match your Ivanti Neurons username.
- E2018 Authentication failed: User failed to authenticate with PingOne. Check the username and password are correct and that the user has permissions on PingOne.
- E2020 Unable to link to Neurons Platform user account: The PingOne user login does not match the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to log in to PingOne.
PingOne is now configured, but it is not enabled.
To enable, you need to convert your Ivanti Neurons Platform accounts to use PingOne instead.
- On the Enable Ivanti Neurons Platform accounts page, click Sign Out & Enable.
The Ivanti Neurons Sign In page appears.
- Select Sign In with PingOne and enter your PingOne credentials; the conversion will then be complete.
All members will receive an email to confirm the account has been converted and that they must access the tenant with PingOne credentials going forward. If the member does not have PingOne credentials, they will not be able to access Ivanti Neurons.
External Authentication (SSO) will now display with an Enabled status.
Configure Auto Provisioning
Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the PingOne Application without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto provisioned members will be granted the access control roles defined in the set up.
- In Ivanti Neurons Platform navigate to Setup > Authentication.
The Authentication Method page appears.
- In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
- From the Default roles drop-down, select the access control role that you want to be assigned to all new members.
To set up roles, go to Ivanti Neurons > Admin > Roles.
- Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.
Once enabled, the options Edit the default access control roles and Disable auto provisioning become available. Editing the roles, or disabling auto provisioning, will not affect any existing auto provisioned members; it will only apply to those who are provisioned after the changes have been made.
Once auto-provisioning has been enabled, everyone who has access to the PingOne Application will have access to Ivanti Neurons. You can restrict access to certain users or groups from within the PingOne Application. Refer to the PingOne documentation for further details.
Update Client Secret
If you want to update the PingOne client secret, you need to set a new one to continue using this authentication method.
- In Ivanti Neurons Platform navigate to Setup > Authentication.
- Click Actions and select Update client secret.
The Update Client Secret page appears.
- Enter the new client secret from your PingOne application.
- Click Continue.
The Validate Client Secret page appears.
- Click Validate Client Secret; this opens your PingOne sign-in page.
Enter your username and password; this will be the same as the sign-in credentials for the Ivanti Neurons Platform. When you sign in, the new client secret is validated. If successful, return to this wizard and continue to update the client secret. If it is unsuccessful, go back and check if the new client secret you entered is accurate. For other failure reasons see Validation Troubleshooting.
- Once you have successfully validated the new client secret, select the confirmation check box I confirm I have successfully validated my new client secret and click Continue.
- Click Save Changes to complete the process. This updates the client secret with immediate effect; you are not required to do anything further.