OneLogin Authentication (SAML)

Ivanti Neurons currently offers the option to choose OneLogin as the external authentication provider for your tenant. OneLogin centralizes the end user log on experience, reduces the occurrence of password related calls to the help desk, and produces granular controls over policies and audit trails.

Configure and Enable External Authentication

  1. In the Ivanti Neurons Platform, navigate to Admin > Authentication.
    The Authentication page appears.

  1. In the External Authentication (SSO) section, click Configure & Enable.
    The Enable External Authentication (SSO) page appears.

  1. From the Provider drop-down, select OneLogin.

  2. From the Sign-In Method drop-down, select Saml 2.0.

    OneLogin SAML 2.0 Configuration Settings appears. It is recommended to leave this tab open for future reference when configuring the details in OneLogin console.

  1. Log in to OneLogin console.

  2. Navigate to Applications > Applications.

  3. Click Add App, to add a new application.
    The Find Applications screen appears.

  1. Select SAML Custom Connector (Advanced).
    The Add SAML Custom Connector (Advanced) screen appears.

  2. Enter the description as required and click Save.

  3. In Configuration, enter the values in the following fields from the Ivanti Neurons tab that was open:

    1. Audience (Entity ID): Entity ID.

    2. Recipient: Assertion Consumer Service URL

    3. ACS (Consumer) URL Validator: Assertion Consumer Service URL

    4. ACS (Consumer) URL: Assertion Consumer Service URL

  4. Click Save.

  5. Navigate to Parameters and update theSAML Custom Connector (Advanced) Field as follows.

    1. Click . Enter the field name as email and select Include in SAML assertion > Save. In the Edit Field email, set the Value to Email > Save.

    2. Click . Enter the field name as family_name and select Include in SAML assertion > Save. In the Edit Field family_name, set the Value to Last Name > Save.

    3. Click . Enter the field name as given_name and select Include in SAML assertion > Save. In the Edit Field given_name, set the Value to First Name > Save.

      Refresh the page if the Value field reflects as No default.

  6. Navigate to SSO > More Actions. Click SAML Metadata.
    The metadata file is downloaded.

  1. Navigate to Enable External Authentication page of Ivanti Neurons Platform that was open and click Select file.

  2. Open the downloaded metadata file and click Upload.

  3. Click Continue to validate the settings.

You must connect with your OneLogin credentials to validate your connection settings.

  1. On the Validate Connection Settings page, click Validate Settings.
    The validation takes place automatically. You will receive a confirmation screen if login is successful.

  2. Return to the Validate Connection Settings page and select the check box to confirm login success.
    OneLogin is now configured, but it is not enabled. To enable, you need to convert your Ivanti Neurons Platform accounts to OneLogin.

  3. Click Continue to proceed to the Convert your Ivanti Neurons platform account page.

  • E2018 Authentication failed: User failed to authenticate with OneLogin. Check that the username and password are correct, and that the user has permissions on the OneLogin Application Registration.

  • E2019 Missing optional claims: Validation step failed because the additional optional claims were not present in the token returned to Ivanti Neurons Platform from OneLogin.

  • E2020 Unable to link to Neurons Platform user account: The OneLogin user login does not match with the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to login into OneLogin.

  1. On the Convert your Ivanti Neurons platform account page, click Sign Out & Enable. Ivanti Neurons is signed-out.

  2. Click Sign in with OneLogin to complete the process.

  3. You can now view OneLogin application in Admin > Authentication with an Enabled status.

  4. Click Sign out from the Neurons platform.
    Now, when you sign back in, you are routed to OneLogin to choose the account and sign in with OneLogin credentials.

Configure Auto Provisioning

Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the OneLogin Application Registration without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto-provisioned members will be granted the access control roles defined in the set up.

  1. In Ivanti Neurons Platform navigate to Setup > Authentication.
    The Authentication Method page appears.

  1. In the External Authentication section, click Actions and select Enable auto provisioning.

  1. From the Default roles drop-down, select the access control role that you want to be assigned to all new members.
    To set up Roles, go to Ivanti Neurons > AdminRoles.

  1. Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.

Once enabled, you can edit default access control roles and disable auto provisioning. These changes will only apply to members provisioned after the modifications and will not affect existing members.

Enabling auto-provisioning grants all OneLogin Application Registration users access to Ivanti Neurons. You can restrict access to certain users or groups from within the OneLogin Application.

(Optional)Update Metadata (Ivanti Neurons Platform)

  1. In Ivanti Neurons Platform, navigate to Admin > Authentication.
    The Authentication page appears.

  2. In the External Authentication section, click Actions >Update metadata.
    The Update SAML metadata screen appears.

  3. In OneLogin Configuration Settings, click Select file.

  4. Open the downloaded metadata file and click Upload.

  5. Click Continue to validate the settings.

  6. On the Validate New SAML metadata page, click Validate SAML Metadata.

  7. A new tab opens on your organization’s sign-in page. Enter your credentials and sign in.
    The validation takes place automatically. You will receive a confirmation screen if login is successful.

  8. Return to the Validate New SAML metadata page and select the check box to confirm login success.

  9. Click Continue to proceed to the Save New SAML Metadata page.

  10. Click Save changes to complete the process.
    A notification confirming the successful update of metadata is received.

(Optional) Delete Authentication Method (Ivanti Neurons Platform)

  1. In the Ivanti Neurons Platform, navigate to Admin > Authentication.
    The Authentication page appears.

  2. In the External Authentication section, click Actions >Delete authentication method.
    The Delete External Authentication screen appears.

  3. Click Sign Out & Re-authenticate.
    Ivanti Neurons is signed-out.

  4. Click Sign in with email and password.

  5. Enter the credentials and click Sign In.

  6. Navigate to Admin > Authentication > External Authentication, then click Actions >Delete authentication method.
    Delete External Authentication screen appears.

  7. Click Delete Authentication Method.
    The existing authentication method is now deleted.