PingFederate - OIDC Protocol
Ivanti Neurons currently offers the option of selecting PingFederate as the external authentication provider for your tenant. PingFederate centralizes the end user log on experience, reduces the occurrence of password-related calls to the help desk, and produces granular controls over policies and audit trails.
Configure & Enable External Authentication

- In the Ivanti Neurons Platform, navigate to Admin > Authentication.
  The Authentication page appears.
- In the External Authentication (SSO) section, click Configure & Enable.
  The Enable External Authentication (SSO) page appears.
- From the Provider drop-down, select PingFederate.
- From the Sign-In Method drop-down, select OpenId Connect (OIDC).
  PingFederate Configuration Settings appears. It is recommended to leave this tab open for future reference when configuring the details in the PingFederate Admin console.

- Log in to the PingFederate Admin console.
- From Applications, select OAuth.
- Click Add Client.
- In Client, update the client configuration and policy information as follows:
  - CLIENT ID: Enter a unique client ID of your choice. Copy this client ID and paste it in the Client ID field on the Ivanti Neurons tab that was open.
  - NAME: Same as CLIENT ID.
  - CLIENT AUTHENTICATION: Select CLIENT SECRET.
  - CLIENT SECRET: Select CHANGE SECRET and click Generate Secret.
  - Copy the CLIENT SECRET value and paste it in the Client secret value field on the Ivanti Neurons tab that was open.
  - REDIRECT URIS: Copy the Redirect Uri from the Neurons Platform and paste it in the Redirection URIs field in the PingFederate Admin portal.
  - Click Add.
  - ALLOWED GRANT TYPES: Select Authorization Code and Implicit.
  - DEFAULT ACCESS TOKEN MANAGER: Select IvantiTestToken.
  - OPENID CONNECT: Copy the Signoff Uri from the Neurons Platform and paste it in the Post-Logout Redirect URIs field on the PingFederate Admin portal and click Add.
  - Click Save.
- In SYSTEM, select Server > Protocol Settings > Federation Info, copy the BASE URL and paste it in the Issuer field on the Ivanti Neurons tab that was open.
- Click Continue on the Ivanti Neurons tab to validate the settings.

You must connect with your PingFederate credentials to validate your connection settings.
- On the Validate Connection Settings page, click Validate Settings. A new tab opens on your organization’s sign-in page. Enter your PingFederate credentials and click Sign On.
- On the Request for Approval page, ensure the following are selected:
  - ACCESS TO YOUR USERNAME
  - OPENID SCOPE
  - PROFILE SCOPE
  - EMAIL SCOPE
- Click Allow.
- Return to the Validate Connection Settings page and select the check box to confirm login success.
  PingFederate is now configured, but it is not enabled. To enable, you need to convert your Ivanti Neurons Platform accounts to PingFederate.
- Click Continue to proceed to the Convert your Ivanti Neurons platform account page.

- E2018 Authentication failed: User failed to authenticate with PingFederate. Check that the username and password are correct, and that the user has permissions on the PingFederate SP Connection.
- E2019 Missing optional claims: Validation step failed because the additional optional claims were not present in the token returned to Ivanti Neurons Platform from PingFederate.
- E2020 Unable to link to Neurons Platform user account: The PingFederate user login does not match the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to log in to PingFederate.

- On the Convert your Ivanti Neurons platform account page, click Sign Out & Enable. Ivanti Neurons is signed-out.
- Click Sign in with PingFederate and enter your PingFederate credentials to complete the process.
- You can now view the PingFederate application in Admin > Authentication with an Enabled status.
- Click Sign out from the Neurons platform.
  Now, when you sign back in, you are routed to PingFederate to choose the account and sign in with PingFederate credentials.
Ensure that the Contract Fulfillment field in Applications > OAuth > Access Token Mappings > IdP Adapter: PingOneIdpAdapter > Access Token Mapping includes the email, given_name, and family_name user attributes.
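
A pre-flight check for the values this procedure wires together, as an added example that is not Ivanti's or Ping Identity's code: it compares the Issuer field with the issuer in the PingFederate OIDC discovery document and in a token, then checks the audience, the email, given_name and family_name claims, and the email match described under E2019 and E2020. The host name, client ID, user and token are constructed, the token signature is not verified, and how Ivanti Neurons itself performs these checks is an assumption.

```python
import base64
import json

REQUIRED_SCOPES = {"openid", "profile", "email"}          # approved on the Request for Approval page
REQUIRED_CLAIMS = ("email", "given_name", "family_name")  # Contract Fulfillment attributes

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_token(claims):
    """Build a constructed compact JWT with a placeholder signature."""
    return ".".join((_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "sig"))

def decode_payload(token):
    """Decode, without verifying, the payload of a compact JWT (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))

def preflight(discovery, issuer_field, client_id, token, neurons_email):
    """Return a list of findings; an empty list means every check passed."""
    findings, claims = [], decode_payload(token)
    # OIDC requires an exact issuer match, so a trailing slash is a mismatch.
    for label, value in (("discovery issuer", discovery.get("issuer")),
                         ("token iss", claims.get("iss"))):
        if value != issuer_field:
            findings.append(f"issuer mismatch: {label}={value!r}")
    # scopes_supported is optional in discovery metadata; check only when published.
    missing = REQUIRED_SCOPES - set(discovery.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        findings.append(f"scopes not offered: {sorted(missing)}")
    aud = claims.get("aud")  # may be a single string or a list
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud does not contain client id {client_id!r}")
    # Assumption: emails compare case-insensitively; the page only says they must match.
    absent = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if absent:
        findings.append(f"missing claims (compare E2019): {absent}")
    elif claims["email"].lower() != neurons_email.lower():
        findings.append("email differs from Neurons account (compare E2020)")
    return findings

# Constructed sample data; the host name, client ID and user are placeholders.
ISSUER = "https://sso.example.test"
DISCOVERY = {"issuer": ISSUER, "scopes_supported": ["openid", "profile", "email"]}
GOOD = {"iss": ISSUER, "aud": "neurons-oidc", "email": "a.user@example.test",
        "given_name": "A", "family_name": "User"}
```

An empty list from `preflight` means the constructed inputs are consistent; each string it returns names the setting to recheck in the PingFederate client or the Ivanti Neurons tab.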
Configure Auto Provisioning
Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the PingFederate Application Registration without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto-provisioned members will be granted the access control roles defined in the setup.

- In Ivanti Neurons Platform, navigate to Setup > Authentication.
  The Authentication Method page appears.
- In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
- From the Default roles drop-down, select the access control role that you want to be assigned to all new members.
  To set up Roles, go to Ivanti Neurons > Admin > Roles.
- Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.
Once enabled, you can edit default access control roles and disable auto provisioning. These changes will only apply to members provisioned after the modifications and will not affect existing members.
Enabling auto-provisioning grants all PingFederate Application Registration users access to Ivanti Neurons. You can restrict access to certain users or groups from within the PingFederate Application.
(Optional) Update Client Secret (Ivanti Neurons Platform)
If the PingFederate client secret is due to expire, you need to set a new one to continue using this authentication method.
- In Ivanti Neurons Platform, navigate to Setup > Authentication.
  The Authentication page appears.
- In the External Authentication section, click Actions > Update client secret.
  The Update Client Secret page appears.
- Paste the new Client secret obtained from the PingFederate application in the Client secret value field of the Ivanti Neurons Platform.
- Click Continue to validate the Client secret.
- On the Validate New Client Secret page, click Validate Client Secret. A new tab opens on your organization’s sign-in page.
- Enter your PingFederate credentials and click Sign On.
- On the Request for Approval page, ensure the following are selected:
  - ACCESS TO YOUR USERNAME
  - OPENID SCOPE
  - PROFILE SCOPE
  - EMAIL SCOPE
- Click Allow.
  If successful, return to this wizard and continue to update the client secret.
  If unsuccessful, verify that the new client secret entered is correct. For other failure reasons see Validation Troubleshooting.
- Return to the Validate New Client Secret page and select the check box to confirm login success.
- Click Continue to proceed to the Save New Client Secret page.
- Click Save changes to complete the process.
  A notification confirming the successful update of client secret is received.
(Optional) Delete Authentication Method (Ivanti Neurons Platform)
- In the Ivanti Neurons Platform, navigate to Admin > Authentication.
  The Authentication page appears.
- In the External Authentication section, click Actions > Delete authentication method.
  The Delete External Authentication screen appears.
- Click Sign Out & Re-authenticate.
  Ivanti Neurons is signed-out.
- Click Sign in with email and password.
- Enter the credentials and click Sign In.
- Navigate to Admin > Authentication > External Authentication, then click Actions > Delete authentication method.
  The Delete External Authentication screen appears.
- Click Delete Authentication Method.
  The existing authentication method is now deleted.