Entra ID Authentication (SAML)
Entra ID is one option for an external authentication provider for your tenant. It is a good choice if you want to:
- Centralize the end user log on experience.
- Reduce the occurrence of password related calls to the help desk.
- Have granular controls over policies and audit trails.
The following steps establish Entra ID authentication using the SAML protocol:
- In Ivanti Neurons Platform navigate to Admin > Authentication. The Authentication page appears.
- In the External Authentication (SSO) section, click Configure & Enable. The Enable External Authentication page appears.
- From the Provider drop-down, select Entra ID.
- From the Sign-In Method drop-down, select SAML. The Entra ID Configuration Settings appear. You will need these when setting up Entra ID, so keep this tab open in your browser. It is referred to as "Neurons" or the "Neurons tab" in the following instructions.
Before you can continue with the Ivanti Neurons configuration, you must first carry out some steps in the Microsoft Azure Portal. In a new browser tab, go to your Entra ID tenant:
- Go to Enterprise Applications.
- Select New Application.
- Select Create your own application.
- Enter a name.
- Select the option "Integrate any other application you don't find in the gallery (non-gallery)".
- Click Create and wait for Entra ID to finish.
- Open the newly created application:
  - Go to Single Sign-on.
  - Select SAML.
Next, provide the details given by Neurons (the UEM tenant) to Entra ID to establish the connection between the two.
Information needs to be copied between Ivanti Neurons Platform and Entra ID to establish a secure handshake. Keep both tabs available and switch between them as the following instructions direct.
In Entra ID, select Edit in the Basic SAML Configuration tile. A window appears on the right.
- Copy EntityID from Neurons into Identifier in Entra ID. Click Add Identifier to reveal the text box in the Entra ID Edit window.
- Copy Assertion Consumer Service URL from Neurons into Reply URL in Entra ID. Again, click Add reply URL to reveal the text box.
- Click Save.
Both values must match what Neurons shows character for character, including any trailing slash: Entra ID uses the Identifier as the Audience of the assertion and only posts assertions to a registered Reply URL, so a near match fails at validation time.
When a dialog offers to test the sign-in, decline it; all of the entries will be validated together later.
This sets up the application.
Under SAML Certificates in the Entra ID tenant, an App Federation Metadata URL is provided. Copy it, switch to Neurons, and paste it into:
- Identity Provider (IDP) Metadata Endpoint URL
- Click Continue.
The secure handshake is set up.
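Before handing the App Federation Metadata URL to Neurons, it is worth seeing what that document actually contains: the IdP entityID, the single sign-on endpoints, and the signing certificate Neurons will use to verify assertions. The Python script below is an added example, not Ivanti or Microsoft code. Its metadata document is constructed (an all-zero tenant ID and a placeholder DER blob in place of a real X.509 certificate); against a real tenant you would fetch the URL and pass the XML text to `parse_idp_metadata()`.

```python
"""Inspect Entra ID SAML federation metadata before handing its URL to Neurons.

Added example, not part of the Ivanti documentation. SAMPLE_METADATA is constructed:
an all-zero tenant ID and a placeholder DER blob instead of a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID (constructed)
PLACEHOLDER_DER = bytes.fromhex("3003020101")      # DER SEQUENCE { INTEGER 1 }, stands in for a certificate
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the entityID, SSO endpoints keyed by binding, and signing-certificate fingerprints.

    Raises ValueError for the mistakes that yield a configuration that cannot work:
    SP metadata pasted instead of IdP metadata, a non-https endpoint, or no signing key.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not the IdP's")

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"SSO endpoint is not https: {location!r}")
        sso[svc.get("Binding")] = location
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if not der or der[0] != 0x30:
                raise ValueError("X509Certificate is not DER (expected a leading SEQUENCE tag)")
            certs.append({
                "sha1": hashlib.sha1(der).hexdigest().upper(),    # the value the Entra portal shows as Thumbprint
                "sha256": hashlib.sha256(der).hexdigest().upper(),
            })
    if not certs:
        raise ValueError("no signing certificate: Neurons could not verify assertions")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs}


if __name__ == "__main__":
    # Real tenant: urllib.request.urlopen(app_federation_metadata_url).read().decode()
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entityID:", info["entity_id"])
    print("SSO (Redirect):", info["sso"].get(REDIRECT))
    for c in info["signing_certs"]:
        print("signing cert SHA-1:", c["sha1"], "SHA-256:", c["sha256"])
```

Compare the SHA-1 fingerprint the script prints with the Thumbprint shown under SAML Certificates in the Entra ID portal; if more than one signing certificate is listed, Entra ID is in the middle of a certificate rollover and Neurons must be able to trust both.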
Define how Users are Added to Entra ID
Return to Entra ID. In the menu on the left, under Properties, do the following to define which users can sign in:
- Verify that Assignment Required is set to your needs:
  - Yes: the Admin chooses which users of the tenant can log in. If assignment is required, the Admin must explicitly select the users who can sign in, under Users and groups > Add user/group.
  - No: any user in the tenant can log in using Entra ID.
- Click Save.
Return to Neurons. You need to sign in with your Entra ID credentials to validate your connection settings.
- On the Validate Connection Settings page, click Validate Settings to open your organization's sign-in page in a new tab. This is the Microsoft sign-in page for your Entra ID tenant. Enter your Entra ID credentials and sign in. If you are already signed in, credentials are not required and the validation takes place automatically, so make sure you are signed in to the account you want to authenticate. You will receive a confirmation screen if login is successful.
- Close the confirmation screen and return to the Validate Connection Settings tab in Ivanti Neurons Platform, where you have been working.
- Select the check box I confirm I have successfully validated my connection settings to confirm that you have logged in successfully.
- Click Continue.
The Entra ID username must exactly match your Ivanti Neurons username.
The secure handshake is established, validated, and working. If validation fails, one of the following errors is reported:
- E2018 Authentication failed: the user failed to authenticate with Entra ID. Check that the username and password are correct and that the user has permissions on the Entra ID application registration.
- E2019 Missing optional claims: the validation step failed because the additional optional claims were not present in the token returned to Ivanti Neurons Platform from Entra ID.
- E2020 Unable to link to Neurons Platform user account: the Entra ID user login does not match the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to log in to Entra ID.
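The three errors correspond to three different places a SAML login can go wrong: the IdP refuses to authenticate (no assertion at all), the assertion arrives but lacks attributes, or the assertion is fine but its subject maps to no Neurons account. The script below is an added example, not Ivanti code, that classifies a SAML Response along those lines. The condition-to-code mapping is this editor's reading of the error texts above; `REQUIRED_CLAIMS` is an assumption, since the documentation does not say which optional claims Neurons needs; the Entra ID login is assumed to be the assertion's NameID (Entra's default NameID is the user principal name); the SAML Responses are constructed, unsigned test data; and XML signature verification, which a real service provider must do before reading any of these fields, is deliberately left out.

```python
"""Classify a SAML Response the way the Neurons validation errors E2018/E2019/E2020 describe.

Added example, not Ivanti code. The condition-to-code mapping is the editor's reading of the
documented error texts; REQUIRED_CLAIMS is an assumption (the documentation does not name the
optional claims); NameID is assumed to carry the Entra ID login; signature checking is omitted.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"   # Entra ID's default SAML claim namespace
REQUIRED_CLAIMS = (CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname")  # assumption


def saml_response(status=SUCCESS, name_id="alice@contoso.example", attrs=None) -> str:
    """Build a constructed, unsigned SAML Response for offline testing (not captured traffic)."""
    if attrs is None:
        attrs = {CLAIMS + "emailaddress": name_id, CLAIMS + "givenname": "Alice", CLAIMS + "surname": "Example"}
    assertion = ""
    if status == SUCCESS:   # a failed authentication carries no assertion
        attr_xml = "".join(
            f'<saml:Attribute Name="{escape(n)}"><saml:AttributeValue>{escape(v)}</saml:AttributeValue></saml:Attribute>'
            for n, v in attrs.items())
        assertion = (f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID>'
                     f'</saml:Subject><saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>{assertion}</samlp:Response>')


def classify(response_xml: str, neurons_usernames) -> tuple:
    """Return (code, detail); code "OK" means the login would link to a Neurons account.

    A real SP verifies the Response/Assertion signature against the IdP metadata certificate
    before reading any of these fields; that step is omitted here.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return "E2018", "Entra ID did not return a successful authentication"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return "E2018", "response carries no assertion"

    present = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        present[attr.get("Name")] = (attr.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
    missing = [c for c in REQUIRED_CLAIMS if not present.get(c)]
    if missing:
        return "E2019", "claims missing from token: " + ", ".join(missing)

    login = (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if login in neurons_usernames:
        return "OK", login
    # The match must be exact; point out the usual culprit, a difference in letter case only.
    by_lower = {u.lower(): u for u in neurons_usernames}
    if login.lower() in by_lower:
        return "E2020", f"{login} differs from Neurons user {by_lower[login.lower()]} only in letter case"
    return "E2020", f"no Neurons user named {login}"


if __name__ == "__main__":
    users = {"alice@contoso.example", "Bob@contoso.example"}   # constructed Neurons member list
    for label, resp in [
        ("good", saml_response()),
        ("idp failure", saml_response(status="urn:oasis:names:tc:SAML:2.0:status:Requester")),
        ("claims stripped", saml_response(attrs={CLAIMS + "emailaddress": "alice@contoso.example"})),
        ("case mismatch", saml_response(name_id="bob@contoso.example")),
    ]:
        print(f"{label:15s} -> {classify(resp, users)}")
```

The case-only mismatch branch exists because it is the most common cause of E2020 in practice: the Neurons member was invited with one spelling of the address and the user's Entra ID login uses another, and the documentation requires an exact match.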
Entra ID is now configured, but it is not enabled. To enable it, you need to convert your Ivanti Neurons Platform accounts to use Entra ID instead.
Before you do, confirm that every member's Ivanti Neurons username matches their Entra ID login exactly; members whose accounts do not match cannot sign in after the conversion.
- On the Enable Ivanti Neurons Platform accounts page, click Sign Out & Enable. The Ivanti Neurons Sign In page appears.
- Select Sign In with Entra ID and enter your Entra ID credentials. The conversion is then complete.
To verify, sign in to Neurons, go to Admin > Authentication, and check that Entra ID is the external authentication provider.
The same user who configures Entra ID authentication must also sign in and validate the credentials in Ivanti Neurons; otherwise an Access Denied error occurs.
All members will receive an email confirming that the account has been converted and that they must access the tenant with Entra ID credentials going forward. A member who does not have Entra ID credentials will not be able to access Ivanti Neurons.
External Authentication (SSO) now displays with an Enabled status.
Configure Auto Provisioning
Enabling auto provisioning automatically grants access to Ivanti Neurons to all members of the Entra ID application registration without going through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account is provisioned in Ivanti Neurons > Members. All auto-provisioned members are granted the access control roles defined in the setup.
- In Ivanti Neurons Platform navigate to Admin > Authentication. The Authentication page appears.
- In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
- From the Default roles drop-down, select the access control role that you want assigned to all new members. Because every auto-provisioned account receives this role, choose the least privileged role a new member needs. To set up roles, go to Ivanti Neurons > Admin > Roles.
- Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.
Once enabled, the options Edit the default access control roles and Disable auto provisioning become available. Editing the roles or disabling auto provisioning does not affect existing auto-provisioned members; it applies only to members provisioned after the change.
Important: Once auto provisioning has been enabled, everyone who has access to the Entra ID application registration has access to Ivanti Neurons. If Assignment Required is set to No, that is every user in your tenant, so set it to Yes and assign only the users or groups that need Neurons. You can restrict access to certain users or groups from within the Entra ID portal. Refer to the Microsoft Entra ID documentation for further details.