Okta Authentication (SAML)
Ivanti Neurons currently offers the option of selecting Okta as the external authentication provider for your tenant. This is a good choice if you want to centralize the end-user log-on experience, reduce the number of password-related calls to the help desk, and have granular control over policies and audit trails.
Configure & Enable External Authentication
- In Ivanti Neurons Platform, navigate to Admin > Authentication.
  The Authentication page appears.
- In the External Authentication (SSO) section, click Configure & Enable.
  The Enable External Authentication (SSO) page appears.
- From the Provider drop-down list, select Okta.
  The Okta Configuration Settings appear.
- From the Sign-In Method drop-down, select SAML.
  The Entra ID Configuration Settings appear.
Before you can continue with the Ivanti Neurons configuration you must first carry out the following steps in Okta.
- Log in to Okta.
- In the sidebar menu, select Applications > Applications.
  The Applications dashboard appears.
- Select Browse App Catalog.
  The Browse App Integration Catalog appears.
- Search for, and select, Ivanti Neurons.
- Select Add Integration.
  The Add Ivanti Neurons page appears.
- The Application label is Ivanti Neurons by default; change it if required. Select Done.
  The Assignment page appears.
- The Assignments page allows you to specify who can access the Ivanti Neurons application. You can allow access to individuals or groups.
  Select Assign to People or Assign to Groups.
  Remember to assign it to the person setting up the integration; they will need permissions to be able to access the application.
- Search for, and select, the people or group you want to assign the app to.
- Select Assign.
- Once you have assigned the app to all required people or groups, select Done.
- Select the Sign On tab.
- Select Edit.
- In Base URL, paste the URL copied from the Ivanti Neurons platform > Authentication page.
- Select Save. The integration is created.
- A Client ID and Client Secret are generated and displayed.
  You need to record the Domain, Client ID and Client Secret ready to use in the next step of the setup in the Ivanti Neurons Platform.
Only SP-initiated SSO is supported.
- Log in to Okta as an Admin.
- Expand the Applications drop-down, click Applications.
- Click Browse App Catalog.
- Search for Bookmark App, select it from the list of results, and click Add.
- Enter an Application label, which will be the display name. For example, Ivanti Neurons <Company Name> Neurons tenant.
- In the URL field, enter the URL to link to directly. This should be the URL for the Neurons tenant you are attempting to connect to.
- Click Save.
- Assign users to test.
Okta setup is now complete and you can return to Ivanti Neurons Platform to continue setup.
Step 4 - Okta Configuration Settings (Ivanti Neurons Platform)
Once you have created the Okta application you can continue with the Ivanti Neurons Platform configuration.
- Return to the Okta Configuration Settings page (Ivanti Neurons Platform > Authentication > External Authentication (SSO) > Configure and Enable).
- Enter the Okta Domain from the user profile drop-down in the top-right of the Okta app integration.
- Leave the Auth Server ID blank. You only need to specify the tenant details if you are using a custom authorization server. For further details refer to Okta App setup - Custom authorization server.
- Enter the Client ID that was generated and saved from the Okta app integration.
- Enter the Client secret value that was generated and saved from the Okta app integration.
- Select Continue to display the Validate Connection Settings page.
You need to connect with your Okta credentials to validate your connection settings.
- On the Validate Connection Settings page, click Validate Settings to open your organization's sign-in page in a new tab, enter your Okta credentials, and sign in. If you are already signed in, credentials are not required and the validation takes place automatically, so make sure you are signed in to the account you want to authenticate.
  You will receive a confirmation screen if login is successful.
- Return to this tab (Validate Connection Settings).
- Select the check box I confirm I have successfully validated my connection settings to confirm you have logged in successfully.
- Click Continue to move on to convert Ivanti Neurons Platform accounts. The Enable Ivanti Neurons Platform accounts page displays.
The Okta username must exactly match your Ivanti Neurons username.
- E2018 Authentication failed: User failed to authenticate with Okta. Check the username and password are correct and that the user has permissions on the Okta Application Registration.
- E2020 Unable to link to Neurons Platform user account: The Okta user login does not match the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to log in to Okta.
Okta is now configured, but it is not enabled.
To enable, you need to convert your Ivanti Neurons Platform accounts to use Okta instead.
- On the Enable Ivanti Neurons Platform accounts page, click Sign Out & Enable.
  The Ivanti Neurons Sign In page appears.
- Select Sign In with Okta and enter your Okta credentials. The conversion is then complete.
All members will receive an email to confirm the account has been converted and that they must access the tenant with Okta credentials going forward. If the member does not have Okta credentials, they will not be able to access Ivanti Neurons.
External Authentication (SSO) will now display with an Enabled status.
Configure Auto Provisioning
Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the Okta Application without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto provisioned members will be granted the access control roles defined in the set up.
- In Ivanti Neurons Platform, navigate to Setup > Authentication.
  The Authentication Method page appears.
- In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
- From the Default roles drop-down, select the access control role that you want to be assigned to all new members.
  To set up Roles, go to Ivanti Neurons > Admin > Roles.
- Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.
Once enabled, the options Edit the default access control roles and Disable auto provisioning become available. Editing the roles or disabling auto provisioning does not affect existing auto provisioned members; it applies only to those who are provisioned after the changes have been made.
Once auto-provisioning has been enabled, everyone who has access to the Okta Application will have access to Ivanti Neurons. You can restrict access to certain users or groups from within the Okta Application. Refer to the Okta documentation for further details.
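A pre-flight check for the account conversion and auto provisioning steps above, as an added example that is not part of the Ivanti or Okta documentation: it compares the Neurons member list with the users assigned to the Okta application to show who matches exactly, who risks E2020, who would lose access, and who would be auto provisioned with the default role. Both input lists are assumed to be exports you have produced yourself, the sample addresses are constructed, and treating case or whitespace differences as failures is an assumption drawn from the exact-match requirement.

```python
def normalize(login):
    # Comparison key only: ignores case and stray whitespace to surface near misses.
    return login.strip().casefold()

def preflight(neurons_members, okta_assigned):
    """Classify accounts by what happens to them once Okta SSO is enabled.

    neurons_members: usernames from Ivanti Neurons > Members (assumed export)
    okta_assigned:   logins assigned to the Okta application (assumed export)
    """
    okta_exact = set(okta_assigned)
    okta_by_key = {normalize(login): login for login in okta_assigned}
    report = {"ok": [], "near_miss": [], "no_okta_login": [], "would_auto_provision": []}
    matched = set()
    for member in neurons_members:
        key = normalize(member)
        if member in okta_exact:
            report["ok"].append(member)
        elif key in okta_by_key:
            # Not an exact match: assumed to risk E2020 (unable to link account).
            report["near_miss"].append((member, okta_by_key[key]))
        else:
            # No Okta login at all: this member cannot sign in after conversion.
            report["no_okta_login"].append(member)
            continue
        matched.add(key)
    # Assigned in Okta but unknown to Neurons: created on first login with the
    # default role if auto provisioning is enabled.
    report["would_auto_provision"] = [
        login for login in okta_assigned if normalize(login) not in matched
    ]
    return report

def safe_to_enable(report, admin):
    """True only if the converting admin matches exactly and nobody is stranded."""
    return (admin in report["ok"]
            and not report["near_miss"]
            and not report["no_okta_login"])

# Constructed sample data, not real accounts.
NEURONS = ["alice@example.com", "Bob@example.com", "carol@example.com"]
OKTA = ["alice@example.com", "bob@example.com", "erin@example.com"]

if __name__ == "__main__":
    result = preflight(NEURONS, OKTA)
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
    print("safe to click Sign Out & Enable:", safe_to_enable(result, "alice@example.com"))
```

Review the would_auto_provision bucket against the default role you plan to select, since every login in it receives that role on first sign-in.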