External Authentication

Leverage your corporate credentials to log in to Neurons Platform by adding an external authentication provider for single sign-on (SSO).

Only one provider can be configured per tenant and the only current available external authentication provider is Azure Active Directory (AD).

To use Azure AD all users must accept the request for Ivanti to access their basic Azure profile data.

Configure External Authentication in Neurons Platform

  1. Navigate to Setup > Authentication.
  2. Select Add Provider.
  3. Select Azure AD from the Select a provider drop down list.

The Azure AD Configuration Settings display.

Before you can continue with the configuration you must first carry out some steps in Azure AD.

Azure AD Setup

Step 1 - Create your Azure AD application

  1. Log in to Azure AD Admin Center as an Office 365 Administrator.

If the person setting up SSO is not an Azure administrator, then an Azure administrator needs to log in to Azure and approve the Apps request for User-Read\Signin permissions.

  2. In the sidebar menu click All Services > App Registrations.
  3. In the App registrations dashboard, click New registration.
  4. Enter an appropriate name for the application, and accept the default supported account types: Accounts in this organizational directory only.
  5. Enter the Redirect URI, as displayed in the Neurons Platform Azure AD Configuration Settings. For example: https://<yourtenantFQDN>/signin-azuread
  6. Click Register at the bottom of the dialog.
  7. An application (client) ID is generated and displayed.

Record the application (client) ID and the Directory (tenant) ID, as both are required for the next stage of the setup.

Step 2 - Configure Authentication Settings

  1. Select Authentication from the App Registration menu.
  2. Navigate to Advanced Settings.
  3. Enter the Logout URL, as displayed in the Neurons Platform Azure AD Configuration Settings. For example: https://<yourtenantFQDN>/signout-azuread
  4. Under the Implicit grant section, make sure the ID tokens check box is selected.
  5. Click Save.

Step 3 - Create a Secret

  1. From within the created App navigate to App Registration > Certificates & Secrets.
  2. Create New Client Secret.
  3. Add a description.
  4. Select the expiry duration in line with your company standards.
  5. Click Add.

A secret value is created. Copy it somewhere safe immediately, because this is the only time it can be viewed.

Azure AD setup is now complete and you can return to Neurons Platform.

The Secret lifetime is finite, so your company should take measures to ensure this is replaced prior to expiry to avoid any outages to Neurons Platform. If the Secret expires you will need to contact Ivanti Support for assistance.

Step 4 - Token Configuration

Set up token configuration so you can use auto provisioning.

  1. Select Token Configuration from the App Registration menu.
  2. Select Add Optional Claim to open the side panel.
  3. For the Token type, select ID.
  4. From the Claims list, select given_name and family_name. This allows the first and last name to be obtained for new Neurons Platform users, which is a requirement when using auto provisioning.
  5. Click Add.

Neurons Platform Azure AD Configuration Settings

Once you have created the Azure AD application (client), directory (tenant), and secret you can continue with the Neurons Platform configuration.

Azure AD Configuration Settings

Complete the connection settings for Azure AD:

  • Directory (Tenant) ID: Directory/tenant Id from Azure AD app registration.
  • Application (Client) ID: Client/application Id from Azure AD app registration.
  • Client Secret: Value generated and saved.

Validate Connection Settings

You need to connect with your Azure AD credentials to validate your connection settings.

  1. Click Validate Configuration to access your organization's sign-in page via a new tab, enter your Azure AD credentials and proceed to sign-in.
    You will receive a confirmation screen if login is successful.
    The Azure username must exactly match your Neurons Platform username.
  2. Return to the Neurons Platform tab.
  3. Select the I confirm I have successfully validated my connection settings check box to confirm you have logged in successfully.
  4. Click Save Configuration at the top of the screen.

Validation Troubleshooting

  • E2018 Authentication failed: The user failed to authenticate with Azure AD. Check that the username and password are correct and that the user has permissions on the Azure AD application registration.
  • E2019 Missing optional claims: The validation step failed because the additional optional claims were not present in the token returned to Neurons Platform from Azure AD.
  • E2020 Unable to link to Neurons Platform user account: The user is not the 'configurer', and the Azure AD user login does not match the Neurons Platform user. The Neurons Platform user account email address must match the email address used to log in to Azure AD.
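To troubleshoot E2019 and E2020 before running Validate Configuration, it helps to look at what the ID token from your app registration actually contains. The following Python script is an added example, not Ivanti's or Microsoft's code: it decodes a token payload and reports which of the two conditions above apply. It assumes the Azure AD login appears in the token as the preferred_username or email claim, and it does not verify the token signature, so it is an inspection aid only.

```python
import base64
import json

# Optional claims added in Step 4 - Token Configuration; auto provisioning
# needs both to be present in the ID token.
REQUIRED_CLAIMS = ("given_name", "family_name")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_id_token_payload(id_token: str) -> dict:
    """Return the payload claims of a JWT. Inspection only: the signature is
    NOT verified, so use this to read claim contents, never to trust them."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_neurons(id_token: str, neurons_user_email: str) -> list:
    """Map token contents to the validation errors listed above.
    Returns the applicable error codes; an empty list means the token passes
    both the optional-claims check and the account-matching check."""
    claims = decode_id_token_payload(id_token)
    errors = []
    # E2019: given_name / family_name missing from the ID token
    if any(c not in claims for c in REQUIRED_CLAIMS):
        errors.append("E2019")
    # E2020: the Azure AD login must match the Neurons Platform account email.
    # Assumption: the login is carried in preferred_username (or email).
    login = claims.get("email") or claims.get("preferred_username", "")
    if login.lower() != neurons_user_email.lower():
        errors.append("E2020")
    return errors


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for local testing only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


if __name__ == "__main__":
    # Constructed sample: both optional claims present, login matches account
    token = make_unsigned_token({"preferred_username": "alice@example.com",
                                 "given_name": "Alice", "family_name": "Smith"})
    print(check_token_for_neurons(token, "alice@example.com"))  # -> []
```

To inspect a real token, paste the ID token your browser received during validation in place of the constructed one and compare the output against the error codes above.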

Convert and Enable

Azure AD is now configured, but it is not enabled.

To enable it you need to convert your local Neurons Platform account to use Azure AD instead.

Click Convert and Enable. You are prompted to log in with your Azure AD credentials; once you have done so, the conversion is complete.

All users will receive an email to confirm the account has been converted and that they must access the tenant with Azure AD credentials going forward. If the user does not have AD credentials, they will not be able to access Neurons Platform.

Azure Active Directory should now display as 'enabled'.

Configure User Auto Provisioning

Enabling auto provisioning gives users who have access to the Neurons Platform app registration automatic access to Neurons Platform, without going through the manual invite process. When a new user logs in for the first time, a new user account is provisioned in Neurons Platform > Members. All new auto provisioned users are granted the access control roles defined in the setup.

Enable Auto Provisioning

  1. In Neurons Platform navigate to Setup > Authentication.
  2. Open the Actions drop-down menu. Select Enable Auto Provisioning.
  3. From the Default roles, select the default access control roles that will be assigned to all new users.
  4. Click ENABLE.

Once enabled, options to edit the default access control roles and to disable user auto provisioning become available. Editing the roles or disabling auto provisioning does not affect existing auto provisioned users; it only applies to users provisioned after the change is made.

You must configure the Optional Claims from Step 4 - Token Configuration for auto provisioning to work.

Remove External Authentication Provider

Removing the Azure AD External Provider means that all users on the tenant revert to using the Neurons Platform local login.

Remove Azure AD External Provider

If Azure AD is being used as the external authentication provider, the admin is logged in to Neurons Platform with their Azure AD credentials and their local login is disabled. Likewise, all other users have been converted to use their Azure AD accounts, so as part of the removal process the local login details need to be reinstated.

  1. In Neurons Platform navigate to Setup > Authentication.
  2. Click Actions > Delete.
    The Delete Authentication Provider dialog displays.
  3. Click Enable Local Login & Logout.
    You are unable to remove Azure AD external authentication until the admin has successfully logged in with their Neurons Platform login account. This prevents the admin from locking themselves out. Selecting Enable Local Login & Logout logs the user out of their Azure AD session and enables the local login, so when they sign in again they have the option to log in with their Neurons Platform credentials.
  4. Once logged out, navigate back to the Neurons Platform tenant.
  5. Click Forgot your password? and follow the reset password process.
    During the conversion process to use Azure AD all users local login account passwords are deleted so that the accounts can no longer be used. The admin user has to select Forgot your password to set their password up again. Once they have done this they can log into Neurons Platform with their local login credentials.
  6. Once logged in with the local account, navigate back to Setup > Authentication.
  7. Click Actions > Delete.
    The Delete Authentication Provider dialog displays.
  8. Click Delete to remove the Azure AD External Provider from the tenant.

All other users on the tenant will have to follow the same password reset process to continue using Neurons Platform.