External Authentication

Leverage your corporate credentials to log in to Ivanti Cloud by adding an external authentication provider for single sign-on (SSO).

Only one provider can be configured per tenant, and the only external authentication provider currently available is Azure Active Directory (Azure AD).

To use Azure AD, every user must accept the consent request that lets Ivanti read their basic Azure AD profile data.

Ivanti Cloud Configure External Authentication

  1. Navigate to Setup > Authentication.
  2. Select Add Provider.
  3. Select Azure AD from the Select a provider drop down list.

The Azure AD Configuration Settings display.

Before you can continue with the configuration you must first carry out some steps in Azure AD.

Azure AD Setup

Step 1 - Create your Azure AD application

  1. Log in to the Azure AD admin center as an Office 365 administrator.

If the person setting up SSO is not an Azure administrator, an Azure administrator needs to log in to Azure and approve the app's request for the User.Read (Sign in and read user profile) permission.

  2. In the sidebar menu click All Services > App Registrations.
  3. In the App registrations dashboard, click New registration.
  4. Enter an appropriate name for the application, and accept the default supported account types: Accounts in this organizational directory only.
  5. Enter the Redirect URI, as displayed in the Ivanti Cloud Azure AD Configuration Settings. For example: https://<yourtenantFQDN>/signin-azuread
  6. Click Register at the bottom of the dialog.
  7. An application (client) ID is generated and displayed.

Record the Application (client) ID and the Directory (tenant) ID; both are required in the next stage of the setup.

Step 2 - Configure Authentication Settings

  1. Select Authentication from the App Registration menu.
  2. Navigate to Advanced Settings.
  3. Enter the Logout URL, as displayed in the Ivanti Cloud Azure AD Configuration Settings. For example: https://<yourtenantFQDN>/signout-azuread
  4. Under the Implicit grant section, make sure the ID tokens check box is selected. Only ID tokens are needed for this sign-in; leave Access tokens cleared.
  5. Click Save.

Step 3 - Create a Secret

  1. From within the created App navigate to App Registration > Certificates & Secrets.
  2. Create New Client Secret.
  3. Add a description.
  4. Select an expiry duration in line with your company standards.
  5. Click Add.

A secret value is created. Copy it somewhere safe immediately, because this is the only time it can be viewed; once you leave the page it cannot be retrieved again and a new secret would have to be created.

Azure AD setup is now complete and you can return to Ivanti Cloud.

The secret's lifetime is finite, so your company should make sure it is replaced before it expires to avoid an outage of Ivanti Cloud sign-in. If the secret expires you will need to contact Ivanti Support for assistance.
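The three Azure AD steps above, scripted with the Microsoft Graph PowerShell SDK, followed by a check that reports how many days the secret has left. This is an added example and is not code from Ivanti or Microsoft; it assumes the Microsoft.Graph module is installed, the signed-in account can create app registrations (Application.ReadWrite.All), and a placeholder Ivanti tenant FQDN of yourtenant.example.com that you replace with the value shown in the Ivanti Cloud Azure AD Configuration Settings.

```powershell
# Added example (not Ivanti's or Microsoft's own code). Assumes the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account allowed to create
# app registrations. The tenant FQDN and secret lifetime below are placeholders.
$IvantiTenantFqdn = 'yourtenant.example.com'   # assumption: replace with your tenant FQDN
$AppName          = 'Ivanti Cloud SSO'         # any descriptive name
$SecretMonths     = 6                          # assumption: pick the lifetime your policy allows

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Step 1 and Step 2: single-tenant registration with the redirect and logout URLs
# that Ivanti Cloud displays, and only ID token issuance enabled (no access tokens).
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg' -Web @{
    RedirectUris          = @("https://$IvantiTenantFqdn/signin-azuread")
    LogoutUrl             = "https://$IvantiTenantFqdn/signout-azuread"
    ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true; EnableAccessTokenIssuance = $false }
}

# Step 3: client secret with an explicit expiry. SecretText is returned only here,
# exactly as in the portal, so capture it now and store it in your secrets vault.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Ivanti Cloud'
    EndDateTime = (Get-Date).ToUniversalTime().AddMonths($SecretMonths)
}

# The three values Ivanti Cloud asks for on the Azure AD Configuration Settings page.
[pscustomobject]@{
    'Directory (Tenant) ID'   = (Get-MgContext).TenantId
    'Application (Client) ID' = $app.AppId
    'Client Secret'           = $secret.SecretText
    'Secret expires (UTC)'    = $secret.EndDateTime
} | Format-List

# Expiry check to run from a scheduled job: warns while there is still time to
# create a replacement secret and update Ivanti Cloud, instead of finding out
# when sign-in stops working.
function Get-IvantiSsoSecretStatus {
    param(
        [Parameter(Mandatory)] [string] $ApplicationObjectId,   # $app.Id, not $app.AppId
        [int] $WarnDays = 30
    )
    $reg = Get-MgApplication -ApplicationId $ApplicationObjectId
    foreach ($cred in $reg.PasswordCredentials) {
        $daysLeft = [math]::Floor(($cred.EndDateTime - (Get-Date).ToUniversalTime()).TotalDays)
        [pscustomobject]@{
            Secret    = $cred.DisplayName
            KeyId     = $cred.KeyId
            ExpiresOn = $cred.EndDateTime
            DaysLeft  = $daysLeft
            Status    = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'ROTATE SOON' } else { 'OK' }
        }
    }
}

Get-IvantiSsoSecretStatus -ApplicationObjectId $app.Id | Format-Table -AutoSize
```

Rotation with this pattern is a two-step change: add a second password credential with Add-MgApplicationPassword, paste the new value into the Client Secret field in Ivanti Cloud and save, and only then remove the old credential with Remove-MgApplicationPassword. Keeping both valid during the switch avoids the outage the note above warns about.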

Ivanti Cloud Azure AD Configuration Settings

Once you have created the Azure AD application (client), directory (tenant), and secret you can continue with the Ivanti Cloud configuration.

Azure AD Configuration Settings

Complete the connection settings for Azure AD:

  • Directory (Tenant) ID: Directory/tenant Id from Azure AD app registration.
  • Application (Client) ID: Client/application Id from Azure AD app registration.
  • Client Secret: Value generated and saved.

Validate Connection Settings

You need to sign in with your Azure AD credentials to validate your connection settings.

  1. Click Validate Configuration to open your organization's sign-in page in a new tab, enter your Azure AD credentials and sign in.
    You will receive a confirmation screen if login is successful. The Azure AD username must exactly match your Ivanti Cloud username.
  2. Return to the Ivanti Cloud tab.
  3. Select the I confirm I have successfully validated my connection settings check box to confirm you have logged in successfully.
  4. Click Save Configuration at the top of the screen.
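Because conversion deletes every local password and any user whose Ivanti Cloud username has no matching Azure AD account is locked out, it is worth checking the whole user list before converting rather than only the admin account the validation step signs in with. The script below is an added example, not Ivanti's or Microsoft's code. It assumes the Microsoft Graph PowerShell SDK, a signed-in account with User.Read.All, and that the "Azure username" Ivanti Cloud compares is the user principal name (an assumption; confirm against your own validation result). The $IvantiUsers list is constructed sample input standing in for an export of your Ivanti Cloud users.

```powershell
# Added example (not Ivanti's or Microsoft's own code). Pre-conversion check that every
# Ivanti Cloud username resolves to an enabled Azure AD account with an exactly matching
# user principal name. Assumes the Microsoft Graph PowerShell SDK and User.Read.All.
$IvantiUsers = @(                     # constructed sample input; replace with your export
    'alice@example.com',
    'Bob@example.com',                # case differs from the Azure AD UPN, flagged below
    'svc-reporting@example.com'       # service account with no Azure AD identity
)

Connect-MgGraph -Scopes 'User.Read.All'

function Test-IvantiUserAgainstAzureAd {
    param([Parameter(Mandatory)] [string[]] $Usernames)
    foreach ($name in $Usernames) {
        $escaped = $name.Replace("'", "''")          # escape for the OData filter
        $match = Get-MgUser -Filter "userPrincipalName eq '$escaped'" `
                            -Property UserPrincipalName, AccountEnabled
        $upn     = if ($match) { $match.UserPrincipalName } else { '(none)' }
        $enabled = if ($match) { [bool]$match.AccountEnabled } else { $false }
        # The Graph filter is case-insensitive; -ceq catches case differences so they
        # can be reviewed, since the page requires an exact match.
        $exact   = [bool]$match -and ($match.UserPrincipalName -ceq $name)
        [pscustomobject]@{
            IvantiUser = $name
            AzureAdUpn = $upn
            ExactMatch = $exact
            Enabled    = $enabled
            WillLockOut = -not ($exact -and $enabled)
        }
    }
}

$report = Test-IvantiUserAgainstAzureAd -Usernames $IvantiUsers
$report | Format-Table -AutoSize

$blocked = @($report | Where-Object WillLockOut)
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} Ivanti Cloud user(s) would lose access after conversion: {1}" -f
        $blocked.Count, ($blocked.IvantiUser -join ', '))
} else {
    Write-Host 'All Ivanti Cloud users have an enabled, exactly matching Azure AD account.'
}
```

Fix every row flagged WillLockOut (rename the Ivanti Cloud user, create or enable the Azure AD account, or retire the account) before clicking Convert and Enable; after conversion the only way back for such a user is the password reset process described under Remove External Authentication Provider.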

Convert and Enable

Azure AD is now configured, but it is not yet enabled.

To enable it you convert your local Ivanti Cloud account to use Azure AD instead.

Click Convert and Enable. You are prompted to log in with your Azure AD credentials; once you have signed in, the conversion is complete.

All users receive an email confirming that the account has been converted and that they must access the tenant with Azure AD credentials from now on. A user who does not have Azure AD credentials will not be able to access Ivanti Cloud.

Azure Active Directory should now display as 'enabled'.

Remove External Authentication Provider

Removing the Azure AD external provider means that all users on the tenant revert to the Ivanti Cloud local login.

Remove Azure AD External Provider

While Azure AD is the external authentication provider, the admin is logged in to Ivanti Cloud with their Azure AD credentials and their local login is disabled. All other users have likewise been converted to their Azure AD accounts. As part of the removal process, local login details therefore have to be reinstated.

  1. In Ivanti Cloud navigate to Setup > Authentication.
  2. Click Actions > Delete.
    The Delete Authentication Provider dialog displays.
  3. Click Enable Local Login & Logout.
    You cannot remove Azure AD external authentication until the admin has successfully logged in with their Ivanti Cloud local account; this prevents the admin from locking themselves out. Selecting Enable Local Login & Logout ends the admin's Azure AD session and enables the local login, so when they sign in again they have the option to log in with their Ivanti Cloud credentials.
  4. Once logged out, navigate back to the Ivanti Cloud tenant.
  5. Click Forgot your password? and follow the reset password process.
    During the conversion to Azure AD, the local login passwords of all users are deleted so that those accounts can no longer be used. The admin user therefore has to select Forgot your password? to set a password again. Once they have done this they can log in to Ivanti Cloud with their local login credentials.
  6. Once logged in with the local account, navigate back to Setup > Authentication.
  7. Click Actions > Delete.
    The Delete Authentication Provider dialog displays.
  8. Click Delete to remove the Azure AD External Provider from the tenant.

All other users on the tenant have to follow the same password reset process to continue using Ivanti Cloud.