External Authentication (SSO)

External Authentication (SSO) lets you use your corporate credentials for single sign-on to the Ivanti Neurons platform. Using your existing external authentication provider gives you more control over account security and policies, and aligns sign-in with other applications in use, such as Office 365, for a more consistent user experience.

Ivanti Neurons currently offers Azure AD as the external authentication provider for your tenant. This is a good choice if you want to centralize the end-user logon experience, reduce password-related calls to the help desk, and have granular control over policies and audit trails.

To use Azure AD, all members must accept the request for Ivanti to access their basic Azure profile data.

Configure External Authentication

  1. From your Ivanti Neurons Welcome email, click the link to create a password.
  2. Once on the Ivanti Neurons password page, create a password, sign in and click through to accept the EULA.
  3. Sign in with your username and password. You are then given the option to configure and enable an advanced authentication method. Select Yes, Do It Now to continue.
    Alternatively, you can opt for No, Do It Later. You can set it up at any time from the Ivanti Neurons Admin > Authentication menu option.
  4. On the Authentication page, in the External Authentication (SSO) section, click Configure & Enable.
  5. On the Enable External Authenticator (SSO) page, select Azure AD from the Provider drop-down list.
    The Azure AD Configuration Settings display.

Before you can continue with the configuration, you must first carry out some steps in Azure AD.

Once you have created the Azure AD application (client), directory (tenant), and secret, you can continue with the Ivanti Neurons platform configuration.

Azure AD Configuration Settings

Complete the connection settings for Azure AD:

  1. Directory (Tenant) ID: Directory/tenant ID from the Azure AD app registration.
  2. Application (Client) ID: Client/application ID from the Azure AD app registration.
  3. Client Secret: Value generated and saved.
  4. Click Continue to move on to validate the connection settings.

Validate Connection Settings

You need to connect with your Azure AD credentials to validate your connection settings.

  1. Click Validate Settings to open your organization's sign-in page in a new tab, enter your Azure AD credentials, and sign in.
    You will receive a confirmation screen if login is successful.
  2. The Azure username must exactly match your Ivanti Neurons username.
  3. Return to this tab (Validate Connection Settings).
  4. Select the checkbox I confirm I have successfully validated my connection settings to confirm you have logged in successfully.
  5. Click Continue to move on to convert Ivanti Neurons platform accounts.

Convert Ivanti Neurons platform accounts

Azure AD is now configured, but it is not enabled.

To enable it, you need to convert your Ivanti Neurons platform accounts to use Azure AD instead.

  1. Click Enable & Sign Out. The Ivanti Neurons Sign In page displays.
  2. Select Sign In with Azure AD and enter your Azure AD credentials. The conversion is then complete.

All members will receive an email to confirm the account has been converted and that they must access the tenant with Azure AD credentials going forward. If the member does not have AD credentials, they will not be able to access Ivanti Neurons.

External Authentication (SSO) will now display with an Enabled status.
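
The exact-match rule for usernames and the lockout for members without Azure AD credentials can be checked before you click Enable & Sign Out. The following is an added example, not Ivanti code: the function names and sample usernames are constructed, and it assumes you have obtained both username lists as plain strings. The page does not say whether case or whitespace differences are tolerated, so those are reported for review rather than treated as matches.

```python
"""Pre-conversion check: which members would be unable to sign in with Azure AD?"""
import unicodedata


def _fold(name):
    # Normalisation used only to spot near-misses, never to declare a match.
    return unicodedata.normalize("NFKC", name).strip().casefold()


def preflight(neurons_usernames, azure_usernames):
    """Classify each Ivanti Neurons username against the Azure AD usernames.

    exact     - an identical username exists in Azure AD
    near_miss - (neurons, azure) pairs differing only by case, whitespace or Unicode form
    missing   - no Azure AD counterpart; this member loses access after conversion
    """
    azure_exact = set(azure_usernames)
    azure_folded = {}
    for a in azure_usernames:
        azure_folded.setdefault(_fold(a), []).append(a)

    report = {"exact": [], "near_miss": [], "missing": []}
    for n in neurons_usernames:
        if n in azure_exact:
            report["exact"].append(n)
        elif _fold(n) in azure_folded:
            report["near_miss"].extend((n, a) for a in azure_folded[_fold(n)])
        else:
            report["missing"].append(n)
    for entries in report.values():
        entries.sort()
    return report


def ready(report, admin_username):
    """True only if the admin matches exactly and nobody needs fixing first."""
    return (admin_username in report["exact"]
            and not report["near_miss"] and not report["missing"])


# Constructed sample data (not real accounts).
NEURONS = ["alice@example.com", "Bob@example.com",
           "carol@example.com ", "dave@example.com"]
AZURE = ["alice@example.com", "bob@example.com",
         "carol@example.com", "erin@example.com"]

if __name__ == "__main__":
    result = preflight(NEURONS, AZURE)
    for status, entries in result.items():
        print(status, entries)
    print("ready to enable:", ready(result, "alice@example.com"))
```

Resolve every near_miss and missing entry, either by correcting the username or by confirming the member should lose access, before converting the tenant.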

Configure Auto Provisioning

Enabling auto provisioning automatically grants access to Ivanti Neurons to all members within the Azure AD App Registration, without the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons platform account is provisioned in Ivanti Neurons > Members. All new auto provisioned members are granted the access control roles defined in the setup.

Enable Auto Provisioning

  1. In the Ivanti Neurons platform, navigate to Setup > Authentication to display the Authentication Method page.
  2. In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
  3. From the Default roles drop-down list, select the access control role that you want to be assigned to all new members.
    To set up roles, go to Ivanti Neurons > Admin > Roles.
  4. Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.

Once auto provisioning is enabled, options to edit the default access control roles and to disable auto provisioning become available. Editing roles or disabling auto provisioning does not affect existing auto provisioned members; the change applies only to members provisioned after it is made.

You must configure the Optional Claims from Step 4 - Token Configuration for auto provisioning to work.

Delete External Authentication Provider

Deleting the Azure AD External Provider means that all members on the tenant revert to using their Ivanti Neurons platform account username and password.

Delete Azure AD External Provider

If Azure AD is being used as the external authentication provider, the admin will be logged in to Ivanti Neurons with their Azure AD credentials and their Ivanti Neurons platform account will be disabled. Likewise, all other members will have converted to use their Azure AD accounts. As part of the removal process, their Ivanti Neurons platform accounts will need to be reinstated.

  1. In the Ivanti Neurons platform, navigate to Setup > Authentication.
  2. Click Actions and select Delete authentication method.
    The Delete External Authentication (SSO) dialog displays.
  3. Click Sign Out & Re-authenticate.
    You are unable to remove Azure AD external authentication until the admin has successfully logged in with their Ivanti Neurons platform account. This prevents the admin from locking themselves out. Selecting Sign Out & Re-authenticate logs the member out of their Azure AD account and enables their Ivanti Neurons platform account, so when they sign in again they have the option to log in with their Ivanti Neurons platform credentials.
  4. Once logged out, navigate back to the Ivanti Neurons sign in page.
  5. Click Forgot your password? and follow the reset password process.
    During the conversion process to use Azure AD, all passwords for Ivanti Neurons platform accounts were deleted so that the accounts can no longer be used. The admin has to select Forgot your password? to set their password up again. Once they have done this, they can log in to Ivanti Neurons with their Ivanti Neurons login credentials.
  6. Once logged in with the Ivanti Neurons account, navigate back to Setup > Authentication.
  7. Click Actions and select Delete authentication method.
    The Delete External Authentication (SSO) dialog displays.
  8. Click Delete Authentication Method to remove the Azure AD External Provider from the tenant.

All other members on the tenant will have to follow the same password reset process to continue using Ivanti Neurons.
