Other IdP Authentication (SAML)

Ivanti Neurons offers the option to choose other IdP (Identity Provider) as the external authentication provider for your tenant. In addition to the existing authentication methods, you can use other IdP authentications as a single sign-on (SSO) system that enables users to securely access applications and resources across different domains with a single login using security tokens. This streamlines user experience, improves security by reducing password reuse, and simplifies identity management for organizations.

Other IdP authentication only supports the SAML based sign-in method.

Configure and Enable External Authentication

  1. In the Ivanti Neurons Platform, navigate to Admin > Authentication.

    The Authentication page appears.

  2. In the External Authentication (SSO) section, click Configure & Enable.

    The Enable External Authentication (SSO) page appears.

  3. From the Provider drop-down, select Other IdP.

    The Other IdP SAML 2.0 Configuration Settings appears. It is recommended to leave this tab open for future reference when configuring details in the identity provider console.

  4. On the Other IdP SAML 2.0 Configuration Settings section, you can select the following options:

    • Enable Signed requests: Enable this option to send digitally signed requests to an external authentication provider and configure the provider to validate whether the signed requests are from the Ivanti Neurons tenant. Alternatively, you can disable this option to stop sending signed requests.

    • Enable Encrypted assertions: Enable this option to receive encrypted user information from the external authentication provider, and you can configure the Neurons tenant to decrypt the information. Alternatively, you can disable this option to stop receiving encrypted user information.

  5. Click Apply Changes.
    Once you apply the changes, you can download the identity information, such as service provider metadata and certificate, for a SAML-based SSO system as given below:

    • Download SP metadata: Click this option to download the service provider metadata along with the certificate in XML format.

    • Download certificate only: Click this option to download only the certificate (in .pem format).

  1. Log in to the IdP provider console.

  2. Create a new SAML-based configuration that will enable you to integrate the SSO system with Ivanti Neurons.

  3. Where required, enter the service provider details such as Entity ID and Assertion Consumer Service URL. You can find this information on the SSO configuration page of Ivanti Neurons.

    For more information about downloading the certificate, refer to the steps under the Configure and Enable External Authentication (Ivanti Neurons Platform) section.

  4. Then, upload the certificate that you downloaded from Ivanti Neurons (in .cer format) in the relevant section in the IdP provider console to enable Signed Requests and/or Encrypted Assertions. The same certificate should be used for both Signed Requests and Encrypted Assertions.

  5. Download the SAML metadata file (in XML format) from the identity provider portal.

To upload the downloaded metadata file from the identity provider, follow these steps:

  2. Return to Ivanti Neurons.

  3. In the Other IdP SAML 2.0 Configuration Settings section, click Select file.

  4. Browse the downloaded SAML metadata file (in XML format), and click Upload.

  5. Then, click Continue to proceed.

You must connect with your IdP to validate your connection settings.

  1. On the Validate Connection Settings page, click Validate Settings.

    The validation takes place automatically. You will receive a confirmation screen if login is successful.

    Ensure that the Enable Signed Requests and/or Encrypted Assertions option enabled in the IdP console matches the Neurons tenant. If the enabled options do not match, the validation will fail.

  2. Return to the Validate Connection Settings page and select the check box to confirm login.

    The IdP is now configured.

  3. Click Continue to proceed to the Convert your Ivanti Neurons platform account page.

Other IdP is now configured, but it is not enabled.

To enable, you need to convert your Ivanti Neurons Platform accounts to use Other IdP instead.

  1. On the Enable Ivanti Neurons Platform accounts page, click Sign Out & Enable.
    The Ivanti Neurons Sign In page appears.
  2. Select the Sign In with Other IdP and enter your IdP credentials, the conversion will then be complete.
    To verify, login in Neurons, go to Admin > Authentication, and see that Other IdP is the external authentication provider.

    3. The same user must configure Other IdP authentication and sign in and validate the credentials in Ivanti Neurons, to avoid an Access Denied error.

All members will receive an email to confirm the account has been converted and that they must access the tenant with Other IdP credentials going forward. If the member does not have Other IdP credentials, they will not be able to access Ivanti Neurons.

External Authentication (SSO) will now display with an Enabled status.

Configure Auto Provisioning

Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the Other IdP without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto-provisioned members will be granted the access control roles defined in the set up.

  1. In Ivanti Neurons Platform navigate to Setup > Authentication.

    The Authentication Method page appears.

  2. In the External Authentication section, click Actions and select Enable auto provisioning.

  3. From the Default roles drop-down, select the access control role that you want to be assigned to all new members.

    To set up Roles, go to Ivanti Neurons > Admin> Roles.

  4. Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.

Once enabled, you can edit default access control roles and disable auto provisioning. These changes will only apply to members provisioned after the modifications and will not affect existing members.

(Optional) Update IdP Metadata (Ivanti Neurons Platform)

  1. In Ivanti Neurons Platform, navigate to Admin > Authentication.
    The Authentication page appears.

  2. In the External Authentication section, click Actions >Update IdP metadata.
    The Update SAML metadata screen appears.

  3. In Other IdP Configuration Settings, click Select file.

  4. Open the downloaded metadata file and click Upload.

  5. Click Continue to validate the settings.

  6. On the Validate New SAML metadata page, click Validate SAML Metadata.

  7. A new tab opens on your organization’s sign-in page. Enter your credentials and sign in.
    The validation takes place automatically. You will receive a confirmation screen if login is successful.

  8. Return to the Validate New SAML metadata page and select the check box to confirm login success.

  9. Click Continue to proceed to the Save New SAML Metadata page.

  10. Click Save changes to complete the process.
    A notification confirming the successful update of metadata is received.

(Optional) Update Provider Settings (Ivanti Neurons Platform)

  1. In Ivanti Neurons Platform, navigate to Admin > Authentication.

    The Authentication page appears.

  2. In the External Authentication section, click Actions > Update provider setting.

    The Update SAML provider page appears.

  3. In Other IdP Configuration Settings, you can select the following:

    • Enable Signed requests: Enable this option to send a digitally signed requests to an external authentication provider and configure the provider to validate whether the signed requests are from Ivanti Neurons tenant. Alternatively, you can disable this option to stop sending signed requests.

    • Enable Encrypted assertions: Enable this option to receive an encrypted user information from the external authentication provider and you can configure the Neurons tenant to decrypt the information. Alternatively, you can disable this option to stop receiving encrypted user information.

  4. Click Apply Changes.

    Now, you can download the updated service provider metadata file and certificate based on your requirements.

  5. Click Continue to validate the metadata.

  6. On the Validate SAML Provider Setting page, click Validate Setting.

  7. A new tab opens on your organization’s sign-in page. Enter your credentials and sign in.

    The validation takes place automatically. You will receive a confirmation screen if login is successful.

  8. Return to the Validate New Provider Setting page and select the check box to confirm login success.

  9. Click Continue to proceed.

  10. Click Save changes to complete the process.

    A notification confirming the successful update is received.

(Optional) Update Certificate (Ivanti Neurons Platform)

You can use this option to update the expired certificate or when a certificate is about to expire.

The renew function is intended to be used during low usage hours. Once Neurons renews the certificate, it begins using it immediately. This will cause failed authentication events at the Identity Provider until the IdP is updated to expect the new certificate. Please plan accordingly and ensure that coordinated changes occur in your IdP software.

  1. In Ivanti Neurons Platform, navigate to Admin > Authentication.
    The Authentication page appears.

  2. In the External Authentication section, click Actions >Update certificate.
    The Update Certificate screen appears.

  3. Click Continue.
    The Update tab appears.

  4. On the Update tab, you can download the service provider metadata and certificate.

    Once you have downloaded the encrypted certificate, ensure that the new certificate is uploaded to the identity provider console before validating.

  5. Click Continue to go to the Validate New Certificate page.

  6. Click Validate Certificate.
    The validation takes place automatically. You will receive a confirmation screen if login is successful.

  7. Return to the Validate Connection Settings page and select the check box to confirm login.

  8. Click Continue.
    The Save New Certificate page appears.

  9. Click Save Changes.

(Optional) Download SP Metadata or Certificate (Ivanti Neurons Platform)

If the external authentication setup for other IdP has to be redone due to issues or errors, it will require either the certificate or the SP metadata. These can be downloaded from the actions drop-down from Ivanti Neurons, as below:

  1. In the Ivanti Neurons Platform, navigate to Admin > Authentication.

    The Authentication page appears.

  2. In the External Authentication (SSO) section, click Actions. From the drop-down, you can click the following:

    • Download SP metadata: Click this option to download the service provider metadata along with the certificate in XML format.

    • Download certificate only: Click this option to download only the certificate (in .pem format).

    The SP metadata file would have the last saved version of provider configuration settings, and the certificate would be the last active certificate.

(Optional) Delete Authentication Method (Ivanti Neurons Platform)

  1. In the Ivanti Neurons Platform, navigate to Admin > Authentication.

    The Authentication page appears.

  2. In the External Authentication (SSO) section, click Actions > Delete authentication method.

    The Delete External Authentication screen appears.

  3. Click Sign Out & Re-authenticate.

    Ivanti Neurons is signed-out.

  4. Click Sign in with email and password.

  5. Enter the credentials and click Sign In.

  6. Navigate to Admin > Authentication > External Authentication, then click Actions > Delete authentication method.

    The Delete External Authentication screen appears.

  7. Click Delete Authentication Method.

    The existing authentication method is now deleted.