Service Manager powered by HEAT

Working with Single Sign-On Authentication

•About Single Sign-On Authentication

•Service Manager powered by HEAT

•Configuration Method

•Setting Up Authentication for OpenID Connect with Google

•Setting Up Authentication for OpenID Connect with Microsoft Azure

•Service Manager powered by HEAT

About Single Sign-On Authentication

The goal of federated single sign-on authentication is to enable users to maintain secure access across a range of external systems and web applications. Ivanti Service Manager supports the use of various protocols that help organizations accomplish this goal. Through the use of ADFS (Microsoft Active Directory Federation Services) and SAML (Security Assertion Markup Language), Ivanti Service Manager customers can use their existing Windows Integrated Security credentials to sign on to their Ivanti Service Manager tenant without having to enter a new password.

Single sign-on authentication was originally designed to handle identity management within a network domain or other closed system, allowing users to log in once to get into their system and carry those credentials through to other systems within their environment. However, with Ivanti Service Manager, single sign-on authentication has become more difficult to manage as users typically access many systems and applications that cross different companies and domains.

Many companies have designed proprietary protocols to meet the challenge of web browser single sign-on, leading to interoperability between providers. There must be trust established between the principal (user), the identity provider (initial authentication source), and the service provider (web application).

Open source security protocols seek to exchange authorization and authentication between security domains, such as an identity provider (that is, the customer domain) and the service provider (that is, Ivanti Service Manager). At the request of the user, credentials are passed to the application. This type of protocol is not concerned with how the user was authenticated initially.

ADFS is a claims-based identity tool, using Active Directory Domain Services to authenticate the user and issue a token that contains identity information. Federation servers located within both security domains exchange tokens without storing any user names or passwords. The user has to only enter their user name and access is granted without direct authentication to the system.

SAML uses an identity provider and a service provider to grant access to an application through a web browser. The identity provider in this case is ADFS running on the domain of the customer.