PingFederate Authentication (SAML)
Ivanti Neurons currently offers the option of selecting PingFederate as the external authentication provider for your tenant. PingFederate centralizes the end user log on experience, reduces the occurrence of password related calls to the help desk, and produces granular controls over policies and audit trails.
Configure & Enable External Authentication
 Step 1 - Configure and Enable External Authentication (Ivanti Neurons Platform)
Step 1 - Configure and Enable External Authentication (Ivanti Neurons Platform)
                                            - 
                                                        In the Ivanti Neurons Platform, navigate to Admin > Authentication. 
 The Authentication page appears.
- 
                                                        In the External Authentication (SSO) section, click Configure & Enable. 
 The Enable External Authentication (SSO) page appears.
- 
                                                        From the Provider drop-down, select PingFederate. 
- 
                                                        From the Sign-In Method drop-down, select Saml 2.0. PingFederateSAML 2.0 Configuration Settings appears. 
 It is recommended to leave this tab open for future reference when configuring the details in PingFederate Admin console.
 Step 2 - PingFederate Application Setup (PingFederate Admin console)
Step 2 - PingFederate Application Setup (PingFederate Admin console)
                                            - 
                                                        Log in to the PingFederate Admin console. 
- 
                                                        From Applications, select SPConnections. 
- 
                                                        Click Create Connection. 
- 
                                                        In Connection Template, select DO NOT USE A TEMPLATE FOR THIS CONNECTION and click Next. 
- 
                                                        In Connection Type, select BROWSER SSO PROFILES since this setup requires browser access. 
- 
                                                        From PROTOCOL drop-down, select SAML 2.0 and click Next. 
- 
                                                        In Connection Options, select BROWSER SSO and click Next. 
- 
                                                        In Import Metadata, select None and click Next. 
- 
                                                        In General Info, enter the following details available in the Ivanti Neurons tab that was open: - 
                                                                PARTNER’S ENTITY ID (CONNECTION ID): Unique connection identifier (Entity ID). 
- 
                                                                CONNECTION NAME: Language identifier for this connection. 
 
- 
                                                                
- 
                                                        (Optional) Specify multiple virtual server IDs, using the Base URL for simplified partner endpoint configurations and click Next. 
- 
                                                        In Browser SSO, click Configure Browser SSO to set up or edit the configuration for secure browser-based SSO to the partner’s resources. - 
                                                                In SAML Profiles, select SP-Initiated SSO to specify the types of messages exchanged between the Identity Provider and Service Provider, as well as the transport methods (bindings), and click Next. 
- 
                                                                In Assertion Lifetime, set the validity time frame before and after issuance for assertion to the SP, and click Next. 
- 
                                                                In Assertion Creation, click Configure Assertion Creation to set up SAML assertions for SSO access to your SP partner's site. 
- 
                                                                    In Identity Mapping, select Standard and click Next. 
- 
                                                                    In Attribute Contract, select SAML_SUBJECT and update the Extend the Contract fields with the following set of required user attributes that the server will send in the assertion: - 
                                                                            email 
- 
                                                                            given_name 
- 
                                                                            family_name 
 
- 
                                                                            
- 
                                                                    Click Next. 
- 
                                                                    In Authentication Source Mapping, click Map New Adapter Instance. - 
                                                                            In Adapter Instance, select PingOneIdpAdapter, and click Next. 
- 
                                                                            In Mapping Method, select USE ONLY THE ADAPTER CONTRACT VALUES IN THE SAML ASSERTION and click Next. 
- 
                                                                            In Attribute Contract Fulfillment, update the Attribute Contract as follows: - 
                                                                                    SAML_SUBJECT: Source - Adapter, Value - username 
- 
                                                                                    email: Source - Adapter, Value - email 
- 
                                                                                    family_name: Source - Adapter, Value - name.family 
- 
                                                                                    given_name: Source - Adapter, Value - name.given 
 
- 
                                                                                    
- 
                                                                            Click Next. 
- 
                                                                            In Issuance Criteria, update or leave the fields blank as required and click Next. 
- 
                                                                            Review the details in Summary and click Done. 
 
- 
                                                                            
- 
                                                                    In Authentication Source Mapping, click Next. 
- 
                                                                    Review the details in Summary and click Done. 
- 
                                                                In Assertion Creation, click Next. 
- 
                                                                In Protocol Settings, click Configure Protocol Settings to set up SAML assertions for SSO access to your SP partner's site. 
- 
                                                                    In Assertion Consumer Service URL, copy the Assertion Customer Service URL from the Neurons Platform and paste it in the Endpoint URL field on the PingFederate Admin portal. 
- 
                                                                    Select POST from the Binding drop-down and click Add > Next. 
- 
                                                                    In Allowable SAML Bindings, select POST and click Next. 
- 
                                                                    In Signature Policy, select SIGN RESPONSE AS REQUIRED selected and click Next. 
- 
                                                                    In Encryption Policy, select NONE and click Next. 
- 
                                                                    Review the details in Summary and click Done. 
- 
                                                                In Protocol Settings, click Next. 
- 
                                                                Review the details in Summary and click Done. 
 
- 
                                                                
- 
                                                        In Browser SSO, click Next. 
- 
                                                        In Credentials, click Configure Credentials to set up Digital Signature settings. - 
                                                                Select a certificate from SIGNING CERTIFICATE drop-down. 
- 
                                                                Retain the field values of SECONDARY SIGNING CERTIFICATE and SIGNING ALGORITHM and click Next. 
- 
                                                                Review the details in Summary and click Save. 
 
- 
                                                                
- 
                                                        In Credentials, click Next. 
- 
                                                        Review the details in Activation & Summary and click Done. The SP Connections page displays. 
- 
                                                        Click Select Action under Actions against the new connection configured > Export Metadata. 
- 
                                                        In Metadata Signing, select a certificate from SIGNING CERTIFICATE drop-down. 
- 
                                                        Select an algorithm from the SIGNING ALGORITHM drop-down and click Next. 
- 
                                                        Select Export. The metadata file is downloaded. 
- 
                                                        Navigate to Enable External Authentication page of Ivanti Neurons Platform that was open and click Select file. 
- 
                                                        Open the downloaded metadata file and click Upload. 
- 
                                                        Click Continue to validate the settings. 
 Step 3 - Validate Connection Settings (Ivanti Neurons Platform)
Step 3 - Validate Connection Settings (Ivanti Neurons Platform)
                                            You must connect with your PingFederate credentials to validate your connection settings.
- 
                                                        On the Validate Connection Settings page, click Validate Settings. A new tab opens on your organization’s sign-in page. Enter your PingFederate credentials and sign in. 
- 
                                                        Return to the Validate Connection Settings page and select the check box to confirm login success. 
 PingFederate is now configured, but it is not enabled. To enable, you need to convert your Ivanti Neurons Platform accounts to PingFederate.
- 
                                                        Click Continue to proceed to the Convert your Ivanti Neurons platform account page. 
 Validation Troubleshooting
Validation Troubleshooting
                                            - 
                                                        E2018 Authentication failed: User failed to authenticate with PingFederate. Check that the username and password are correct, and that the user has permissions on the PingFederate SP Connection. 
- 
                                                        E2019 Missing optional claims: Validation step failed because the additional optional claims were not present in the token returned to Ivanti Neurons Platform from PingFederate. 
- 
                                                        E2020 Unable to link to Neurons Platform user account: The PingFederate user login, does not match with the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to login into PingFederate. 
 Step 4 - Enable Ivanti Neurons Platform accounts (Ivanti Neurons Platform)
Step 4 - Enable Ivanti Neurons Platform accounts (Ivanti Neurons Platform)
                                            - 
                                                        On the Convert your Ivanti Neurons platform account page, click Sign Out & Enable. Ivanti Neurons is signed-out. 
- 
                                                        Click Sign in with PingFederate and enter your PingFederate credentials to complete the process. 
- 
                                                        You can now view PingFederate application in Admin > Authentication with an Enabled status. 
- 
                                                        Click Sign out from the Neurons platform. 
 Now, when you sign back in, you are routed to PingFederate to choose the account and sign in with PingFederate credentials.
Configure Auto Provisioning
Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the PingFederate SP Connection without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto-provisioned members will be granted the access control roles defined in the set up.
 Enable Auto Provisioning
Enable Auto Provisioning
                                            - 
                                                        In Ivanti Neurons Platform navigate to Setup > Authentication. 
 The Authentication Method page appears.
- 
                                                        In the External Authentication (SSO) section, click Actions and select Enable auto provisioning. 
- 
                                                        From the Default roles drop-down, select the access control role that you want to be assigned to all new members. 
 To set up Roles, go to Ivanti Neurons > Admin> Roles.
- 
                                                        Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members. 
Once enabled, you can edit default access control roles and disable auto provisioning. These changes will only apply to members provisioned after the modifications and will not affect existing members.
Enabling auto-provisioning grants all PingFederate Application Registration users access to Ivanti Neurons. You can restrict access to certain users or groups from within the PingFederate Application.
(Optional)Update Metadata (Ivanti Neurons Platform)
- 
                                                In Ivanti Neurons Platform, navigate to Admin > Authentication. 
 The Authentication page appears.
- 
                                                In the External Authentication section, click Actions > Update metadata. 
 The Update SAML metadata screen appears.
- 
                                                In PingFederate Configuration Settings, click Select file. 
- 
                                                Open the downloaded metadata file and click Upload. 
- 
                                                Click Continue to validate the settings. 
- 
                                                On the Validate New SAML metadata page, click Validate SAML Metadata. 
- 
                                                A new tab opens on your organization’s sign-in page. Enter your credentials and sign in. 
 The validation takes place automatically. You will receive a confirmation screen if login is successful.
- 
                                                Return to the Validate New SAML metadata page and select the check box to confirm login success. 
- 
                                                Click Continue to proceed to the Save New SAML Metadata page. 
- 
                                                Click Save changes to complete the process. 
 A notification confirming the successful update of metadata is received.
(Optional) Delete Authentication Method (Ivanti Neurons Platform)
- 
                                                In the Ivanti Neurons Platform, navigate to Admin > Authentication. 
 The Authentication page appears.
- 
                                                In the External Authentication section, click Actions > Delete authentication method. 
 The Delete External Authenticationscreen appears.
- 
                                                Click Sign Out & Re-authenticate. 
 Ivanti Neurons is signed-out.
- 
                                                Click Sign in with email and password. 
- 
                                                Enter the credentials and click Sign In. 
- 
                                                Navigate to Admin > Authentication > External Authentication, then click Actions > Delete authentication method. 
 Delete External Authentication screen appears.
- 
                                                Click Delete Authentication Method. 
 The existing authentication method is now deleted.