Okta Authentication (SAML)
Ivanti Neurons currently offers the option to choose Okta as the external authentication provider for your tenant. Okta centralizes the end-user logon experience, reduces password-related calls to the help desk, and provides granular control over policies and audit trails.
Configure & Enable External Authentication

- In Ivanti Neurons Platform, navigate to Admin > Authentication.
  The Authentication page appears.
- In the External Authentication (SSO) section, click Configure & Enable.
  The Enable External Authentication (SSO) page appears.
- From the Provider drop-down list, select Okta.
- From the Sign-In Method drop-down, select Saml 2.0.
  Okta Saml 2.0 Configuration Settings appears. It is recommended to leave this tab open for future reference when configuring the details in the Okta console.

- Log in to Okta.
- Select Applications > Applications > Create App Integration.
  The Create a new app integration screen appears.
- Select SAML 2.0 and click Next.
  The Create SAML Integration page appears.
- In General Settings, enter the App name and click Next.
- In Configure SAML, enter the values in the following fields:
  In General, enter the values available in the Ivanti Neurons tab that was open:
    Single sign-on URL: Assertion Consumer Service URL.
    Audience URI (SP Entity ID): EntityId.
  In Attribute Statements (optional), update the attributes as follows:
    Name: 'email', Value: 'user.email'. Click Add Another.
    Name: 'given_name', Value: 'user.firstName'. Click Add Another.
    Name: 'family_name', Value: 'user.lastName'.
  The data in the above fields is case-sensitive.
  Click Next.
- In Feedback, select the check box ‘This is an internal app that we have created’ and click Finish.
  Administrators can opt out of selecting the checkbox and instead provide details in the comment boxes.
- Click Assignments > Assign > Assign to People.
  The Assignments page allows you to specify who can access the Ivanti Neurons application. You can grant access to individuals or groups.
  Remember to assign it to the person setting up the integration, as they will need permissions to access the application.
- Select your name and click Assign > Save and Go Back > Done.
- Select the Sign On tab, copy the Metadata URL, and paste it into the Identity Provider Metadata Endpoint URL field in the Neurons Platform tab that was open.
- Click Continue.

You must connect with your Okta credentials to validate your connection settings.
- On the Validate Connection Settings page, click Validate Settings.
  The validation takes place automatically. You will receive a confirmation screen if login is successful.
- Return to the Validate Connection Settings page and select the check box to confirm login success.
  Okta is now configured, but it is not enabled. To enable, you need to convert your Ivanti Neurons Platform accounts to Okta.
- Click Continue to proceed to the Convert your Ivanti Neurons platform account page.

- E2018 Authentication failed: User failed to authenticate with Okta. Check that the username and password are correct, and that the user has permission on the Okta Application Registration.
- E2019 Missing optional claims: Validation step failed because the additional optional claims were not present in the token returned to Ivanti Neurons Platform from Okta.
- E2020 Unable to link to Neurons Platform user account: The Okta user login does not match the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to log in to Okta.

- On the Convert your Ivanti Neurons platform account page, click Sign Out & Enable.
  Ivanti Neurons is signed out.
- Click click here > Sign in with Okta to complete the process.
- You can now view the Okta application in Admin > Authentication with an Enabled status.
- Click Signout from the Neurons platform.
  Now, when you sign back in, you are routed to Okta to choose the account and sign in with Okta credentials.
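
The attribute names above are case-sensitive, and E2019 and E2020 are reported when claims are missing or the email does not match. The following check is an added example, not Ivanti or Okta code: it inspects an already decoded assertion XML for those conditions. The sample assertion, EntityId and addresses are constructed, and the exact string comparison of the email is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "given_name", "family_name")  # names from the page, case-sensitive

# Constructed sample assertion (not from a real tenant). "Email" is deliberately
# mis-cased to show what the case-sensitivity note guards against.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/entity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>alex@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, entity_id, neurons_email):
    """Return a list of findings; empty means the mapping looks right.

    Diagnostic only: this does not verify the assertion's signature.
    """
    # An assertion never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in an assertion")
    root = ET.fromstring(xml_text)
    findings = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", SAML_NS) if a.text]
    if entity_id not in audiences:
        findings.append(f"audience {audiences} does not contain EntityId {entity_id!r}")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    lowered = {name.lower(): name for name in attrs}
    for name in REQUIRED:
        if name in attrs:
            continue
        if name in lowered:  # present, but with the wrong case
            findings.append(f"attribute {lowered[name]!r} must be named {name!r} exactly")
        else:
            findings.append(f"attribute {name!r} is missing")
    # Assumption: the Neurons account email is compared as an exact string.
    if "email" in attrs and attrs["email"] != neurons_email:
        findings.append(f"email {attrs['email']!r} differs from Neurons account {neurons_email!r}")
    return findings
```
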
Configure Auto Provisioning
Enabling auto provisioning automatically grants access to Ivanti Neurons to all members within the Okta Application, without the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account is provisioned in Ivanti Neurons > Members. All new auto-provisioned members are granted the access control roles defined in the setup.

- In Ivanti Neurons Platform, navigate to Setup > Authentication.
  The Authentication Method page appears.
- In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
- From the Default roles drop-down, select the access control role that you want to be assigned to all new members.
  To set up Roles, go to Ivanti Neurons > Admin > Roles.
- Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.
Once enabled, you can edit default access control roles and disable auto provisioning. These changes will only apply to members provisioned after the modifications and will not affect existing members.
Enabling auto-provisioning grants all Okta Application Registration users access to Ivanti Neurons. You can restrict access to certain users or groups from within the Okta Application.
(Optional) Delete Authentication Method (Ivanti Neurons Platform)
- In the Ivanti Neurons Platform, navigate to Admin > Authentication.
  The Authentication page appears.
- In the External Authentication (SSO) section, click Actions > Delete authentication method.
  The Delete External Authentication screen appears.
- Click Sign Out & Re-authenticate.
  Ivanti Neurons is signed out.
- Click Sign in with email and password.
- Enter the credentials and click Sign In.
- Navigate to Admin > Authentication > External Authentication, then click Actions > Delete authentication method.
  The Delete External Authentication screen appears.
- Click Delete Authentication Method.
  The existing authentication method is now deleted.