Getting Started with Identity Broker

This is not the latest version of Identity Director documentation.
View available documentation.

About Identity Broker

The Identity Broker is a web application that acts as a "broker" for authentication between Ivanti Automation, Identity Director or Workspace Control portals, and their configured Identity Provider: it can process authentication requests by means of external authentication endpoints.

The Identity Broker communicates with the portals using the standard OpenID Connect protocol.

Identity Broker concepts

Identity Consumer

An Identity Consumer is a web application (for example a Management Portal or User Portal) for which the Identity Broker handles authentication. Consumers redirect to the Identity Broker using the HTTPS protocol.

To secure communication, a Consumer identifies itself to the Identity Broker by providing an ID and shared secret. A shared secret, such as a password or a private key, is a piece of data known only to the entities involved.

Identity Provider

An Identity Provider is an endpoint that the Identity Broker uses to authenticate a user. Supported Providers are:

• Identity Broker Windows Authentication Provider (part of the Identity Broker installer, also available as a separate installer)
• ADFS Provider, using your own ADFS endpoint
• Azure AD Provider, using your Azure Active Directory

Authentication sequence

When Identity Broker is used to authenticate users, the following authentication sequence is followed:

	A user browses to an Ivanti Automation, Identity Director or Workspace Control portal that is configured as an Identity Consumer (1).
	That portal (the Identity Consumer) redirects the browser to the Identity Broker for authentication (2 → 3).
	The Identity Broker redirects the browser to the Identity Provider (4 → 5).
	The Identity Provider authenticates the user (6), issues an Authentication Token, and redirects the browser back to the Identity Broker (7 → 8).
	Based on the Authentication Token issued by the Identity Provider, the Identity Broker issues a unified Identity Token (9), and redirects the browser back to the portal (10 → 11).
	Once the portal validates the Identity Token (12), the requested resource (i.e. a page on the Portal) is returned to the browser (13).

The Identity Broker itself does not have to be able to connect to the Identity Provider. The user is in the center of all communication in this sequence, and needs to be able to connect to the Identity Consumer, the Identity Broker and the Identity Provider.

The Identity Consumer and Identity Broker do not see or store the username and password for users. These components use only tokens from the Identity Provider to handle authentication requests.