Setting the Logon policy
When you set up a Framework, Web Access, or BridgeIT application using Configuration Centre, you can specify the Logon policy you want to use. For information about choosing the most appropriate logon policy, see Choosing the logon policy. The options are:
- Explicit only – this is available for all three applications. With this option, users enter their Service Desk or Asset Manager user name and password to access the application each time they start it.
You need to use a Framework application that has the Logon policy set to Explicit only whenever you upgrade the database. For more information about upgrading your database, see Upgrading the Ivanti database.
- Integrated only – available for Framework and Web Access. With this option, Service Desk and Asset Manager use the user's network login to identify their Service Desk or Asset Manager user account and log them on automatically.
- Token only – available for Framework, Web Access and BridgeIT. This option provides single sign-on (SSO) for Web Access and Workspaces using Ivanti Secure Token Server (STS). STS is installed as part of the Ivanti Service Desk or Asset Manager Server installation option.
Single sign-on enables users to log in once to access a number of different applications using a single user name and password. If you use STS, this means that users can log in to Workspaces (BridgeIT) or Web Access using their Active Directory user name and password – which are typically the same credentials that they use to log on to the network.
BridgeIT and Console must both connect to a Framework that has a matching Logon policy. Therefore, if you set BridgeIT to use Token only, you must also set the Framework to which it connects to use Token only. Because Console does not support Token only, you must in this case also create a second Framework that connects to the same database but uses a Logon policy that matches your Console installations.
When you select Token only as the Logon policy for an application, you need to specify the following values:
STS Issue Token Url – the URL for the STS Issue Token that you want to use (for example, https://servername/STS/IssueToken)
User Name and Password – the credentials of a Windows Administrator account on the server hosting STS. These are privileged credentials: use a dedicated account for this purpose rather than a shared administrator login.
Web Access connects directly to the database itself, so you do not need a Framework with a Logon policy that matches that of Web Access.
If you are also connecting BridgeIT to Ivanti Endpoint Manager, then you must have a Framework with the Logon policy set to Token only or Identity Server.
If your BridgeIT application has the Logon policy set to Explicit only, then users sign in using their Service Desk or Asset Manager credentials; if it is set to Token only, they sign in with their network credentials.
- Shibboleth only – available for Framework, Web Access and BridgeIT.
BridgeIT must connect to a Framework that has a matching Logon policy. Therefore, if you set BridgeIT to use Shibboleth only, you must also set the Framework to which it connects to use Shibboleth only. Because Console does not support Shibboleth only, you must in this case also create a second Framework that connects to the same database but uses a Logon policy that matches your Console installations.
Before configuring Service Desk or Asset Manager to use Shibboleth authentication, you need to configure Shibboleth to pass the user's identity in the URL requests that are sent to Service Desk or Asset Manager. Configure this so that the user ID is passed with the request URL as a query parameter in the form:
?http_landesk_user=userid
With the Logon policy set to Shibboleth only, Service Desk and Asset Manager trust the identity delivered in that parameter, so secure access becomes the responsibility of the SAML Authentication Provider (for example, Shibboleth). Make sure that requests cannot reach Web Access or BridgeIT without first passing through the Shibboleth service provider; otherwise the parameter could be supplied by the client rather than by the provider.
For information about configuring Shibboleth, see the documentation supplied with it and Configuring Shibboleth authentication.
- Identity Server – a login authorisation service, available for Framework, Web Access and BridgeIT, that provides both Explicit and Token logon for internal systems. For this option, you need to create an Identity Server web application – for more information, see Creating the Web Applications.
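To make the Shibboleth only trust boundary concrete, here is an added Python illustration; it is not Ivanti or Shibboleth code. It shows the rule the Shibboleth option above relies on: the value of http_landesk_user that reaches the application must come only from the SAML assertion, so a gateway in front of Web Access or BridgeIT has to discard any value the browser supplies and refuse to forward a request that carries no assertion. The host name, the gateway function and the way the asserted identity is obtained are assumptions made for the example; the parameter name and the domain\username login format are the ones this page describes.

```python
"""Added illustration of the Shibboleth only trust boundary (not Ivanti or
Shibboleth code). The application reads the user from http_landesk_user,
so the SAML service provider must be the only party that sets it."""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

USER_PARAM = "http_landesk_user"  # parameter name given on this page


def build_backend_url(client_url: str, asserted_user: Optional[str]) -> str:
    """Rebuild the URL that is forwarded to Web Access / BridgeIT.

    client_url    - the URL as received from the browser; it may already carry
                    an http_landesk_user value, which is dropped unconditionally.
    asserted_user - the identity taken from the SAML assertion (hypothetical
                    source for this example), in domain\\username form.
                    None means no assertion, and the request is refused.
    """
    if not asserted_user:
        raise PermissionError("no SAML assertion for this request; not forwarding")
    parts = urlsplit(client_url)
    # Keep every query parameter except the identity parameter, whatever its
    # case, so a client-supplied value can never survive into the backend URL.
    query = [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() != USER_PARAM
    ]
    query.append((USER_PARAM, asserted_user))
    return urlunsplit(parts._replace(query=urlencode(query)))


def backend_user(url: str) -> Optional[str]:
    """The identity Service Desk / Asset Manager would read from a URL.

    parse_qsl decodes the %5C back to the backslash of domain\\username.
    """
    values = [v for k, v in parse_qsl(urlsplit(url).query) if k == USER_PARAM]
    return values[-1] if values else None


if __name__ == "__main__":
    # Constructed request: a client trying to log on as CORP\admin by typing
    # the parameter itself, with an unrelated parameter alongside it.
    forged = ("https://sd.example.local/WebAccess/"
              "?http_landesk_user=CORP%5Cadmin&view=1")
    print("without the gateway, the app would see:", backend_user(forged))
    gated = build_backend_url(forged, "CORP\\alice")
    print("after the gateway, the app sees:", backend_user(gated))
```

Run as a script, the example shows the forged request would log the client on as CORP\admin if it reached the application directly, while the gated version carries CORP\alice, the identity from the assertion, and a request without an assertion is refused outright.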
For Integrated only, Token only, Shibboleth only, and Identity Server, you need to associate Service Desk and Asset Manager users with a network login using the Administration component in the Console.
For more information about user management, see User Management.
To associate a Service Desk or Asset Manager user with a network login:
- In the Administration component of Console, expand the User Management tree.
- Expand the Users branch and select the required user.
- In the Actions list, click Add Network Login.
The Network Login dialog appears.
- Enter the Network Login for the user (in the format domain\username), then click OK.
The network login appears in the Network Login folder under the user.
Consider creating another Web Access and BridgeIT application in the same instance, connecting to the same database, but with the Logon policy set to Explicit only. This will enable users who do not have a network login, but who do have a Service Desk or Asset Manager account, to access your Service Desk or Asset Manager system using a different web address.