Choosing the logon policy

This topic helps you to choose the most appropriate logon policy for your implementation. For instructions on setting the logon policy for a web application, see Setting the Logon policy.

Your implementation MUST include a Framework that has the Logon policy set to Explicit only, because whenever you upgrade the database you must be using a Framework with this logon policy. However, we do not recommend using Explicit only for users in the live system, so also create an additional Framework for the web applications to use that has one of the recommended logon policies described below. We recommend that you configure IIS IP/Domain filtering to restrict access to the Explicit Logon Framework to localhost only.

 

Are you using...

Recommendation

1

Workspaces

No – use Integrated only, unless you are also using Ivanti Endpoint Manager, in which case, go to 3.
Yes – go to 2.

2

Shibboleth/SAML on your estate

No – go to 3.
Yes – use Shibboleth only.

3

Xtraction

No – use Token only.
Yes – use Identity Server.

Notes on the above:

Integrated only – this is a legacy logon policy for organisations that use only Web Access and Console. It is easy to set up and enables users to log on without re-entering their credentials.

Shibboleth only – available for all client types and enables users to log on using their network credentials. This is appropriate if your organisation already uses SAML-based authentication such as Shibboleth.

Token only – available for all client types and enables users to log on using their network credentials.

Identity Server – available for all client types and enables users to log on using their network credentials. You must use this logon policy if you are using Ivanti Xtraction. However, users must be on the network and the web address for the application must use the Fully Qualified Domain Name.