Configuration Center

Identity Server is a Secure Token Service that delivers OAuth2 and OpenID Connect tokens. It acts as a login authorization service that replaces the standard logon policy for Framework and BridgeIT. Using this service, you can utilize single sign in and federated authentication.

Identity Serve also allows you to handle both explicit and token logons simultaneously through the framework.

To set up Identity Server, see the process overview.

When you have installed the software to run on your Ivanti Web Server, you need to use the Configuration Center to create an instance, an application pool, and then the required web applications.

From a web browser, open https://[server name]/ConfigurationCenter.

Replace [server name] with the name of your Ivanti Web server. The page automatically logs you in with your Ivanti® Endpoint Manager credentials. Select the one instance option available.

By default, both My.Framework and My.BridgeIT are installed to your instance.

Your login credentials are specific to your Ivanti core server. Just follow the normal Windows rules for remote login (i.e., if the user is local to that core server, just enter the user name; if the user is a domain user, enter the domain name\user name).

The Identity Server logon policy allows you to handle both token and explicit connection types. While this setting is not exclusive to users wanting Identity Server, we recommend making this change as a long-term solution. It can remove the need to specify only one Windows logon method or the other, instead allowing you to handle both simultaneously.

If you want to use the Identity Server, this task must be completed.

To change the logon policy

1.Click Edit next to the My.Framework application.

2.Change the Logon policy to Identity Server.

3.Click OK to save.

If you're setting up Identity Server, continue to the task below for changing the BridgeIT logon policy.

If you've upgraded to Ivanti® Endpoint Manager 2016.4 from a previous version, then you must update your framework for users to access Workspaces. Until this is performed, Workspaces is no longer accessible to users.

•For environments using only Ivanti® Endpoint Manager 2016.4, this upgrade is required to use Workspaces.

•For integrated environments using Ivanti® Endpoint Manager and Service Desk 2016.4 with an integrated Workspace, this upgrade is required, but must be performed in a specific order.

From the Configuration Center, click Update next to the My.Framework application. The update begins.

Plan this task accordingly, as the update may take some time to complete. Once complete, you'll need to perform the next task below of changing the Framework Logon policy to Identity Server.

When using the Identity Server with Ivanti® Endpoint Manager, all configuration settings are automatically populated with the details needed to run it from your LDAP database.

This step must be done prior to changing the logon policy for BridgeIT to Identity Server.

To use the Identity Server, you must first add it as an application

1.Under Available Applications, click Create for Identity Server. The Identity Server Secret is automatically populated with the values set from the BridgeIT application.

2.Set the User Consent Expiration (Days) as desired. By default, this is set to 7. This determines how often users must allow their user identifier to be used when accessing Workspaces before they are prompted to give access once again.

3.Click OK.

Organizations use different methods of user authentication. Companies using Active Directory or logins explicit to Ivanti® Endpoint Manager only will use the Token only option, whereas the Explicit only logon policy is more relevant to Service Desk users.

Selecting a logon policy defines the authentication method you wish to use when determining which users credentials you want to leverage. Specific services will require certain logon policies.

BridgeIT must connect to a framework with the same Logon policy. For example, if BridgeIT is set to Token only, then you must also set the Framework to Token only.

•Explicit only. This option is available for all applications. When selected, users must enter their Ivanti Service Desk credentials to access the applications each time they log in.

•Integrated only. This option is available for Framework and Web Access. By picking this option, the Identity Server uses the user's network credentials to identify their corporate account and log in automatically.

•Token only. This is the default, and available for Framework, Web Access, and BridgeIT. We recommend using this specifically for Web Access and BridgeIT. This option provides single sign-on (SSO) for Web Access and BridgeIT using Ivanti's Secure Token Server (STS). The STS is installed as part of the Ivanti Service Desk or Asset Central server installation option. SSO allows users to log in once to access a variety of different applications through the use of a single username and password. If you use the STS, this means that users can log in to Workspaces (BridgeIT) or Web Access with their Active Directory username and password.

•Shibboleth only. This option is available for Framework, Web Access, and BridgeIT. Shibboleth must be configured to pass the user's identity in the URL request that is sent to Ivanti® Endpoint Manager. For more information about configuring Shibboleth, see Service Desk's documentation on Configuring Shibboleth authentication. You'll need to include the following in the header of the form:

?http_landesk_user=userid

If the Logon policy is set to Shibboleth only, secure access to Workspaces becomes the sole responsibility of Shibboleth.

•Identity Server. This option allows you to use the Identity Server, a login authorization service that utilizes both Explicit and Token logon policies.

As part of the process for configuring use of the Identity Server, you must configure the BridgeIT app before creating the Identity Server application.

If you want to handle all user logins to Workspaces with Identity Server, you'll need to change the logon policy for the BridgeIT application.

Devices from outside the network cannot use the Identity Server for authentication. If users need to access Workspaces via an address other than the fully-qualified domain name of the server, then you must create another BridgeIT application with the Token only logon policy.

To redirect the BridgeIT application to use Identity Server

1.Click Edit for the My.BridgeIT application.

2.Open the drop-down menu for Logon policy and select Identity Server. The Identity Server Secret and Identity Server Url automatically populates.

3.Click OK.

Discovery Services allows you to collect discovery data from third-party sources. You can monitor this device data from the Workspaces interface, as well as make changes.

To enable device discovery

1.Click Edit for the My.BridgeIT application.

2.For the Discovery Web Api Url field, enter https://[hostname]/discovery\api, replacing [hostname] with your core server hostname.

3.If needed, enter the User Name and Password for STS and click Test STS Connection to ensure a connection can be made between services.

4.Click OK.

Once completed, you can continue device discovery setup on Workspaces.