Ivanti Identity Broker integration

You have the option of integrating Xtraction with the Ivanti Identity Broker web application that is part of the Ivanti Identity Director installer.

Integrating with Identity Broker enables you to tie your Xtraction user accounts to the corresponding user accounts of an external system (known as an identity provider). Identity Broker acts as a "broker" to process authentication requests between Xtraction and a configured identity provider using the standard OpenID Connect protocol. For Xtraction, supported identity providers are:

Microsoft Azure AD, using your Azure Active Directory (includes Microsoft 365)

Okta, using your Okta instance

You do not need to own Identity Director in order to use the Identity Broker web application. You can install just Identity Broker and still be within license compliance.

Integration with Identity Broker works only with Xtraction version 2022.3.

Getting started

This topic guides you through the process of integrating Xtraction with Identity Broker. It assumes that:

You've already set up Identity Broker, which is part of the installer for Identity Director 2020.0 and higher. For details, see the Identity Broker topic Install the Identity Broker.

You're currently set up to use Azure AD, Okta, or both.

Once the above conditions are met, the broad steps to integrate Xtraction with Identity Broker are as follows:

Create Xtraction as an application in Okta, Azure AD, or both. See procedures below.

Configure Okta, Azure AD, or both as identity providers within Identity Broker. For details about configuring Azure AD, see the Identity Broker topic Configure Identity Providers > Azure Active Directory. To configure Okta as an identity provider, see the procedure below.

Configure Xtraction as an identity consumer within Identity Broker. For details, see the Identity Broker topic Configure Identity Consumers. When adding Xtraction as an identity consumer, we suggest using Xtraction as the Name and ID and entering the Redirect URIs as follows:

Redirect URI: https://<XtractionServer>/api/auth/signin-oidc

Post Logout Redirect URI: https://<XtractionServer>/xtraction/#/logout

Set up Identity Broker custom authentication within the Xtraction Settings utility. (This only needs to be done once, as it applies to both Okta and Azure AD connections.) See the procedure below.

Update the appsettings.Production.json file on your Xtraction server. See the procedure below.

Test the Identity Broker configuration. See the procedure below.

Troubleshooting tips

When starting Xtraction via Identity Broker, you may encounter the following issues:

SSL/TLS errors.

To fix: On the Xtraction server, run the following two PowerShell commands so that .NET Framework applications use strong cryptography (current TLS versions) for their SSL/TLS connections. Reboot the server afterwards for the change to take effect:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

The following error message: "The client application is not known or is not authorized."

To fix: The ClientId and ClientSecret in the appsettings.Production.json file must be identical to the values you set for the Xtraction identity consumer in Identity Broker. Edit the .json file (located by default at C:\Program Files (x86)\Xtraction Software\Xtraction\Web\Server) with the correct values, save it, reset IIS (for example, by running iisreset), and then try again.

An error message similar to the following after entering your Azure AD or Okta credentials:

{"type":"https://tools.ietf.org/html/rfc7235#section-3.1","title":"Unauthorized","status":401,"traceId":"00-d5cd303132c8d04bb322cf100c66f53a-0d7ca7ca9040ba4a-00"}

To fix: Copy the Identity Broker certificate and install it on the Xtraction server in the Trusted Root Certification Authorities store.
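As an added diagnostic that is not part of Ivanti's documentation or product, the PowerShell script below checks, on the Xtraction server, the conditions behind the three troubleshooting tips above (both SchUseStrongCrypto registry values, the ClientId/ClientSecret entries in appsettings.Production.json, and whether the Identity Broker TLS certificate chains to a trusted root) and prints the Redirect URIs expected for the Xtraction identity consumer. The host names are placeholders, the appsettings path is the default given above, and because the topic does not document the layout of the .json file, the script searches it recursively for properties named ClientId and ClientSecret (an assumption); the secret value itself is never printed.

```powershell
# Added diagnostic script, not part of Ivanti's documentation or product.
# Run it in an elevated PowerShell session on the Xtraction server.
param(
    [string]$XtractionServer    = 'xtraction.example.local',       # placeholder host name
    [string]$IdentityBrokerHost = 'identitybroker.example.local',  # placeholder host name
    [string]$AppSettingsPath    = 'C:\Program Files (x86)\Xtraction Software\Xtraction\Web\Server\appsettings.Production.json'
)

# --- 1. Redirect URIs to compare with the Xtraction identity consumer in Identity Broker
Write-Host "Expected Redirect URI:             https://$XtractionServer/api/auth/signin-oidc"
Write-Host "Expected Post Logout Redirect URI: https://$XtractionServer/xtraction/#/logout"

# --- 2. SchUseStrongCrypto must be 1 in both the 64-bit and the 32-bit (Wow6432Node) .NET key
$strongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $strongCryptoKeys) {
    $item = Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
    if ($item -and $item.SchUseStrongCrypto -eq 1) {
        Write-Host "OK      SchUseStrongCrypto=1 under $key"
    } else {
        Write-Warning "SchUseStrongCrypto is not 1 under $key; set it as described in the topic and reboot"
    }
}

# --- 3. ClientId / ClientSecret present in appsettings.Production.json (the secret is never displayed)
function Find-JsonProperty {
    # Walks the parsed JSON recursively; assumption: the values are string properties at any depth.
    param($Object, [string]$Name, [string]$Prefix = '')
    foreach ($prop in $Object.PSObject.Properties) {
        if ($prop.Name -eq $Name) {
            [pscustomobject]@{ Path = "$Prefix$($prop.Name)"; Value = $prop.Value }
        } elseif ($prop.Value -is [System.Management.Automation.PSCustomObject]) {
            Find-JsonProperty -Object $prop.Value -Name $Name -Prefix "$Prefix$($prop.Name)."
        }
    }
}
if (Test-Path -LiteralPath $AppSettingsPath) {
    try {
        $settings = Get-Content -LiteralPath $AppSettingsPath -Raw | ConvertFrom-Json
        foreach ($hit in Find-JsonProperty -Object $settings -Name 'ClientId') {
            Write-Host "ClientId at $($hit.Path) = '$($hit.Value)' (must match the identity consumer's ID in Identity Broker)"
        }
        foreach ($hit in Find-JsonProperty -Object $settings -Name 'ClientSecret') {
            $state = if ([string]::IsNullOrWhiteSpace($hit.Value)) { 'EMPTY' } else { 'set' }
            Write-Host "ClientSecret at $($hit.Path) is $state"
        }
    } catch {
        Write-Warning "appsettings.Production.json did not parse as JSON: $($_.Exception.Message)"
    }
} else {
    Write-Warning "Not found: $AppSettingsPath"
}

# --- 4. Does the Identity Broker TLS certificate chain to a root this server trusts?
# AuthenticateAsClient performs the normal chain validation, so an untrusted root surfaces as an exception.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($IdentityBrokerHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($IdentityBrokerHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "OK      Identity Broker certificate trusted: subject '$($cert.Subject)', issuer '$($cert.Issuer)', expires $($cert.NotAfter)"
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    Write-Warning "TLS handshake with $IdentityBrokerHost failed: $($_.Exception.Message). If the root is not trusted, import the Identity Broker certificate into the computer's Trusted Root Certification Authorities store."
}
```

Run the script once before changing anything and again after each fix; a warning in step 2 that persists after the registry change usually means the server has not been rebooted yet, and a failure in step 4 that mentions certificate validation points at the missing trusted root rather than at the ClientId/ClientSecret values.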