Authentication flow with Ivanti Access
The following describe the authentication flow with Ivanti Access.
•Managed non-AppConnect app using Ivanti Tunnel
•AppConnect apps with Ivanti Access enabled (Ivanti EPMM only)
This section is not applicable if you are deploying Access + Standalone Sentry.
Managed non-AppConnect app using Ivanti Tunnel
The following describes the authentication flow when a managed non-AppConnect app accesses a enterprise cloud service.
Figure 1. Authentication flow for a managed non-appconnect app 
| 1. | A managed app triggers Ivanti Tunnel. |
| 2. | If the device is in compliance, Ivanti Tunnel establishes a secure connection with Ivanti Access. |
| 3. | The managed app connects to the service provider (SP) through Ivanti Tunnel. |
Split Tunneling is enabled: If split tunneling is enabled, and the split tunneling does not require tunneled connection to the service provider, the app connects directly with the service provider.
| 4. | If the managed app does not have a valid session token, the SP issues a SAML 2.0 AuthN Request to the app and redirects the app to Ivanti Access. |
| 5. | Ivanti Access issues a secondary SAML AuthN Request based on the AuthN Request in step 4. The AuthN Request is issued via SAML and points the user to the identity provider (IdP). |
| 6. | If the user does not have a current valid session token, the identity provider (IdP) requests the user’s credentials. If the credentials match, the IdP issues a SAML Assertion to the user. The SAML Assertion identifies the user and redirects the user to Access. |
| 7. | The user presents the SAML Assertion to Ivanti Access. If conditional rules for access control allow, Ivanti Access issues a secondary SAML Assertion to the user. The secondary SAML Assertion identifies the user and redirects the user to the cloud service (SP). |
| 8. | The user presents the secondary SAML Assertion to the cloud service (SP). The SP verifies the secondary SAML Assertion and creates a session token to the app. The session token gives the user access to the SP. |
AppConnect apps with Ivanti Access enabled (Ivanti EPMM only)
AppConnect apps with Ivanti Access enabled automatically use HTTP tunnel to Ivanti Access.