Delegated IdP overview

In most cases Ivanti Access is deployed as a proxy between the service provider (SP) and the identity provider (IdP). In such a deployment, all federated SP traffic goes through Ivanti Access. In some cases, you may want to retain the existing SP-IdP federated setup, but deploy Access to federate a sub set of the traffic, such as traffic from mobile devices. In such cases, Ivanti Access can be deployed as a delegated IdP rather than as a proxy to the IdP. If Access is deployed as a delegated IdP, the original IdP is seen as an SP by Ivanti Access.

Ivanti Access can be deployed as the delegated IdP only for the following IdPs:

  • Idaptive
  • Microsoft ADFS
  • Okta
  • PingFederate

In an Ivanti Access configured as a delegated IdP:

  • To authenticate managed devices, configure certificate single sign-on (SSO) in the UEM.
  • To authenticate unmanaged devices, you have the option to enable Unmanaged Device Authentication in Ivanti Access. If authentication for unmanaged devices is enabled, the unmanaged device is redirected to the original IdP for forms-based authentication.