Zero sign-on support in Ivanti Access using FIDO hardware keys for unmanaged desktops

For unmanaged desktops, users can now use their FIDO-enabled hardware keys to access the service provider with zero sign-on.

When the user is authenticated using certificate-based SSO, attribute mappings in the Ivanti Access federated pair configuration are required to populate the attributes sent to the Service Provider (SP) in the SAML assertion. The attribute mappings and transformations configured in the federated pair are used to extract user attributes from the identity certificate and transform them into service provider-specific attributes when constructing the SAML assertion.

With a FIDO hardware security key, the identity certificate is neither available to Ivanti Access nor used to authenticate the user. Consequently, there is no option to obtain user attributes from a certificate to generate the SAML assertion after FIDO authentication.

The following procedure must be completed to configure hardware keys:

  • The admin configures Ivanti Access to use Access Attributes.

  • The admin configures a User Portal (to register and manage keys).

  • The user logs on to the User Portal and registers the hardware key.

  • The user logs on to the SP using the "Sign in using Register Key" option on the ZSO interaction page.

Use case

  • Allow users to sign in to the federated service without a password from an unmanaged desktop.

For managed desktops, use Ivanti Tunnel or Authenticate.