Advanced: Portal Authentication

Use Security > Advanced > Portal Authentication to set up the authentication method for:

  • device users to access the self-service user portal
  • administrators to access the Admin Portal
  • administrators to access the System Manager
NOTE: The authentication methods provided on this screen are not available if you enable SAML in the System Manager in Security > Advanced > SAML. For the Admin Portal and self-service user portal, authentication uses SAML. For the System Manager, local users authenticate to the System Manager using a user ID and password.

Self-service user portal authentication

Device users can authenticate to the self-service user portal using one or both of the following methods, according to how you configure MobileIron Core:

  • a user name and password

    These are the credentials a device user uses to register a device with MobileIron Core. This authentication method is the default.

  • an identity certificate from a smart card

    When using this authentication method, you can also set up the Entrust URL for getting derived credentials.

    See “User portal authentication options” in the Device Management Guide for supported platforms for authenticating with a smart card.

    NOTE: Certificate authentication is also supported in FIPS mode.

The device user can be:

  • an LDAP user
  • an Admin Portal local user as set up in the Admin Portal in Devices & Users > Users.

Admin Portal authentication

Admin Portal administrators are set up as local users in the Admin Portal in Devices & Users > Users. They can authenticate to the Admin Portal using one or both of the following methods, according to how you configure MobileIron Core:

  • a user name and password

    These are the credentials for the local user as set up in the Admin Portal in Devices & Users > Users. This authentication method is the default.

  • an identity certificate from a smart card

    See “Logging in to the Admin Portal with a smart card” in Getting Started with MobileIron Core for supported platforms for authenticating with a smart card.

    NOTE: Certificate authentication is also supported in FIPS mode.

System Manager authentication

System Manager administrators are set up as local users in the System Manager in Security > Local Users. They can authenticate to the System Manager using one or both of the following methods, according to how you configure MobileIron Core:

  • a user name and password

    These are the credentials for the local user as set up in the System Manager in Security > Local Users. This authentication method is the default.

  • an identity certificate from a smart card

    Using an identity certificate from a smart card is supported only on desktop computers. It is not supported on mobile devices. Also, it is not supported with Firefox.

    NOTE: Certificate authentication is also supported in FIPS mode.

Certificates required for certificate authentication to Core portals

To allow certificate authentication to MobileIron Core portals (the Admin Portal, the System Manager, and the self-service user portal), use the MobileIron Core System Manager to upload a PEM-formatted file to Core. The PEM-formatted file contains either:

  • the issuing certificate authority (CA) certificate
  • the supporting certificate chain

MobileIron Core does not check the validity of the certificate that you upload: it does not reject an expired or revoked CA certificate. Before you upload the file, make sure the certificate is valid, that is, not expired and not revoked, and replace it before it expires (see Replacing the certificate for authentication).

When users sign in to a Core portal, they provide an identity certificate from a smart card. The Core portal authenticates the user’s identity certificate against the certificate that you uploaded to Core. The same uploaded certificate is used for authentication to all the Core portals.

NOTE: For authentication of local users, set the User ID of the local user to the user identity from the identity certificate.
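
Because Core does not validate the uploaded file, the check an administrator would run before uploading it is shown here as an added example (not MobileIron code). It uses only the Python standard library and parses just enough X.509 DER to read each certificate's validity period, its BasicConstraints cA flag and its issuer and subject, and it flags a chain that is not ordered issuing CA first, root last (that file order is this example's assumption). The sample bundle is constructed inside the block: structurally valid but unsigned certificates with no real key, not material any CA issued. Revocation cannot be checked offline; that remains a manual step against the CA's CRL or OCSP responder.

```python
"""Offline pre-upload check of the PEM file used for certificate authentication to the Core portals.
Added example, not MobileIron code: reports what Core itself does not check (expiry, CA flag, chain order).
"""
import base64
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                        # id-ce-basicConstraints (2.5.29.19)
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"        # only used to build the sample
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)         # fixed clock so the demo is reproducible

def _tlv(buf, pos):
    """Decode the DER TLV starting at pos -> (tag, value, end, raw)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length, buf[start:pos + length]

def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos, raw = _tlv(value, pos)
        out.append((tag, val, raw))
    return out

def _time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Return issuer and subject (raw DER Name), validity window and the BasicConstraints cA flag."""
    tbs = _children(_children(_tlv(der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:                                      # explicit [0] version (v2/v3)
        tbs = tbs[1:]
    # tbs is now: serial, signatureAlgorithm, issuer, validity, subject, spki, [3] extensions
    not_before, not_after = (_time(t, v) for t, v, _ in _children(tbs[3][1]))
    is_ca = False
    for tag, val, _ in tbs[6:]:
        if tag != 0xA3:
            continue
        for _, ext, _ in _children(_children(val)[0][1]):
            parts = _children(ext)                             # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                inner = _children(_children(parts[-1][1])[0][1])
                is_ca = bool(inner) and inner[0][0] == 0x01 and inner[0][1] != b"\x00"
    return {"issuer": tbs[2][2], "subject": tbs[4][2],
            "not_before": not_before, "not_after": not_after, "is_ca": is_ca}

def check_bundle(pem, now=None):
    """List what must be fixed before upload. Revocation needs the CA's CRL/OCSP and is not covered here."""
    now = now or datetime.now(timezone.utc)
    certs, problems = [], []
    for i, b64 in enumerate(PEM_BLOCK.findall(pem)):
        try:
            certs.append(parse_certificate(base64.b64decode(b"".join(b64.split()))))
        except (ValueError, IndexError) as exc:
            problems.append(f"cert {i}: not a parseable DER certificate ({exc})")
    if not certs and not problems:
        problems.append("no CERTIFICATE blocks found; Core expects a PEM-formatted file")
    for i, c in enumerate(certs):
        if not c["is_ca"]:
            problems.append(f"cert {i}: BasicConstraints cA is not TRUE, so it is not an issuing CA")
        if now > c["not_after"]:
            problems.append(f"cert {i}: expired on {c['not_after']:%Y-%m-%d}")
        elif now < c["not_before"]:
            problems.append(f"cert {i}: not valid until {c['not_before']:%Y-%m-%d}")
        # Assumed file order: issuing CA first, then each issuer in turn up to the root
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert {i}: issuer is not the subject of cert {i + 1}; chain is out of order")
    return {"count": len(certs), "problems": problems, "ok": not problems}

# Constructed sample: structurally valid but UNSIGNED certificates (no key, empty signature)
def _der(tag, content):
    n, lb = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | lb]) + n.to_bytes(lb, "big")
    return bytes([tag]) + length + content

def _name(cn):   # Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def constructed_cert_pem(subject, issuer, from_year, to_year, ca=True):
    """Build a test certificate valid from 1 Jan from_year to 1 Jan to_year (years below 2050)."""
    sig_alg = _der(0x30, _der(0x06, OID_SHA256_RSA) + _der(0x05, b""))
    validity = _der(0x30, b"".join(_der(0x17, f"{y % 100:02d}0101000000Z".encode()) for y in (from_year, to_year)))
    basic = _der(0x04, _der(0x30, _der(0x01, b"\xff") if ca else b""))
    exts = _der(0xA3, _der(0x30, _der(0x30, _der(0x06, OID_BASIC_CONSTRAINTS) + _der(0x01, b"\xff") + basic)))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + _name(issuer)
               + validity + _name(subject) + _der(0x30, b"") + exts)          # empty SPKI placeholder
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (constructed_cert_pem("Constructed Issuing CA", "Constructed Root CA", 2020, 2030)
                 + constructed_cert_pem("Constructed Root CA", "Constructed Root CA", 2019, 2039))

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE, now=SAMPLE_NOW))
```

Run it against the real file with `check_bundle(open("issuing-ca.pem", "rb").read())` before clicking Upload Certificate; an empty `problems` list means the file is at least well-formed, unexpired and made of CA certificates in a consistent order. A cert that the checker accepts can still be revoked, so confirm that separately with the issuing CA.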

Certificate attribute mapping used in certificate authentication to the Core portals

When the user presents an identity certificate for authentication, MobileIron Core authenticates the identity certificate against the issuing CA certificate or certificate chain you uploaded to Core. As part of that authentication, Core makes sure the user identity in the identity certificate belongs to a valid Core user. You configure which field in the identity certificate and which Core substitution variable must match.

Therefore, when you upload the certificate used for authenticating users' identity certificates, you also configure the following mapping information:

  • which field from the identity certificate the authentication uses as the user identity. The choices are:

    • the NT Principal Name
    • the RFC822 email name

    Your choice must match the Subject Alternative Name type you chose for generating the identity certificate.

    NOTE: For the NT Principal Name, MobileIron Core uses the User Principal Name in the Subject Alternative Name (SAN) in the identity certificate.
  • the Core substitution variable, against which the authentication compares the user identity.

    Allowed variables depend on the Core portal, as shown in the following table:

    Table 1. Supported variables in Core

    Variable             Admin Portal and Self-Service User Portal   System Manager
    $USERID$ (default)   Yes                                         Yes
    $EMAIL$              Yes                                         Yes
    $USER_UPN$           Yes                                         No
    $EDIPI$              No                                          Yes
    $USER_CUSTOM1$       Yes                                         No
    $USER_CUSTOM2$       Yes                                         No
    $USER_CUSTOM3$       Yes                                         No
    $USER_CUSTOM4$       Yes                                         No

    $EDIPI$ is for the Department of Defense only. See Using $EDIPI$ in certificate authentication.

    Your choice depends on the Core variable you chose to populate the Subject Alternative Name in the identity certificate.

  • You can map up to two attributes. If you configure a second attribute, both fields in the identity certificate must match their corresponding Core substitution variables.

Note the following:

  • The same user identity mapping to a Core variable is used for authentication to both the user portal and the Admin Portal.
  • You separately configure the user identity mapping to a Core variable for System Manager authentication.
  • Using $USER_UPN$ and $USER_CUSTOM1$ through $USER_CUSTOM4$ is only applicable for LDAP users.
  • Consider the case in which you specify the NT Principal Name as the field to use from the identity certificate, and you specify $USERID$, $EMAIL$, or $USER_UPN$ as the Core substitution variable to match. MobileIron Core accepts both of the following formats as a match:

    • DOMAIN\userid
    • userid@domain

    That is, the NT Principal Name and the Core substitution variable can have different formats, but match as long as the domain and userid match.

  • Core versions prior to 10.0.0.0 always compared the User Principal Name in the Subject Alternative Name in the identity certificate to Core’s list of values for the $USERID$ variable. It accepted as a match either of the formats DOMAIN\userid and userid@domain. If no match was found, Core compared the RFC822 email address in the Subject Alternative Name to Core’s list of values for the $EMAIL$ variable. If you are upgrading from one of those prior Core releases, Core continues the same behavior until you apply a new configuration in the System Manager in Security > Advanced > Portal Authentication.
  • If you use a custom LDAP variable ($USER_CUSTOM1$ through $USER_CUSTOM4$) to compare the user identity against, the variable must resolve to exactly one value. If it resolves to multiple values, the authentication fails.
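
The matching rules in Table 1 and the notes above, written out as an added example (not MobileIron code) so they can be tried offline against constructed data. The portal names, the dataclass fields, the constructed users and certificates, and the case-insensitive comparison are assumptions of this example; the "@mil" UPN suffix on the CAC-style sample is the common convention, not something this page states. Only $USERID$, $EMAIL$ and $USER_UPN$ get the DOMAIN\userid and userid@domain equivalence the page describes; every other variable, including $EDIPI$, is compared as stored, which is why the stored format has to match the certificate.

```python
"""Certificate-to-user matching rules for the Core portals, as described on this page.

Added example, not MobileIron code: it encodes the documented rules so they can be tried offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union

# "Map from attribute" choices: which Subject Alternative Name entry supplies the user identity
NT_PRINCIPAL_NAME = "NT Principal Name"     # the User Principal Name (otherName) in the SAN
RFC822_EMAIL = "RFC822 email name"          # the rfc822Name in the SAN

# Portals and the substitution variables each one accepts (Table 1)
ADMIN_AND_USER_PORTAL = "Admin Portal / Self-Service User Portal"
SYSTEM_MANAGER = "System Manager"
CUSTOM_VARIABLES = {f"$USER_CUSTOM{i}$" for i in range(1, 5)}
SUPPORTED_VARIABLES = {
    ADMIN_AND_USER_PORTAL: {"$USERID$", "$EMAIL$", "$USER_UPN$"} | CUSTOM_VARIABLES,
    SYSTEM_MANAGER: {"$USERID$", "$EMAIL$", "$EDIPI$"},
}
LDAP_ONLY_VARIABLES = {"$USER_UPN$"} | CUSTOM_VARIABLES
# With these variables, DOMAIN\userid and userid@domain count as the same identity
PRINCIPAL_VARIABLES = {"$USERID$", "$EMAIL$", "$USER_UPN$"}


@dataclass
class IdentityCert:
    upn: Optional[str] = None      # UPN from the SAN, None if the certificate carries none
    rfc822: Optional[str] = None   # rfc822Name from the SAN


@dataclass
class CoreUser:
    variables: Dict[str, Union[str, List[str]]]   # custom LDAP attributes may be multi-valued
    is_ldap: bool = False                          # False for a local user


def _principal(value: str) -> Tuple[str, str]:
    """Split DOMAIN\\userid or userid@domain into (userid, domain).

    Case-insensitive comparison is this example's assumption; the page does not say how Core
    treats case. The domain text is compared literally: nothing maps a NetBIOS name to a DNS suffix.
    """
    if "\\" in value:
        domain, userid = value.split("\\", 1)
    elif "@" in value:
        userid, domain = value.rsplit("@", 1)
    else:
        userid, domain = value, ""
    return userid.casefold(), domain.casefold()


def match_one(cert: IdentityCert, user: CoreUser, map_from: str, map_to: str, portal: str) -> bool:
    """Apply one Map from / Map to pair."""
    if map_to not in SUPPORTED_VARIABLES[portal]:
        raise ValueError(f"{map_to} is not offered for the {portal} (see Table 1)")
    if map_to in LDAP_ONLY_VARIABLES and not user.is_ldap:
        return False                       # $USER_UPN$ and $USER_CUSTOMn$ apply to LDAP users only
    cert_value = cert.upn if map_from == NT_PRINCIPAL_NAME else cert.rfc822
    core_value = user.variables.get(map_to)
    if map_to in CUSTOM_VARIABLES and isinstance(core_value, list):
        if len(core_value) != 1:
            return False                   # a custom variable must resolve to exactly one value
        core_value = core_value[0]
    if cert_value is None or not isinstance(core_value, str):
        return False
    if map_from == NT_PRINCIPAL_NAME and map_to in PRINCIPAL_VARIABLES:
        return _principal(cert_value) == _principal(core_value)
    return cert_value.casefold() == core_value.casefold()   # $EDIPI$ etc.: the stored format must match


def authenticate(cert: IdentityCert, user: CoreUser,
                 mappings: Sequence[Tuple[str, str]], portal: str) -> bool:
    """One or two mappings may be configured; when two are, both must match."""
    if not 1 <= len(mappings) <= 2:
        raise ValueError("configure one or two attribute mappings")
    return all(match_one(cert, user, f, t, portal) for f, t in mappings)


def legacy_authenticate(cert: IdentityCert, user: CoreUser) -> bool:
    """Core before 10.0.0.0: UPN against $USERID$ (either format), then RFC822 against $EMAIL$."""
    userid = user.variables.get("$USERID$")
    if cert.upn and isinstance(userid, str) and _principal(cert.upn) == _principal(userid):
        return True
    email = user.variables.get("$EMAIL$")
    return bool(cert.rfc822 and isinstance(email, str) and cert.rfc822.casefold() == email.casefold())


# Constructed sample data, not taken from any real directory or card
LDAP_USER = CoreUser({"$USERID$": "EXAMPLE\\jdoe", "$EMAIL$": "jdoe@example.test",
                      "$USER_UPN$": "jdoe@example", "$USER_CUSTOM1$": ["1234567890"]}, is_ldap=True)
JDOE_CERT = IdentityCert(upn="jdoe@example", rfc822="JDoe@example.test")
CAC_CERT = IdentityCert(upn="1234567890@mil")   # EDIPI in the UPN; "@mil" suffix is an assumption
SM_ADMIN = CoreUser({"$USERID$": "jdoe", "$EDIPI$": "1234567890@mil"})

if __name__ == "__main__":
    print(authenticate(JDOE_CERT, LDAP_USER, [(NT_PRINCIPAL_NAME, "$USERID$")], ADMIN_AND_USER_PORTAL))
    print(authenticate(CAC_CERT, SM_ADMIN, [(NT_PRINCIPAL_NAME, "$EDIPI$")], SYSTEM_MANAGER))
```

Two behaviours are worth trying before relying on them in production: a second mapping turns a login that succeeds on $USERID$ alone into a failure when the e-mail does not also match, and a multi-valued custom LDAP attribute fails even when one of its values is correct.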

Using $EDIPI$ in certificate authentication

Using the MobileIron Core substitution variable $EDIPI$ is applicable only to Department of Defense customers. You enter it when adding a System Manager local user. The variable contains the Department of Defense identification number, also known as the Electronic Data Interchange Personal Identifier.

Therefore, if you are a Department of Defense customer setting up authentication to the System Manager using a certificate on a Common Access Card (CAC), you must follow these steps:

Procedure 

  1. Enter a value into the EDIPI field when you create a System Manager local user.

    Make sure the format of the $EDIPI$ value for each local user matches the format of the EDIPI value in the NT Principal Name in the user's identity certificate.

  2. Use the $EDIPI$ variable as the attribute against which the authentication compares the user identity.

    Although using $EDIPI$ is required for CACs, MobileIron Core does not enforce the selection when you configure portal authentication. Core also does not check that you have entered an EDIPI value for the System Manager local users.

Entrust URL for getting derived credentials

When using certificate authentication to the self-service user portal, you can set up MobileIron Core so that users can get their Entrust derived credentials when they get their Core registration PIN. Specifically, in the System Manager, you provide Core with the Entrust IdentityGuard Self-Service Module (SSM) URL. This URL is a deep link that points directly to the page on the Entrust self-service portal where a user can get a derived credential.

When the user requests a derived credential on the user portal, the user portal redirects the user to the URL you provided. The user interacts with the Entrust self-service portal to get a derived credential, after which the Entrust self-service portal redirects the user back to the MobileIron Core user portal. The user uses the PIV-D Entrust app on a mobile device to activate the derived credential.

For more information, see the MobileIron Core Derived Credentials Guide.

Configuring password authentication to a Core portal

You can configure the following:

  • Allow device users to authenticate with their user name and password to the self-service user portal.
  • Allow administrators to authenticate with their user name and password to the Admin Portal.
  • Allow administrators to authenticate with their user name and password to the System Manager.
NOTE: This authentication method is the default MobileIron Core setting.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Password Authentication.
  4. Under Password Authentication, select one or more of Self-Service User Portal, Admin Portal, or System Manager.
  5. Click Apply > OK.

Configuring certificate authentication to the user portal

You can allow device users to authenticate to the self-service user portal with the identity certificate on a smart card.

Before you begin: Have the PEM-formatted issuing CA certificate or certificate chain available to upload to MobileIron Core if you have not already uploaded it for authentication to another portal.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Certificate Authentication.
  4. Under Certificate Authentication, select Self-Service User Portal.
  5. Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.

    NOTE: MobileIron Core uses the same issuing CA certificate or certificate chain for authentication to all Core portals. If you have already uploaded the file, skip this step. Continue to selecting certificate attribute mapping.
  6. Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
  7. Click Upload Certificate > OK.
  8. In Select Certificate Attribute Mapping:

    1. In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
    2. In the Map to attribute dropdown, select the Core variable with which to compare the user identity.
    NOTE: MobileIron Core uses the same attribute mapping for authentication to both the user portal and the Admin Portal. If you already set this mapping, skip this step.
  9. Click Apply > OK.

    IMPORTANT: Clicking Apply changes Core authentication behavior to compare the Map from attribute user identity type to the Map to attribute Core variable. The behavior in Core versions prior to 10.0.0.0 compared the User Principal Name to $USERID$ and the RFC822 email to $EMAIL$.

Configuring certificate authentication to the Admin Portal

You can allow administrators to authenticate to the Admin Portal with the identity certificate on a smart card.

Before you begin: Have the PEM-formatted issuing CA certificate or certificate chain available to upload to MobileIron Core if you have not already uploaded it for authentication to another portal.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Certificate Authentication.
  4. Under Certificate Authentication, select Admin Portal.
  5. Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.

    NOTE: MobileIron Core uses the same issuing CA certificate or certificate chain for authentication to all Core portals. If you have already uploaded the file, skip this step. Continue to selecting certificate attribute mapping.
  6. Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
  7. Click Upload Certificate > OK.
  8. In Select Certificate Attribute Mapping:

    1. In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
    2. In the Map to attribute dropdown, select the Core variable with which to compare the user identity.
    NOTE: MobileIron Core uses the same attribute mapping for authentication to both the user portal and the Admin Portal. If you already set this mapping, skip this step.
  9. Click Apply > OK.

Configuring certificate authentication to the System Manager

You can allow administrators to authenticate to the System Manager with the identity certificate on a smart card.

Before you begin: Have the PEM-formatted issuing CA certificate or certificate chain available to upload to MobileIron Core if you have not already uploaded it for authentication to another portal.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Certificate Authentication.
  4. Under Certificate Authentication, select System Manager.
  5. Select PIV or CAC, depending on whether the identity certificate to authenticate is on a personal identity verification (PIV) card or common access card (CAC).
  6. Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.

    NOTE: MobileIron Core uses the same issuing CA certificate or certificate chain for authentication to all Core portals. If you have already uploaded the file, skip this step. Continue to selecting certificate attribute mapping.
  7. Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
  8. Click Upload Certificate > OK.
  9. In Select Certificate Attribute Mapping:

    1. In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
    2. In the Map to attribute dropdown, select the Core variable with which to compare the user identity. If you selected CAC in step 5, you must select $EDIPI$.
  10. Click Apply > OK.

Configuring the Entrust URL for getting derived credentials

Before you begin: Set up certificate authentication to the self-service user portal as described in Configuring certificate authentication to the user portal.

Procedure

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Derived Mobile Smart Credential (Self-Service User Portal Only).

    The field Entrust IdentityGuard SSM URL appears.

  4. Enter the Entrust IdentityGuard Self-Service Module (SSM) URL.

    This URL is a deep link that points directly to the page on the Entrust self-service portal where a user can get a derived credential.

  5. Click Apply > OK.

For more information, see the MobileIron Core Derived Credentials Guide using the PIV-D Entrust App.

Replacing the certificate for authentication

After you have uploaded a PEM-formatted file to Core, you can replace it when necessary. For example, if the existing issuing CA certificate is about to expire, upload a replacement.

NOTE: MobileIron Core uses the same issuing CA certificate or certificate chain for authentication to all Core portals.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Click Replace CA Certificate.
  4. Click Choose File, and select the PEM-formatted file that contains either the replacement issuing CA certificate or the supporting certificate chain.
  5. Click Upload Certificate > OK.
  6. Click Save > OK.