Advanced: Portal Authentication

Use Security > Advanced > Portal Authentication to set up the authentication method for:

  • device users to access the self-service user portal
  • administrators to access the Admin Portal
  • administrators to access the System Manager

The authentication methods provided on this screen are not available if you enable SAML in the System Manager in Security > Advanced > SAML. For the Admin Portal and self-service user portal, authentication uses SAML. For the System Manager, local users authenticate to the System Manager using a user ID and password.

Self-service user portal authentication

Device users can authenticate to the self-service user portal using one or both of the following methods, according to how you configure Ivanti EPMM:

  • a user name and password

    These are the credentials a device user uses to register a device with Ivanti EPMM. This authentication method is the default.

  • an identity certificate from a smart card

    When using this authentication method, you can also set up the Entrust URL for getting derived credentials.

    See “User portal authentication options” in the Device Management Guide for supported platforms for authenticating with a smart card.

    Certificate authentication is also supported in FIPS mode.

The device user can be:

  • an LDAP user
  • an Admin Portal local user as set up in the Admin Portal in Devices & Users > Users.

Admin Portal authentication

Admin Portal administrators are set up as local users in the Admin Portal in Devices & Users > Users. They can authenticate to the Admin Portal using one or both of the following methods, according to how you configure Ivanti EPMM:

  • a user name and password

    These are the credentials for the local user as set up in the Admin Portal in Devices & Users > Users. This authentication method is the default.

  • an identity certificate from a smart card

    See “Logging in to the Admin Portal with a smart card” in Getting Started with Ivanti EPMM for supported platforms for authenticating with a smart card.

    Certificate authentication is also supported in FIPS mode.

System Manager authentication

System Manager administrators are set up as local users in the System Manager in Security > Local Users. They can authenticate to the System Manager using one or both of the following methods, according to how you configure Ivanti EPMM:

  • a user name and password

    These are the credentials for the local user as set up in the System Manager in Security > Local Users. This authentication method is the default.

  • an identity certificate from a smart card

    Using an identity certificate from a smart card is supported only on desktop computers. It is not supported on mobile devices. Also, it is not supported with Firefox.

    Certificate authentication is also supported in FIPS mode.

Certificates required for certificate authentication to Ivanti EPMM portals

To allow certificate authentication to Ivanti EPMM portals (the Admin Portal, the System Manager, and the self-service user portal), use the Ivanti EPMM System Manager to upload a PEM-formatted file to Ivanti EPMM. The PEM-formatted file contains either:

  • the issuing certificate authority (CA) certificate
  • the supporting certificate chain

Ivanti EPMM does not check the certificate’s validity. Make sure the certificate that you upload is valid. That is, make sure it is not expired and not revoked.

When users sign in to an Ivanti EPMM portal, they provide an identity certificate from a smart card. The Ivanti EPMM portal authenticates the user’s identity certificate against the certificate that you uploaded to Ivanti EPMM. The same uploaded certificate is used for authentication to all the Ivanti EPMM portals.

For authentication of local users, set the User ID of the local user to the user identity from the identity certificate.

Certificate attribute mapping used in certificate authentication to the Ivanti EPMM portals

When the user presents an identity certificate for authentication, Ivanti EPMM authenticates the identity certificate against the issuing CA certificate or certificate chain you uploaded to Ivanti EPMM. As part of that authentication, Ivanti EPMM makes sure the user identity in the identity certificate is a valid Ivanti EPMM user. You configure which field in the identity certificate and which Ivanti EPMM substitution variable must match.

Therefore, when you upload the certificate used for authenticating the user's identity certificate, you also configure the following mapping information:

  • which field from the identity certificate the authentication uses as the user identity. The choices are:

    • the NT Principal Name
    • the RFC822 email name

    Your choice must match the Subject Alternative Name type you chose for generating the identity certificate.

    For the NT Principal Name, Ivanti EPMM uses the User Principal Name in the Subject Alternative Name (SAN) in the identity certificate.

  • the Ivanti EPMM substitution variable, against which the authentication compares the user identity.

    The allowed variables depend on the Ivanti EPMM portal, as given in the following table:

    Table 34. Supported variables in Ivanti EPMM

    Supported variable      Admin Portal and Self-Service User Portal   System Manager
    $USERID$ (default)      Yes                                         Yes
    $EMAIL$                 Yes                                         Yes
    $USER_UPN$              Yes                                         No
    $EDIPI$                 No                                          Yes
    $USER_CUSTOM1$          Yes                                         No
    $USER_CUSTOM2$          Yes                                         No
    $USER_CUSTOM3$          Yes                                         No
    $USER_CUSTOM4$          Yes                                         No

    $EDIPI$ is for the Department of Defense only. See Using $EDIPI$ in certificate authentication.

    Your choice depends on the Ivanti EPMM variable you chose to populate the Subject Alternative Name in the identity certificate.

  • You can map up to two attributes. If a second attribute is configured, both fields in the identity certificate must match the corresponding Ivanti EPMM substitution values.

Note the following:

  • The same user identity mapping to an Ivanti EPMM variable is used for authentication to both the user portal and the Admin Portal.
  • You separately configure the user identity mapping to an Ivanti EPMM variable for System Manager authentication.
  • Using $USER_UPN$ and $USER_CUSTOM1$ through $USER_CUSTOM4$ is only applicable for LDAP users.
  • Consider the case in which you specify the NT Principal Name as the field to use from the identity certificate, and you specify $USERID$, $EMAIL$, or $USER_UPN$ as the Ivanti EPMM substitution variable to match. Ivanti EPMM accepts both of the following formats as a match:

    • DOMAIN\userid
    • userid@domain

    That is, the NT Principal Name and the Ivanti EPMM substitution variable can have different formats, but match as long as the domain and userid match.

  • Ivanti EPMM versions prior to 10.0.0.0 always compared the User Principal Name in the Subject Alternative Name in the identity certificate to Ivanti EPMM’s list of values for the $USERID$ variable. It accepted as a match either of the formats DOMAIN\userid and userid@domain. If no match was found, Ivanti EPMM compared the RFC822 email address in the Subject Alternative Name to Ivanti EPMM’s list of values for the $EMAIL$ variable. If you are upgrading from one of those prior Ivanti EPMM releases, Ivanti EPMM continues the same behavior until you apply a new configuration in the System Manager in Security > Advanced > Portal Authentication.
  • If you use a custom LDAP variable ($USER_CUSTOM1$ through $USER_CUSTOM4$) to compare the user identity to, the variable must resolve to only one field from the certificate. Otherwise, the authentication will fail.
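The following is an added example, not Ivanti's code, that models the matching rules described in the notes above: the DOMAIN\userid and userid@domain equivalence for the NT Principal Name, the rule that every configured attribute (up to two) must match, and the failure when a custom LDAP variable resolves to more than one value. It assumes comparisons are case-insensitive and that each Ivanti EPMM variable resolves to a list of string values; the page states neither.

```python
# Added example (not Ivanti EPMM code). Assumptions not stated on the page:
# comparisons are case-insensitive, and each EPMM variable resolves to a list.
from typing import Optional, Tuple

NT_PRINCIPAL = "NT Principal Name"
RFC822_EMAIL = "RFC822 email name"
FLEXIBLE_VARS = {"$USERID$", "$EMAIL$", "$USER_UPN$"}
CUSTOM_VARS = {f"$USER_CUSTOM{i}$" for i in range(1, 5)}

def split_identity(value: str) -> Optional[Tuple[str, str]]:
    """(domain, userid) for DOMAIN\\userid or userid@domain; None otherwise."""
    if "\\" in value:
        domain, _, userid = value.partition("\\")
    elif "@" in value:
        userid, _, domain = value.rpartition("@")
    else:
        return None
    if not domain or not userid:
        return None
    return domain.lower(), userid.lower()

def value_matches(san_field: str, variable: str, cert_value: str, stored: str) -> bool:
    # NT Principal Name against $USERID$/$EMAIL$/$USER_UPN$: the two formats
    # are treated as equal as long as the domain and userid agree.
    if san_field == NT_PRINCIPAL and variable in FLEXIBLE_VARS:
        parsed = split_identity(cert_value)
        return parsed is not None and parsed == split_identity(stored)
    return cert_value.lower() == stored.lower()

def authenticate(cert_san: dict, user_vars: dict, mapping: list) -> bool:
    """cert_san: SAN field -> value taken from the identity certificate.
    user_vars: EPMM variable -> list of values it resolves to for this user.
    mapping: one or two (san_field, variable) pairs; every pair must match."""
    if not 1 <= len(mapping) <= 2:
        return False
    for san_field, variable in mapping:
        values = user_vars.get(variable, [])
        # A custom LDAP variable must resolve to exactly one value, else fail.
        if variable in CUSTOM_VARS and len(values) != 1:
            return False
        cert_value = cert_san.get(san_field)
        if cert_value is None or not any(
                value_matches(san_field, variable, cert_value, v) for v in values):
            return False
    return True

# Constructed sample: the certificate SAN carries userid@domain, while the
# EPMM $USERID$ value for the same user is stored as DOMAIN\userid.
SAMPLE_SAN = {NT_PRINCIPAL: "jdoe@corp.example", RFC822_EMAIL: "jdoe@corp.example"}
SAMPLE_USER = {"$USERID$": ["CORP.EXAMPLE\\jdoe"], "$USER_CUSTOM1$": ["a", "b"]}
```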

Using $EDIPI$ in certificate authentication

Using the Ivanti EPMM substitution variable $EDIPI$ is applicable only to Department of Defense customers. You enter it when adding a System Manager local user. The variable contains the Department of Defense identification number, also known as the Electronic Data Interchange Personal Identifier.

Therefore, if you are a Department of Defense customer setting up authentication to the System Manager using a certificate on a Common Access Card (CAC), you must follow these steps:

Procedure 

  1. Enter a value into the EDIPI field when you create a System Manager local user.

    Make sure the format of the $EDIPI$ value for each local user matches the format of the EDIPI value in the NT Principal Name in the user's identity certificate.

  2. Use the $EDIPI$ variable as the attribute against which the authentication compares the user identity.

    Although using $EDIPI$ is required for CACs, Ivanti EPMM does not enforce the selection when you configure portal authentication. Ivanti EPMM also does not ensure that you have entered an EDIPI value for the System Manager local users.

Entrust URL for getting derived credentials

When using certificate authentication to the self-service user portal, you can set up Ivanti EPMM so that users can get their Entrust derived credentials when they get their Ivanti EPMM registration PIN. Specifically, in the System Manager, you provide Ivanti EPMM with the Entrust IdentityGuard Self-Service Module (SSM) URL. This URL is a deep link that points directly to the page on the Entrust self-service portal where a user can get a derived credential.

When the user requests a derived credential on the user portal, the user portal redirects the user to the URL you provided. The user interacts with the Entrust self-service portal to get a derived credential, after which the Entrust self-service portal redirects the user back to the Ivanti EPMM user portal. The user uses the PIV-D Entrust app on a mobile device to activate the derived credential.

See also: Ivanti Derived Credentials Guide for EPMM.

Configuring password authentication to an Ivanti EPMM portal

You can configure the following:

  • Allow device users to authenticate with their user name and password to the self-service user portal.

  • Allow administrators to authenticate with their user name and password to the Admin Portal.

    Authenticating to the Admin Portal is the default Ivanti EPMM setting.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Password Authentication.
  4. Under Password Authentication, select one or more of Self-Service User Portal, Admin Portal, or System Manager.
  5. Click Apply > OK.

Configuring certificate authentication to the user portal

You can allow device users to authenticate to the self-service user portal with the identity certificate on a smart card.

Before you begin: Have the PEM-formatted issuing CA certificate or certificate chain available to upload to Ivanti EPMM if you have not already uploaded it for authentication to another portal.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Certificate Authentication.
  4. Under Certificate Authentication, select Self-Service User Portal.
  5. Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.

    Ivanti EPMM uses the same issuing CA certificate or certificate chain for authentication to all Ivanti EPMM portals. If you have already uploaded the file, skip this step. Continue to selecting certificate attribute mapping.

  6. Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
  7. Click Upload Certificate > OK.
  8. In Select Certificate Attribute Mapping:

    1. In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
    2. In the Map to attribute dropdown, select the Ivanti EPMM variable with which to compare the user identity.

    Ivanti EPMM uses the same attribute mapping for authentication to both the user portal and the Admin Portal. If you already set this mapping, skip this step.

  9. Click Apply > OK.

    Important! Clicking Apply changes Ivanti EPMM authentication behavior to compare the Map from attribute user identity type to the Map to attribute Ivanti EPMM variable. The behavior in Ivanti EPMM versions prior to 10.0.0.0 compared the User Principal Name to $USERID$ and the RFC822 email to $EMAIL$.

Configuring certificate authentication to the Admin Portal

You can allow administrators to authenticate to the Admin Portal with the identity certificate on a smart card.

Before you begin: Have the PEM-formatted issuing CA certificate or certificate chain available to upload to Ivanti EPMM if you have not already uploaded it for authentication to another portal.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Certificate Authentication.
  4. Under Certificate Authentication, select Admin Portal.
  5. Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.

    Ivanti EPMM uses the same issuing CA certificate or certificate chain for authentication to all Ivanti EPMM portals. If you have already uploaded the file, skip this step. Continue to selecting certificate attribute mapping.

  6. Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
  7. Click Upload Certificate > OK.
  8. In Select Certificate Attribute Mapping:

    1. In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
    2. In the Map to attribute dropdown, select the Ivanti EPMM variable with which to compare the user identity.

    Ivanti EPMM uses the same attribute mapping for authentication to both the user portal and the Admin Portal. If you already set this mapping, skip this step.

  9. Click Apply > OK.

Configuring certificate authentication to the System Manager

You can allow administrators to authenticate to the System Manager with the identity certificate on a smart card.

Before you begin: Have the PEM-formatted issuing CA certificate or certificate chain available to upload to Ivanti EPMM if you have not already uploaded it for authentication to another portal.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Certificate Authentication.
  4. Under Certificate Authentication, select System Manager.
  5. Select PIV or CAC, depending on whether the identity certificate to authenticate is on a personal identity verification (PIV) card or common access card (CAC).
  6. Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.

    Ivanti EPMM uses the same issuing CA certificate or certificate chain for authentication to all Ivanti EPMM portals. If you have already uploaded the file, skip this step. Continue to selecting certificate attribute mapping.

  7. Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
  8. Click Upload Certificate > OK.
  9. In Select Certificate Attribute Mapping:

    1. In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
    2. In the Map to attribute dropdown, select the Ivanti EPMM variable with which to compare the user identity. If you selected CAC when choosing CAC versus PIV, you must select $EDIPI$.
  10. Click Apply > OK.

Configuring the Entrust URL for getting derived credentials

Before you begin: Set up certificate authentication to the self-service user portal as described in Configuring certificate authentication to the user portal.

To configure the Entrust URL for getting derived credentials:

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Derived Mobile Smart Credential (Self-Service User Portal Only).

    The field Entrust IdentityGuard SSM URL appears.

  4. Enter the Entrust IdentityGuard Self-Service Module (SSM) URL.

    This URL is a deep link that points directly to the page on the Entrust self-service portal where a user can get a derived credential.

  5. Click Apply > OK.

See also: Ivanti EPMM Derived Credentials Guide using the PIV-D Entrust App.

Replacing the certificate for authentication

After you have uploaded a PEM-formatted file to Ivanti EPMM, you can replace it when necessary. For example, if the existing issuing CA certificate is about to expire, upload a replacement.

Ivanti EPMM uses the same issuing CA certificate or certificate chain for authentication to all Ivanti EPMM portals.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Portal Authentication.
  3. Click Replace CA Certificate.
  4. Click Choose File, and select the PEM-formatted file that contains either the replacement issuing CA certificate or the supporting certificate chain.
  5. Click Upload Certificate > OK.
  6. Click Save > OK.