Advanced: SAML
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).
Ivanti recommends allowing HTTPS traffic on port 8443 from the corporate network, limited to Ivanti applications only. This service is intended for EPMM server management and must have strictly controlled access.
Use this feature to allow local administrator users to use single-sign on for the Admin Portal and self-service user portal. This feature also allows administrators to automatically redirect authentication for the Admin Portal and the user portal to your external IdP.
Enabling SAML restarts Ivanti EPMM, which disrupts services until the configuration is complete. Therefore, access to the Admin Portal and self-service user portal is not available until after the SAML/IdP configuration is successfully completed. Furthermore, username/password authentication and certificate authentication to the Admin Portal and the self-service user portal will be disabled.
SAML is not supported on the System Manager portal. However, when SAML is enabled, local users can authenticate to the System Manager with a user ID and password, but not with certificate authentication.
If you set up SAML after setting the Admin Portal to run on port 8443, automatic redirection to the Admin Portal and to the self-service user portal will succeed. If you set up SAML after setting the Admin Portal to port 443, redirection will not succeed until you reconfigure the Admin Portal to run on port 8443.
You must reconfigure SAML using the System Manager if both of the following are true:
- You upgraded to this version of Ivanti EPMM from a version of Ivanti EPMM prior to 10.0.0.0.
- You had configured SAML using the command line on Ivanti EPMM. Note that configuring SAML from the command line is not supported from Ivanti EPMM 9.7 through the current Ivanti EPMM release.
Contact Ivanti Technical Support if you have authentication failures in this scenario.
Configuring SAML/IdP support
This topic describes how to configure SAML over IdP. For more details, refer to Microsoft documentation.
Once set up for SAML on iReg or DEP devices, you will not be able to disable SAML from the System Manager. You must first de-select the "SAML-based registration" field in Ivanti EPMM's Device Registration page before you can disable the IdP SAML connection in the System Manager.
Before you begin
- Create at least one SAML user, with associated permissions.
- Sign up with an external IdP.
- Be able to export the metadata file from the IdP.
Procedure
- Log into the System Manager Portal.
- Go to Security > Advanced > SAML.
- Click the box to Enable SAML.
- Read the warning message and click Yes to restart Ivanti EPMM and turn on SAML. This can take a few minutes. The Configuration Status changes from Restarting Tomcat… to In Progress, followed by Completed.
- Click Download to download the XML metadata file from Ivanti EPMM that was created as part of the Ivanti EPMM restart process.
- Save this file locally.
- After downloading and saving the metadata from Ivanti EPMM, upload the Ivanti EPMM metadata file to your IdP.
- Export the IdP metadata file from your IdP, and upload it to Ivanti EPMM.
- Click Done > OK.
- Verify the IdP hostname/URL and modify it, if necessary. System Manager extracts the hostname or URL from the IdP metadata file and auto-populates these fields.
- Click Apply.
If you do not complete configuring SAML, reboot Ivanti EPMM by selecting Maintenance > Reboot > Reboot in the System Manager.
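Before uploading either metadata file, it is worth confirming by hand what the System Manager will extract from the IdP metadata (entityID and SSO hostname/URL) and that the EPMM endpoints are HTTPS on port 8443, since redirection only succeeds with the Admin Portal on that port. The following is an added example, not Ivanti code; the two metadata documents are constructed samples with assumed hostnames and paths, and only the standard SAML 2.0 metadata elements are relied on.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard SAML 2.0 metadata namespace.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample IdP metadata (stand-in for the file exported from your IdP).
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample SP metadata (stand-in for the XML downloaded from EPMM).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://epmm.example.test:8443/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://epmm.example.test:8443/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def idp_endpoints(xml_text):
    """Return (entityID, SSO hostname, SSO URL) from IdP metadata: the values
    the System Manager auto-populates from the uploaded file (assumed fields)."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    location = sso.get("Location")
    return root.get("entityID"), urlparse(location).hostname, location


def sp_redirect_issues(xml_text):
    """Flag EPMM (SP) assertion consumer endpoints that are not HTTPS on
    port 8443, the condition given above for redirection to succeed."""
    root = ET.fromstring(xml_text)
    issues = []
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        url = acs.get("Location")
        parsed = urlparse(url)
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        if parsed.scheme != "https":
            issues.append(f"{url}: not HTTPS")
        if port != 8443:
            issues.append(f"{url}: port {port}, expected 8443")
    return issues
```

Run `sp_redirect_issues` on the real EPMM download; an empty list means the endpoints match the port 8443 requirement, and any entry names the endpoint to fix before uploading to the IdP.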
Deactivating or deleting the IdP metadata file
This topic describes how to deactivate or delete the SAML/IdP option.
Procedure
- Log into the System Manager Portal.
- Go to Security > Advanced > SAML.
- Click the box to Disable SAML to deactivate SAML or click Delete to delete the SAML file.
There is no option to delete the IdP metadata file; uploading a new file replaces the previous one.