Authentication flow with Access as the delegated IdP

The following graphic illustrates the authentication flow with Access as the delegated IdP for managed devices:

Figure 1. Authentication flow with Access as the delegated IdP

1. Users access a service provider (SP) from a managed app. The managed app triggers Ivanti Tunnel.
2. If the app does not have a valid session token, the SP issues an authentication request to the app and redirects the app to the identity provider (IdP).
3. The IdP issues a secondary authentication request based on the authentication request in step 2 and points the user to Ivanti Access (delegated IdP).
4. Ivanti Access identifies the user from the certificate that was used to establish the Ivanti Tunnel VPN. Based on the information in that Ivanti Tunnel certificate, Access generates an authentication response to the app and redirects to the original IdP. The contents of the authentication response are determined by the Native Mobile Application Single Sign-On (SSO) configuration in Access, which specifies the user-identifying information the SP expects (for example, which certificate attribute is sent as the user identifier).
5. The original IdP generates an authentication response to the app based on the authentication response in step 4 and redirects to the original SP.
6. The SP verifies the user information in the response and issues a session token to the app. The session token gives the user access to the SP.
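The six steps above form a chain of two signed exchanges: the SP trusts only the original IdP, and the original IdP trusts only Access, which in turn derives the user identity from the Tunnel certificate. The following simulation is an added example, not Ivanti code; it stands in SAML XML signatures with HMAC-SHA256 over JSON so the trust chain, the InResponseTo binding, and the audience check stay visible. All keys, entity IDs, the SSO configuration table and the certificate attributes are assumed values constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed signing keys (assumed). A real deployment uses X.509 keys and XML signatures;
# the point is that each party verifies with exactly one trusted key.
ACCESS_KEY = b"assumed-access-signing-key"   # Access -> original IdP (step 4)
IDP_KEY = b"assumed-idp-signing-key"         # original IdP -> SP (step 5)


def sign(payload, key):
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify(msg, key):
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        raise ValueError("signature check failed")
    return json.loads(msg["body"])


class ServiceProvider:
    entity_id = "https://sp.example.com"   # assumed SP entity ID

    def __init__(self):
        self.pending, self.sessions = set(), {}

    def authn_request(self):               # step 2: no valid session, so ask the IdP
        req_id = secrets.token_hex(8)
        self.pending.add(req_id)
        return {"id": req_id, "issuer": self.entity_id}

    def consume(self, response):           # step 6: verify, bind to our request, issue a session
        data = verify(response, IDP_KEY)   # only the original IdP's key is trusted here
        if data["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or replayed response")
        if data["audience"] != self.entity_id:
            raise ValueError("response was issued for a different SP")
        self.pending.discard(data["in_response_to"])  # one response per request
        token = secrets.token_hex(16)
        self.sessions[token] = data["name_id"]
        return token


class OriginalIdP:
    def __init__(self):
        self.pending = {}

    def delegate(self, sp_request):        # step 3: secondary request to Access
        sec_id = secrets.token_hex(8)
        self.pending[sec_id] = sp_request
        return {"id": sec_id, "sp": sp_request["issuer"]}

    def relay(self, access_response):      # step 5: re-issue Access's answer to the SP
        data = verify(access_response, ACCESS_KEY)
        sp_request = self.pending.pop(data["in_response_to"])   # KeyError if not ours
        return sign({"in_response_to": sp_request["id"], "audience": sp_request["issuer"],
                     "name_id": data["name_id"]}, IDP_KEY)


class IvantiAccess:
    # Assumed native-app SSO config: which Tunnel certificate attribute becomes the SP's NameID.
    sso_config = {"https://sp.example.com": {"name_id_attr": "email"}}

    def respond(self, secondary_request, tunnel_cert):   # step 4: identity comes from the cert
        cfg = self.sso_config.get(secondary_request["sp"])
        if cfg is None:
            raise ValueError("no native-app SSO configuration for this SP")
        return sign({"in_response_to": secondary_request["id"],
                     "name_id": tunnel_cert[cfg["name_id_attr"]]}, ACCESS_KEY)


def exchange(sp, idp, access, tunnel_cert):
    """Steps 2-5: returns the final IdP-signed response the app carries back to the SP."""
    return idp.relay(access.respond(idp.delegate(sp.authn_request()), tunnel_cert))


def run_flow(sp, idp, access, tunnel_cert, token=None):
    """Step 1 onward: reuse a valid session token, otherwise run the full delegated flow."""
    if token in sp.sessions:
        return token
    return sp.consume(exchange(sp, idp, access, tunnel_cert))


def forged_response_rejected(sp):
    """The app cannot skip the original IdP: a response signed with any other key fails at the SP."""
    req = sp.authn_request()
    forged = sign({"in_response_to": req["id"], "audience": sp.entity_id,
                   "name_id": "attacker@example.com"}, ACCESS_KEY)
    try:
        sp.consume(forged)
        return False
    except ValueError:
        return True


def replay_rejected(sp, response):
    """A response already consumed in step 6 cannot be presented a second time."""
    try:
        sp.consume(response)
        return False
    except ValueError:
        return True
```

The constructed certificate below carries an `email` attribute, which the assumed SSO configuration maps to the NameID; swapping the attribute in `sso_config` changes what the SP receives without touching the SP or the original IdP, which is the property the delegated model relies on.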