Authentication flow with Ivanti Access + Standalone Sentry
The following describe the authentication flow in an Ivanti Access + Standalone Sentry deployment.
•Managed non-AppConnect app using Ivanti Tunnel and Standalone Sentry
•AppConnect apps using AppTunnel with Ivanti Access + Standalone Sentry
Managed non-AppConnect app using Ivanti Tunnel and Standalone Sentry
The following describes the authentication flow when a managed non-AppConnect app accesses a enterprise cloud service in an Ivanti Access + Standalone Sentry deployment.
Figure 1. Authentication flow for a managed non-appconnect app
1. | A managed app triggers Ivanti Tunnel. |
2. | If the device is in compliance, Ivanti Tunnel establishes a secure connection with Standalone Sentry. |
3. | The managed app connects to the service provider (SP) through Ivanti Tunnel. |
Split Tunneling is enabled: If split tunneling is enabled, and the split tunneling does not require tunneled connection to the service provider, the app connects directly with the service provider.
4. | If the managed app does not have a valid session token, the SP issues a SAML 2.0 AuthN Request to the app and redirects the app to Ivanti Access on Standalone Sentry. |
5. | Ivanti Access issues a secondary SAML AuthN Request based on the AuthN Request in step 4. The AuthN Request is issued via SAML and points the user to the identity provider (IdP). |
6. | If the user does not have a current valid session token, the identity provider (IdP) requests the user’s credentials. If the credentials match, the IdP issues a SAML Assertion to the user. The SAML Assertion identifies the user and redirects the user to Access. |
7. | The user presents the SAML Assertion to Access on Standalone Sentry. If conditional rules for access control allow, Ivanti Access issues a secondary SAML Assertion to the user. The secondary SAML Assertion identifies the user and redirects the user to the cloud service (SP). |
8. | The user presents the secondary SAML Assertion to the cloud service (SP). The SP verifies the secondary SAML Assertion and creates a session token to the app. The session token gives the user access to the SP. |
AppConnect apps using AppTunnel with Ivanti Access + Standalone Sentry
Authentication traffic for managed apps goes to Ivanti Tunnel. For AppConnect apps that use AppTunnel, authentication traffic automatically goes through Ivanti Access. By default, AppTunnel traffic is trusted by Ivanti Access.