Configuring Ivanti EPMM for SSO certificates

Simple Certificate Enrollment Protocol (SCEP) must be configured in Ivanti EPMM so that certificates can be generated from the CAs configured in Ivanti EPMM. To populate the fields of user or device certificates, you must define a SCEP configuration.

LDAP source configuration

For SCEP to request user certificates from the CA, it must obtain the user information from an LDAP source, for example Active Directory. You must configure two important attributes:

The user's email address, obtained from Active Directory: userPrincipalName is the LDAP attribute populated into the email field.

The user's unique ID in Active Directory: ObjectGUID is obtained and set as the Custom 1 attribute.

Figure 1. LDAP source configuration


SCEP configuration

After the LDAP configuration that supplies the fields for the certificates, define the SCEP configuration. Add two sub-fields to the Subject Alternative Name field of the certificate.

The sub-field of type RFC 822 Name holds the email address. As shown in the LDAP configuration, this corresponds to the $EMAIL$ directory attribute.

The sub-field of type NT Principal Name (required only for Office 365) holds the unique immutable ID. As shown in the LDAP configuration, this corresponds to the User Custom 1 attribute.

The drop-down list that the UI displays for this attribute does not contain a User Custom 1 option. You must enter $USER_CUSTOM1$ manually as the field value.

Figure 2. SCEP configuration
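As an added check that is not part of the Ivanti documentation, the following Python script (using the cryptography library) builds a self-signed stand-in for a certificate issued through the template above from constructed sample values, then verifies that both Subject Alternative Name sub-fields are present and carry the directory values. It assumes that the NT Principal Name sub-field is the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) and that the $USER_CUSTOM1$ value is encoded there as a UTF8String; build_sso_cert, san_fields and check_sso_san are names chosen here.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

# otherName type id that identifies an "NT Principal Name" (Microsoft UPN) SAN entry.
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
def der_utf8string(text):
    """DER-encode a short UTF8String: tag 0x0C, one-byte length, payload."""
    raw = text.encode("utf-8")
    assert len(raw) < 128, "value too long for short-form DER length"
    return b"\x0c" + bytes([len(raw)]) + raw

def decode_der_utf8string(der):
    if len(der) < 2 or der[0] != 0x0C or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER UTF8String")
    return der[2:].decode("utf-8")

def build_sso_cert(email, immutable_id):
    """Self-signed stand-in for a cert issued through the SCEP template (constructed data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, email)])
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName([
        x509.RFC822Name(email),                                  # RFC 822 Name <- $EMAIL$
        x509.OtherName(UPN_OID, der_utf8string(immutable_id)),  # NT Principal Name <- $USER_CUSTOM1$
    ])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(san, critical=False).sign(key, hashes.SHA256()))

def san_fields(cert):
    """Return (RFC 822 names, NT principal names) carried in the SAN extension."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    emails = san.get_values_for_type(x509.RFC822Name)
    upns = [decode_der_utf8string(o.value)
            for o in san.get_values_for_type(x509.OtherName) if o.type_id == UPN_OID]
    return emails, upns

def check_sso_san(cert, expected_email, expected_id):
    """Problems that would break SSO for this user; an empty list means the SAN is right."""
    emails, upns = san_fields(cert)
    problems = []
    if expected_email not in emails:
        problems.append("RFC 822 Name does not carry the user's email address")
    if not upns:  # the symptom of $USER_CUSTOM1$ never having been entered in the field
        problems.append("NT Principal Name missing: enter $USER_CUSTOM1$ manually")
    elif expected_id not in upns:
        problems.append("NT Principal Name does not match the directory ObjectGUID")
    return problems
```

Running san_fields against a certificate actually issued to a test device, loaded with x509.load_pem_x509_certificate, shows whether both values landed before SSO is enabled for users.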