Configuring multi-factor authentication in Ivanti Access for Authenticator

Multi-factor authentication requires an Ivanti Access deployment, as well as additional configurations for multi-factor authentication in Ivanti Access.

Before you begin 

Ensure that you have an Ivanti Access deployment.

See Set up Ivanti Access with UEM.

Procedure: Overview of steps

  1. Configure multi-factor authentication in Ivanti Access.
    See Configuring user ID for multi-factor authentication
  2. Add a conditional rule in Ivanti Access for enabling multi-factor authentication, which triggers authentication using the Authenticator app.
    See Adding a conditional rule for the Authenticator app.
  3. Configure the user identifying information to use with the Authenticator app. Authenticator extracts the user identifying information from the certificate associated with Ivanti Tunnel.
    See Configuring multi-factor authentication in Ivanti Access for Authenticator.
  4. Configure your company branding. Users see the branding on the messages on the device from which they attempt to access cloud services and on the Authenticator app.
    See Configuring branding for multi-factor authentication in Ivanti Access.
  5. Publish the changes.
    See Publishing the changes.
  6. Add the Authenticator app to EMM for distribution to managed devices.
    See the following:

Configuring user ID for multi-factor authentication

Enable multi-factor authentication in Ivanti Access in Profile > SaaS Sign-on. You will also map the fields from which Authenticator gets user identifying information.

Before you begin 

Upload a sample Ivanti Tunnel certificate in Profile > User Certificates. For more information, see User Certificates.

Procedure 

  1. In Ivanti Access, go to Profile > Client Registration Settings.
  2. For User Certificate, select the user certificate from which to get the user identification information.
    The user certificate is the Ivanti Tunnel sample certificate you uploaded to Ivanti Access.
  3. For Field Name, select the field from which Authenticator gets user identifying information.
  4. (Optional) For Additional transforms, enter a MiTra expression.
    Configure a MiTra expression if the value in the certificate does not map directly to the user identifying information.
    Example: select:X509:SubjectAltName:rfc822Name
  5. Click Save Registration.

One-time passcode (OTP) is enabled by default.
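Steps 2 through 4 above take the Authenticator user ID from a field of the sample Ivanti Tunnel certificate. The script below is an added example, not part of this documentation or of Ivanti's tooling: it builds a throwaway self-signed certificate with an rfc822Name in its SubjectAltName and reads that field back with the openssl CLI, which is what a select:X509:SubjectAltName:rfc822Name transform extracts. It assumes openssl 1.1.1 or later is installed; the e-mail address, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify which rfc822Name a sample certificate carries before
# uploading it to Ivanti Access, so the value Authenticator extracts matches
# the user ID the identity provider presents. Requires the openssl CLI.
set -eu

WORKDIR="${TMPDIR:-/tmp}/mfa-san-check.$$"   # scratch directory (placeholder)
mkdir -p "$WORKDIR"

# make_sample_cert EMAIL CERTFILE: write a self-signed certificate whose
# SubjectAltName contains EMAIL as an rfc822Name (constructed test data only).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=tunnel-sample" \
        -addext "subjectAltName=email:$1" \
        -keyout "$WORKDIR/key.pem" -out "$2" >/dev/null 2>&1
}

# san_rfc822name CERTFILE: print the first rfc822Name ("email:") entry in the
# SubjectAltName extension, or nothing if the certificate has none.
san_rfc822name() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*email:\(.*\)$/\1/p' \
        | head -n 1
}

# check_user_id CERTFILE EXPECTED: succeed only when the extracted rfc822Name
# equals EXPECTED; a mismatch means MFA prompts would be bound to the wrong user.
check_user_id() {
    [ "$(san_rfc822name "$1")" = "$2" ]
}

# Usage: sh san-check.sh CERT.pem expected-user@example.com
if [ $# -eq 2 ]; then
    if check_user_id "$1" "$2"; then
        echo "OK: SubjectAltName rfc822Name is $2"
    else
        echo "MISMATCH: certificate carries '$(san_rfc822name "$1")'"
        exit 1
    fi
fi
```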

Next steps 

Add a conditional rule for the Authenticator app. See Adding a conditional rule for the Authenticator app.

For information about MiTra expressions, see Language to generate values from certificate fields.

Adding a conditional rule for the Authenticator app

In the default policy in Ivanti Access, add a Multi-Factor Authentication conditional rule. The rule triggers multi-factor authentication using the Authenticator app.

Procedure 

  1. In Ivanti Access, go to Profile > Conditional Access.
  2. Expand Default Policy.
  3. Click +Add Rule > Multi-Factor Authentication to add the conditional rule for the Authenticator app.
  4. Complete the requested fields:

    Name: Enter a name for the multi-factor authentication rule.

    Description: Enter descriptive text for the rule.

    Map the Identity Provider (IDP) user ID to Authenticator user ID: Select one of the following:
      SAML Subject (Default)
      SAML Attribute

    Additional transforms: (Optional) Enter a MiTra expression. Configure a MiTra expression if the value in the federation response does not map directly to the user identifying information.
      Example: The certificate contains the base-64 representation of the user ID, but you need the hex representation. Enter the following:
      decode:Base64

    Rule Action: From the drop-down menu, select Allow.

  5. Click Done to save the policy and rule.
    The rule appears at the top of the list in the policy.
  6. Ensure that the Trusted App and Device rule is enabled, and move the Trusted App and Device rule to the top of the list.
  7. Edit the General Bypass rule, and set the Action for the rule to Block.

You can create additional conditional rules to further define how the Authenticator app is triggered. For example, you can create a User Info Rule to trigger multi-factor authentication for only a certain set of users or groups.

Next steps 

Configure branding. See Configuring branding for multi-factor authentication in Ivanti Access.

For information about MiTra expressions, see Language to generate values from certificate fields.

Configuring branding for multi-factor authentication in Ivanti Access

Customize the user experience for your enterprise users by uploading your company logo to Ivanti Access. The user notification screen as well as the Authenticator app are customized to display your company logo.

Ensure that your company logo is no more than 260 pixels wide by 30 pixels high. Supported file types are: PNG, JPG, JPEG, and SVG.

Procedure 

1. In Ivanti Access, go to Profile > Branding.
2. In the Authenticator section, drag and drop your company logo, or click Choose to navigate to the location of the file and add it.

Next steps 

Publish the updates. See Publishing the changes.

Publishing the changes

Publish the changes to make the updates available.

Procedure 

1. In the Ivanti Access administrative portal, go to Profile > Overview.
2. Click Publish.

Publish is only available if a federated pair has been created.

3. Click OK.

Next steps 

Add the Authenticator app to Ivanti Neurons for MDM for distribution to managed devices. See the following:

Adding the Authenticator app to Ivanti Neurons for MDM

Adding the Authenticator app to Ivanti EPMM

Publishing a profile