Setting Zero Sign-on security and user experience

Administrators can customize the security and user experience of Zero Sign-on. The settings are under Profile > Zero Sign-on > Zero Sign-on Settings, which lists the following configuration options:

Setting the session timeout duration

Use the Zero Sign-on configuration, Profile > Zero Sign-on, to do the following:

  • Set the session timeout duration after users authenticate using Zero Sign-on.

    Once a user authenticates on their managed or personal device, they do not have to sign in again while the signed-in session lasts, unless the policy associated with the Service Provider requires Step-Up Authentication, in which case the user is prompted for it. The session is terminated when the browser is closed.

Procedure 

  1. In Ivanti Access, go to Profile > Zero Sign-on.

  2. Click Zero Sign-on Settings > General to update the number of hours, if needed, for Enable Signed In Session.

  3. By default, the option is enabled and the number of hours is set to 12. This value is the session timeout applied when users select the Yes, this is my personal computer option on the Zero Sign-on interaction page. A shorter duration narrows the window in which a shared or unattended personal computer can be used to reach Service Providers without re-authenticating.

  4. Click Save.

Registering with Authenticate

After an automatic installation, Authenticate connects to Ivanti Access to register the desktop to the appropriate user.

You can register in one of the following methods:

  • Silent: Registration is done by fetching the username from the desktop identity certificate.

  • Require QR code scan to register: The user must open the Authenticate application and scan the QR code using the Go app. The username is then obtained from the mobile device identity certificate.

Unlocking the desktop

Desktop unlock is a secure and convenient method of unlocking a user's desktop with a phone. The Authenticate application on the desktop works with Ivanti Access to send a push notification to the user's activated mobile phone; approving it authenticates the user and unlocks the desktop. Keep the toggle on in Profile > Zero Sign-on > Zero Sign-on Settings > Zero Sign-on Authenticate to enable the feature.

Authentication for service providers

The toggle switch "Show users the option to sign-in with Authenticate when they perform Zero Sign-On authentication" is disabled by default. When it is enabled, users are offered Authenticate as a sign-in option on the desktop.

Even with this option disabled, users can still use the other authentication options: QR code, Push, and Password.

Provide a customized description for Sign-in using Zero Sign-on Authenticate. This description helps users decide whether to select "Sign-in using Zero Sign-on Authenticate" when they are using a desktop browser that is not FIDO-registered with Authenticate.

FIDO Key

FIDO keys are used for stronger authentication. During registration with an online service, the user's client device creates a new key pair and sends only the public key to the service. The private key never leaves the device and can be used only after the user unlocks it locally on the device. The user can manage the settings of the FIDO key in Ivanti Access after registering.

Ivanti recommends that administrators leave these settings at their defaults and review the impact before enabling or disabling any of them.
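To make the registration and unlock behaviour above concrete, the following Go program (an added illustration, not Ivanti code, and not a description of how Authenticate is implemented internally) models a FIDO-style exchange between a client-side key and a relying party: the device generates a P-256 key pair and registers only the public key; the relying party issues a random challenge; the device refuses to sign until the user has unlocked it locally, signs only for the RP ID it was registered with, and includes a signature counter; the relying party verifies the signature and rejects replays and stale counters. The RP ID "access.example.com", the credential ID "cred-1", and the exact layout of the signed data are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// record is what the relying party keeps per registered FIDO credential:
// the public key and the highest signature counter it has accepted.
type record struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// RelyingParty models the service that accepts FIDO keys.
type RelyingParty struct {
	ID    string             // RP identifier (assumed value in main)
	creds map[string]*record // keyed by credential ID
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*record{}}
}

// Challenge returns 32 fresh random bytes; each assertion must sign a new one.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Authenticator models the client-side FIDO key. The private key is generated on
// the device, is never exported, and is usable only while the user has unlocked it.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	credID   string
	rpID     string // the credential is scoped to exactly one RP ID
	counter  uint32
	unlocked bool
}

// Register creates a new P-256 key pair on the device for this RP and hands
// only the public key to the RP.
func Register(rp *RelyingParty, credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.creds[credID] = &record{pub: &priv.PublicKey}
	return &Authenticator{priv: priv, credID: credID, rpID: rp.ID}, nil
}

// Unlock stands in for local user verification (PIN, biometric, push approval).
func (a *Authenticator) Unlock() { a.unlocked = true }

// signedData is the byte string both sides agree on (assumed layout):
// SHA-256(rpID) || counter as big-endian uint32 || SHA-256(challenge).
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	chHash := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append([]byte{}, rpHash[:]...)
	buf = append(buf, ctr[:]...)
	return append(buf, chHash[:]...)
}

// Assert signs a challenge for the RP ID the browser presents. It refuses while the
// key is locked and when the RP ID differs from the registered one, which is what
// stops a look-alike phishing origin from obtaining a usable assertion.
func (a *Authenticator) Assert(rpID string, challenge []byte) (uint32, []byte, error) {
	if !a.unlocked {
		return 0, nil, errors.New("private key locked: local user verification required")
	}
	if rpID != a.rpID {
		return 0, nil, fmt.Errorf("no credential registered for RP %q", rpID)
	}
	a.counter++
	digest := sha256.Sum256(signedData(a.rpID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return 0, nil, err
	}
	return a.counter, sig, nil
}

// Verify checks the signature against the stored public key and requires a strictly
// increasing counter, which rejects replays and signals a cloned key.
func (rp *RelyingParty) Verify(credID string, challenge []byte, counter uint32, sig []byte) error {
	rec, ok := rp.creds[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	digest := sha256.Sum256(signedData(rp.ID, counter, challenge))
	if !ecdsa.VerifyASN1(rec.pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	if counter <= rec.counter {
		return fmt.Errorf("counter %d not above last seen %d (replay or cloned key)", counter, rec.counter)
	}
	rec.counter = counter
	return nil
}

func main() {
	rp := NewRelyingParty("access.example.com") // assumed RP ID
	auth, _ := Register(rp, "cred-1")           // assumed credential ID
	ch, _ := rp.Challenge()
	_, _, err := auth.Assert(rp.ID, ch)
	fmt.Println("locked key:", err)
	auth.Unlock()
	ctr, sig, _ := auth.Assert(rp.ID, ch)
	fmt.Println("genuine assertion:", rp.Verify("cred-1", ch, ctr, sig))
	fmt.Println("replayed assertion:", rp.Verify("cred-1", ch, ctr, sig))
	_, _, err = auth.Assert("access-example.com.evil", ch)
	fmt.Println("phishing origin:", err)
}
```

The two checks worth carrying into any real relying-party deployment are the ones the program exercises last: an assertion is only accepted for a fresh challenge with a counter higher than the last one stored, and the key will not sign for an RP ID other than the one it was registered to, so credentials cannot be phished by a look-alike site.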

Procedure 

  1. In Ivanti Access, go to Profile > Zero Sign-on.

  2. Click Zero Sign-on Settings > FIDO Key.

  3. Update the following fields as required:

    • Rotation Period for FIDO Key: Specify how often a new FIDO key is generated.

    • Grace period to rotate the FIDO Key before expiry: Specify the grace period during which a new FIDO key can still be generated if it was not rotated within the rotation period.

    • FIDO key storage: Specify the Trusted Platform Module (TPM) version supported for storing the FIDO key.

    • Allow storing in iOS keychain: Turn on the option for iOS users.

    • Allow storing in Windows Certificate Store: Specify if the FIDO key can be stored in Certificate Store.

    • Allow storing in macOS keychain: Turn on the option for macOS users.

    • Allow storing in Android key store: Turn on the option for Android users.

    • Desktop Password Encryption: Specify the RSA key size used for mobile devices and for desktops.

    • Public Key Algorithms: Select the public key algorithms and specify the order that they must be applied.

    • Authenticate as a FIDO key: Select this option to authenticate with the FIDO key on websites. Authenticate is invoked automatically and prompts the user with a push notification.

  4. Click Add New to add the relying parties that accept FIDO keys, so that users can sign in to them with Authenticate.

  5. Click Save.

Security Key and Biometrics

The Security Keys and Biometrics setting lets you enable the option for end users to sign in using a Security Key & Biometric.

Procedure 

  1. In Ivanti Access, go to Profile > Zero Sign-on.

  2. Click Zero Sign-on Settings > Security Keys and Biometrics.

  3. Enable the toggle switch for Enable sign in via Security Key and Biometric.

  4. Click Save.