About multi-factor authentication with UEM client

All approval notifications are sent to the primary device. Users also have the option to generate one-time passcode (OTP).

Required components for multi-factor authentication with UEM client

Deploying multi-factor authentication with Ivanti Access requires that the following components are set up:

  • Ivanti Access deployment.
  • UEM client.

See the Ivanti Access Release Notes for supported versions.

Use cases for multi-factor authentication

  • Two-factor authentication to enterprise cloud services with push notification. Users accessing an enterprise cloud service confirm their identity by:
    • Providing their user credentials, typically the name and password, to the identity provider.
    • Accepting the push notification on their managed device.
  • Two-factor authentication to enterprise cloud services with one-time passcode (OTP). Users accessing an enterprise cloud service confirm their identity by:
    • Providing their user credentials, typically the name and password, to the identity provider.
    • Generating a one-time passcode (OTP) using their UEM client, and entering the OTP in addition to their user credentials.
  • In addition, administrators can configure conditional rules to define when multi-factor authentication is triggered.
    Example: Create a User Info Rule to trigger multi-factor authentication for only a certain set of users or groups, a Network Rule to trigger multi-factor authentication if the user is outside the enterprise IP range.

One-time passcode (OTP)

Device users have the option of generating a one-time passcode (OTP) in the UEM client, which they can use instead of using push notification. OTP provides users another option to control access to enterprise cloud services from another managed device. It also provides an option to control access to enterprise cloud services even when the client does not have access to the Internet.

The OTP for multi-factor authentication is displayed when the UEM client is launched.

Multi-factor authentication flow

The following describes the authentication flow with multi-factor authentication.

Figure 1. Multi-factor authentication flow



1. User requests access to a cloud service.
2. The cloud service redirects user to the configured identity provider (IdP)to authenticate. Since Ivanti Access is the configured IdP, the request is redirected to Ivanti Access.
3. Ivanti Access redirects the request to the original IdP.
4. The original IdP challenges the user for a user name and password.
5. The user enters the user name and password and posts to the IdP.
6. Ivanti Access obtains the user identity from the SAML response, and sends a push notification to the managed device registered to receive authentication push notifications for that user.

If one-time passcode (OTP) is enabled, users have the option to generate an OTP in the UEM client. See One-time passcode workflow

7. The user receives the push notification and launches the UEM client to respond. If the user approves the transaction, the UEM client authenticates to Ivanti Access.
8. If Ivanti Access verifies the user identity received from the UEM client to be the same as the user identity received in the SAML response, Ivanti Access generates a new SAML response to redirect to the original SP
9. The original SP obtains the user identity from the SAML response and presents the personalized screen to the user.

One-time passcode workflow

Device users can generate a one-time passcode (OTP) in the UEM client. A progress value indicates for how long the OTP is valid.

The following describes the OTP workflow when users access a cloud service provider (SP) from a browser or an unmanaged app or device:

  1. Users are redirected to an interaction page to enter their credentials. They have the option to click on the Enter one-time password link to enter the OTP obtained from the UEM client.
  2. Ivanti Access validates the passcode entered by the user against the passcode generated by the UEM client. A match completes the second-factor authentication of the user.
  3. Ivanti Access verifies and retrieves the user identity from the activated device and generates a new SAML response to redirect to the original SP.
  4. The original SP obtains the user identity from the SAML response and presents the personalized screen to the user.