SSO with Kerberos configuration field description

The following table provides field descriptions for the single sign-on configuration. There are some variations in field names between Ivanti EPMM and Ivanti Neurons for MDM.

Table 3.   Tunnel configuration field description

Name
    Enter a name for this configuration.

Description
    Enter additional information that describes this configuration.

User Name
    (Required) Enter the Kerberos user name.

    Ivanti EPMM: You can also specify the variable $USERID$.

    Ivanti Neurons for MDM: You can also specify the variable ${samaccountname}.

Realm
    (Required)

    Ivanti EPMM: The default is $Realm$. This is the only valid variable.

    $Realm$ is supported for LDAP users only.

    The realm is calculated by extracting the base DN (e.g. DC=auto, DC=MyCompany, DC=com) and converting it to a domain. Example: AUTO.MYCOMPANY.COM.

    Ivanti Neurons for MDM: Enter a domain name. Example: AUTO.MYCOMPANY.COM.

Identity Certificate (Ivanti EPMM)
    (Optional) Select a certificate enrollment setting from the drop-down list to specify an identity certificate.

    An app uses this identity certificate to authenticate the device user to the KDC server. After the user is authenticated, the KDC server issues a ticket to the user. If the Kerberos ticket has expired, it is silently renewed after the user is authenticated.

    If you do not provide an identity certificate, the device user is prompted to enter a user ID and password when the Kerberos ticket has expired.

Certificate (Ivanti Neurons for MDM)
    (Optional) Select the certificate to use.

    An app uses this identity certificate to authenticate the device user to the KDC server. After the user is authenticated, the KDC server issues a ticket to the user. If the Kerberos ticket has expired, it is silently renewed after the user is authenticated.

    If you do not provide an identity certificate, the device user is prompted to enter a user ID and password when the Kerberos ticket has expired.

URL Prefix Matches (Required)
    Add the URLs or resources that the device user can access using SSO. At least one URL is required.

    If a bundle ID (application ID) is configured, SSO is enabled for the specified apps only when they access URLs that match the configured URL prefixes. If no bundle ID (application ID) is configured, SSO applies to all apps that support SSO when they access URLs that match the configured URL prefixes.

+
    Click to add a URL.

URL
    Enter the URL that the user can access using SSO.

    • The website or resource must support Kerberos-based authentication.

    • Entries must begin with the URL scheme: HTTP:// or HTTPS://

    • A simple string match is performed.
      For example, http://www.example.com/ does not match
      http://www.example.com:80/

    • If an entry does not end with the character /, a / is appended to the entry.

    • For devices running iOS 9 through the most recently released version supported by Ivanti, you can use a single wildcard * to specify all matching values.
      For example, http://*.example.com matches both
      http://store.example.com/ and http://www.example.com/

      However, a wildcard at the end of the URL will not work.

      Example of an incorrect URL: http://www.example.com/*

    • The entries http://.com and https://.com match all HTTP and HTTPS URLs, respectively.

Description
    Enter additional information describing this resource.

-
    Click to delete the URL.

Application Identifier Matches (Optional)
    Add the apps that the device user can use to access the URLs or resources listed in URL Prefix Matches without having to enter their enterprise credentials.

    You can add up to twenty bundle IDs (application IDs) per configuration.

    If no apps are entered, the device user can access the URLs or resources from any app without having to enter their enterprise credentials.

+
    Click to add an app.

BundleID
    Enter an exact or partial bundle ID (application ID) for the app.

    Use the following rules for formatting an entry:

    • The string you specify can be an exact match with a bundle ID.

      Example: com.mycompany.myapp

    • Partial matches are supported.

    • The string you specify can match a prefix of a bundle ID by using exactly one * wildcard character. The * appears after a period character, at the end of the string.

      Example: com.mycompany.* matches any app whose bundle ID begins with com.mycompany.

Description
    Enter additional information describing the app.

-
    Click to delete the entry.
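The URL Prefix Matches and BundleID rules above, written as a small checker that an administrator can run against a planned configuration before pushing it to devices. This is an added example, not Ivanti's or Apple's code: the function names and sample values are constructed, and treating the single * as one run of characters that cannot cross a / is an assumption, since the page does not define how the wildcard is interpreted.

```python
import re

# Added helper applying the URL Prefix Matches and BundleID rules; not Ivanti's code.
# Assumption: '*' stands for one run of characters that cannot cross a '/' (the page does not say).
SCHEME = re.compile(r"^https?://", re.IGNORECASE)
CATCH_ALL = {"http://.com/", "https://.com/"}  # documented entries that match every URL of that scheme
MAX_BUNDLE_IDS = 20

def normalize_url_prefix(entry: str) -> str:
    """Validate one URL Prefix Matches entry and append the trailing '/' the product adds."""
    if not SCHEME.match(entry):
        raise ValueError(f"must begin with http:// or https://: {entry!r}")
    if entry.count("*") > 1:
        raise ValueError(f"only a single '*' wildcard is allowed: {entry!r}")
    if entry.rstrip("/").endswith("*"):
        raise ValueError(f"a wildcard at the end of the URL does not work: {entry!r}")
    return entry if entry.endswith("/") else entry + "/"

def url_matches(entry: str, url: str) -> bool:
    """Simple string (prefix) match, so http://www.example.com/ does not match http://www.example.com:80/."""
    prefix = normalize_url_prefix(entry)
    if prefix.lower() in CATCH_ALL:
        return url.lower().startswith(prefix.lower().split("//", 1)[0] + "//")
    head, star, tail = prefix.partition("*")
    pattern = re.escape(head) + (r"[^/]*" + re.escape(tail) if star else "")
    return re.match(pattern, url) is not None

def bundle_matches(pattern: str, bundle_id: str) -> bool:
    """Exact bundle ID, or a prefix written with exactly one '*' placed after a period at the end."""
    if "*" in pattern and (pattern.count("*") != 1 or not pattern.endswith(".*")):
        raise ValueError(f"'*' must appear once, after a period, at the end: {pattern!r}")
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])  # keeps the period: com.mycompany.* -> "com.mycompany."
    return bundle_id == pattern

def sso_applies(url_entries, bundle_patterns, url: str, bundle_id: str) -> bool:
    """SSO is offered when the URL matches a prefix and, if app IDs are configured, the app matches too."""
    if len(bundle_patterns) > MAX_BUNDLE_IDS:
        raise ValueError(f"at most {MAX_BUNDLE_IDS} bundle IDs per configuration")
    if bundle_patterns and not any(bundle_matches(p, bundle_id) for p in bundle_patterns):
        return False
    return any(url_matches(e, url) for e in url_entries)
```

Running the checker over every entry of a configuration surfaces catch-all prefixes such as http://.com, which hand the Kerberos ticket to any HTTP site an allowed app visits.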