Configuring Session Revocation

Session revocation is configured in Ivanti Access.

Before you begin

  • Verify the following before configuring session revocation:
    • You have an Ivanti Access deployment with a UEM.
    • The Ivanti Access administrator has the Common Platform Services (CPS) role in UEM.

      Ivanti Neurons for MDM: For information on assigning roles, see “Assigning Roles to Users” in the Ivanti Neurons for MDM Guide or click Help in the Ivanti Neurons for MDM administrative portal.

      Ivanti EPMM: For information on assigning roles, see the Ivanti EPMM Delegated Administration Guide.

    • Common Platform Services Notifications is enabled in UEM.

      Ivanti Neurons for MDM: Go to Admin > Common Platform Services Notifications, and enable Common Platform Services Notifications.

      Ivanti EPMM: From the Ivanti EPMM command line interface (CLI), enter the following command in CONFIG mode:

        activemq

    • Session tokens are revoked if the device state is retired or non-compliant as reported by the UEM to Ivanti Access.

      For information about configuring compliance polices, see your UEM documentation.

      Ivanti Neurons for MDM: See “Policies” in the Ivanti Neurons for MDM Guide or click Help in the Ivanti Neurons for MDM administrative portal.

      Ivanti EPMM: See the Ivanti EPMM Device Management Guide.

    • Users are registered LDAP users with the custom attributes userPrincipalName and objectGUID in the UEM.

      Ivanti Neurons for MDM: See Configuring LDAP in Ivanti Neurons for MDM for session revocation.

      Ivanti EPMM: See Configuring LDAP in Ivanti EPMM for session revocation.

    • Port 8883 in the firewall is open so that Ivanti Access can pick up queued events.
  • For Office 365
    • A federated pair with Office 365 and ADFS configured in Ivanti Access.
    • An app registration for the Ivanti Access revocation service in Microsoft Azure. This setup gives Ivanti Access permission to revoke session tokens for Office 365.
      For information about creating an app registration for the Ivanti Access session revocation service, see the knowledge base article Configuring an application in Azure for the session revocation service (SRS) for Office 365 (Azure AD). Make a note of the Azure directory ID, application ID, and the secret key.
  • For G Suite
    • A federated pair with G Suite and any appropriate IdP configured in Ivanti Access.
    • A service account key file generated using the Google API console. This setup gives Ivanti Access permission to revoke session tokens from G Suite.
      For more information about creating the service account key file, see the knowledge base article Configuring G Suite for the session revocation service (SRS). Make a note of the G Suite service account key.

Procedure

  1. In Ivanti Access, go to Profile > Session Revocation.
    The Service Provider Configuration page is displayed.
  2. In the Service Provider Configuration page, click +Add Configuration.
  3. For the service provider, click Office 365 or G Suite as appropriate.
  4. Enter the following information.

    Item                            Description
    ----                            -----------
    Name                            Enter a name for the configuration.
    Add Description                 Add a description for the configuration.

    Configuration for Office 365
    Azure Directory ID              Enter the Azure directory ID.
    Application ID                  Enter the application ID from the app registration you created for the Ivanti Access session revocation service in Azure.
    Secret key                      Enter the Azure secret key from the app registration you created for the Ivanti Access session revocation service in Azure.

    Configuration for G Suite
    G Suite Service Account Key     Service account key file in JSON format. To obtain this file, follow KB article:
    G Suite administrator Email ID  Enter the Super Admin email ID.

  5. Click Save.
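The values entered in step 4 are easy to paste wrongly (a tenant domain instead of the directory ID, a client secret that is empty, a truncated key file), and a mistake only shows up later when a revocation silently fails. The following pre-flight check is an added example, not Ivanti's code and not part of the product: it performs format sanity checks on the Office 365 values (the Azure directory ID and application ID are GUIDs; the secret must be non-empty) and on the G Suite values (the service account key must be a JSON object carrying the standard fields of a key file downloaded from the Google API console, and the administrator email must look like an address). The field names for the Google key file and the sample inputs are assumptions constructed for the example; passing these checks confirms the values are well-formed, not that the credentials are valid or have the needed permissions.

```python
"""Pre-flight checks for Session Revocation configuration values.

Added example (not Ivanti Access code). Field names for the Google service
account key file are the standard ones in a key downloaded from the Google
API console; that the file is uploaded unmodified is an assumption.
"""
import json
import re

# Azure directory (tenant) IDs and application (client) IDs are GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Fields expected in a Google service account key file (assumed unmodified).
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def validate_office365(directory_id, application_id, secret_key):
    """Return a list of problems with the Office 365 values; [] means OK."""
    problems = []
    if not GUID_RE.match(directory_id or ""):
        problems.append("Azure directory ID is not a GUID")
    if not GUID_RE.match(application_id or ""):
        problems.append("Application ID is not a GUID")
    if not secret_key or not secret_key.strip():
        problems.append("Secret key is empty")
    return problems


def validate_gsuite(key_file_text, admin_email):
    """Return a list of problems with the G Suite values; [] means OK."""
    problems = []
    try:
        key = json.loads(key_file_text)
    except ValueError:
        return ["Service account key is not valid JSON"]
    if not isinstance(key, dict):
        return ["Service account key JSON is not an object"]

    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        problems.append("Service account key is missing: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("Service account key 'type' is not 'service_account'")
    private_key = key.get("private_key", "")
    if private_key and "-----BEGIN PRIVATE KEY-----" not in private_key:
        problems.append("private_key does not contain a PEM private key")
    if not EMAIL_RE.match(admin_email or ""):
        problems.append("G Suite administrator email ID is not an email address")
    return problems


# Constructed sample key file (placeholder values, not a real key).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "srs@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


if __name__ == "__main__":
    # Constructed inputs: a correct Office 365 set and a common mistake
    # (tenant domain pasted where the directory ID belongs).
    print(validate_office365("12345678-1234-1234-1234-123456789abc",
                             "abcdefab-1234-5678-9abc-def012345678", "s3cret"))
    print(validate_office365("contoso.onmicrosoft.com",
                             "abcdefab-1234-5678-9abc-def012345678", ""))
    print(validate_gsuite(SAMPLE_KEY_FILE, "admin@example.com"))
    print(validate_gsuite('{"type": "service_account"}', "admin"))
```

Run the checks on the values you noted during the prerequisites, before entering them in the Service Provider Configuration page; an empty list for each provider means the values are well-formed.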