Local user authentication to Enterprise Connector
- Enterprise Connector user authentication overview
- Certificates required for certificate authentication to Enterprise Connector
- Certificate attribute mapping used in certificate authentication to Enterprise Connector
- Using $EDIPI$ in certificate authentication to Enterprise Connector
- Adding local users to Enterprise Connector
- Add New User window in Enterprise Connector
- Configuring password authentication to Enterprise Connector
- Configuring certificate authentication to Enterprise Connector
- Replacing the certificate for authentication in Enterprise Connector
Enterprise Connector user authentication overview
Enterprise Connector administrators are set up as local users in the Enterprise Connector portal in Security > Local Users. They can authenticate to the Enterprise Connector portal using one or both of the following methods:
- A user name and password - The credentials of a local user as set up in the Enterprise Connector portal in Security > Local Users. This authentication method is the default.
- An identity certificate from a smart card - Supported only on desktop computers; not supported on mobile devices, and not supported with Firefox.

Ivanti recommends allowing HTTPS traffic to port 8443 only from the corporate network, and only from the Ivanti applications that need it. This port serves EPMM server management and access to it must be strictly controlled.
You use the Enterprise Connector portal to configure which methods are allowed.
Certificate authentication is also supported in FIPS mode.
Certificates required for certificate authentication to Enterprise Connector
To allow certificate authentication to Enterprise Connector, you upload a PEM-formatted file to Connector. The PEM-formatted file contains either:
- The issuing certificate authority (CA) certificate
- The supporting certificate chain
Connector does not check the validity of the certificate you upload. Make sure it is valid before you upload it: not expired and not revoked.
When users sign in to the Enterprise Connector portal, they present an identity certificate from a smart card. Connector authenticates the user's identity certificate against the certificate you uploaded.
When you create a local user in Enterprise Connector, set the User ID of the local user (or whichever local user field you map to; see Certificate attribute mapping used in certificate authentication to Enterprise Connector) to the user identity carried in the identity certificate.
Certificate attribute mapping used in certificate authentication to Enterprise Connector
When the user presents an identity certificate for authentication to the Enterprise Connector portal, Connector authenticates the identity certificate against the issuing CA certificate or certificate chain you uploaded. As part of that authentication, Connector makes sure the user identity in the identity certificate belongs to a valid Connector local user. You configure which field in the identity certificate and which Connector local user field must match.
Therefore, when you upload the certificate used to authenticate the user's identity certificate, you also configure the following mapping information:
Values | Description | Notes
---|---|---
Designate user identity | Select the user identity field from the identity certificate to use for authentication. The choices are the user identity types offered in the Map from attribute dropdown. | Your choice must match the Subject Alternative Name type you chose when generating the identity certificate. For the NT Principal Name, Enterprise Connector uses the User Principal Name in the Subject Alternative Name (SAN) of the identity certificate.
Select a connector substitution variable | The local user field against which the authentication compares the user identity. Allowed variables include $USERID$, $EMAIL$ and $EDIPI$. | The $EDIPI$ variable is for the Department of Defense only. Your choice depends on how you chose to populate the Subject Alternative Name in the identity certificate.
Example
Consider the case in which you specify the NT Principal Name as the field to use from the identity certificate, and $USERID$ or $EMAIL$ as the substitution variable to match against. Connector accepts both of the following formats as a match:
- DOMAIN\userid
- userid@domain
That is, the NT Principal Name and the substitution variable can have different formats, as long as the domain and userid match.
- Configuring certificate authentication to Enterprise Connector
- Using $EDIPI$ in certificate authentication to Enterprise Connector
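The match rule in the example above is easy to get wrong when the local user was typed in one format and the card carries the other. The following added example (illustration only, not Ivanti code) reads the User Principal Name out of a certificate's Subject Alternative Name and applies the DOMAIN\userid == userid@domain rule. It assumes, as the page does not state, that the UPN is carried as an otherName of type 1.3.6.1.4.1.311.20.2.3 (the Microsoft UPN OID), that the userid part is compared case-sensitively (the Connector User ID is case sensitive) and the domain part case-insensitively, and that a NetBIOS short name such as CORP is not equated with the DNS name corp.example. The SAN bytes it parses are constructed in the block itself; to check a real card, feed it the DER value of the certificate's subjectAltName extension instead.

```python
"""Read the UPN out of a certificate's Subject Alternative Name and apply the
DOMAIN\\userid == userid@domain match rule.

Added illustration, not Ivanti code. Assumptions (not stated on the page):
the UPN is carried as an otherName of type 1.3.6.1.4.1.311.20.2.3 (the
Microsoft UPN OID); the userid part is compared case-sensitively because
the Connector User ID is case sensitive; the domain part is compared
case-insensitively; a NetBIOS short name (CORP) is not equated with a DNS
name (corp.example).
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(value):
    """Dotted-string form of a DER-encoded OBJECT IDENTIFIER body."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def san_identities(san_der):
    """Return {'upn': ..., 'email': ...} found in a SubjectAltName extension value."""
    tag, names, _ = _tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE OF GeneralName")
    found, pos = {"upn": None, "email": None}, 0
    while pos < len(names):
        tag, val, pos = _tlv(names, pos)
        if tag == 0xA0:                                 # [0] otherName
            oid_tag, oid, p = _tlv(val, 0)
            if oid_tag == 0x06 and _oid_to_str(oid) == UPN_OID:
                _, inner, _ = _tlv(val, p)              # [0] EXPLICIT value
                _, utf8, _ = _tlv(inner, 0)             # UTF8String
                found["upn"] = utf8.decode("utf-8")
        elif tag == 0x81:                               # [1] rfc822Name
            found["email"] = val.decode("ascii")
    return found


def _split(identity):
    """(userid, domain) from DOMAIN\\userid or userid@domain; domain lower-cased."""
    if "\\" in identity:
        domain, userid = identity.split("\\", 1)
    elif "@" in identity:
        userid, domain = identity.rsplit("@", 1)
    else:
        return identity, ""
    return userid, domain.lower()


def identity_matches(cert_identity, local_value):
    """True when both values name the same userid in the same domain,
    whichever of the two formats each one uses."""
    return _split(cert_identity) == _split(local_value)


def _der(tag, body):
    """Short-form DER wrapper, enough for the constructed sample below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def sample_san(upn, email):
    """Constructed SAN extension value: a UPN otherName plus an rfc822Name."""
    oid = bytes.fromhex("2B060104018237140203")          # 1.3.6.1.4.1.311.20.2.3
    other = _der(0xA0, _der(0x06, oid) + _der(0xA0, _der(0x0C, upn.encode())))
    return _der(0x30, other + _der(0x81, email.encode("ascii")))


if __name__ == "__main__":
    ids = san_identities(sample_san("jdoe@corp.example", "jdoe@corp.example"))
    print(ids)
    for stored in ("CORP.EXAMPLE\\jdoe", "jdoe@corp.example",
                   "CORP.EXAMPLE\\JDoe", "CORP\\jdoe"):
        print(f"{stored:22} -> {identity_matches(ids['upn'], stored)}")
```

Run stand-alone, the block reports a match for CORP.EXAMPLE\jdoe and jdoe@corp.example, and a mismatch for CORP.EXAMPLE\JDoe (userid case differs) and CORP\jdoe (short domain name). If your identity certificates carry the NetBIOS form in the UPN, create the local user in that same form rather than relying on a mapping the product does not document.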
Using $EDIPI$ in certificate authentication to Enterprise Connector
Using the substitution variable $EDIPI$ is applicable only to Department of Defense customers. You enter it when adding an Enterprise Connector local user. This variable contains the Department of Defense identification number, also known as the Electronic Data Interchange Personal Identifier.
Procedure
If you are a Department of Defense customer setting up authentication to Enterprise Connector using a certificate on a Common Access Card (CAC), you must:
- Enter a value into the EDIPI field when you create a Connector local user. Make sure the format of the field matches the format of the EDIPI value in the NT Principal Name in the user's identity certificate.
- Use the $EDIPI$ variable as the attribute against which the authentication compares the user identity.
Although $EDIPI$ is required for CAC cards, Connector does not enforce that selection when you configure portal authentication, nor does it check that you entered a value into the EDIPI field of the Connector local user. A missing or differently formatted EDIPI value therefore surfaces only as a failed sign-in.
Adding local users to Enterprise Connector
Only local users created in the Enterprise Connector portal can access the portal. To add a local user to the Enterprise Connector database:
Procedure
- Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics).
- Go to Security > Identity Source > Local Users.
- Click the Add button to open the Add New User window.
- Modify the fields, as necessary. Refer to the Add New User window in Enterprise Connector table for details.
- Click Apply > OK.
Add New User window in Enterprise Connector
The following table summarizes the fields in the Add New User window:
Fields | Description
---|---
User ID | Enter the unique identifier to assign to this user. The user ID is case sensitive.
First Name | Enter the user's first name.
Last Name | Enter the user's last name.
Password | Enter a password for the user. Valid passwords are determined by the password policy for Enterprise Connector local users at Security > Identity Source > Password Policy.
Confirm Password | Confirm the password for the user.
Space | This field is not configurable. It is set to the global space.
Email | Enter the user's email address.
EDIPI | Department of Defense customers only: Enter the user's Department of Defense identification number, also known as the Electronic Data Interchange Personal Identifier. This field is required if your configuration on Security > Advanced > Portal Authentication specifies certificate authentication for access to the System Manager using a common access card (CAC).
Configuring password authentication to Enterprise Connector
You can configure Enterprise Connector to allow administrators to authenticate to Connector with their user name and password.
This authentication method is the default setting.
Procedure
- Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics).
- Go to Security > Advanced > Portal Authentication.
- Select Password Authentication.
- Under Password Authentication, select System Manager.
- Click Apply > OK.
Adding local users to Enterprise Connector
Configuring certificate authentication to Enterprise Connector
You can allow administrators to authenticate to the Enterprise Connector portal with the identity certificate on a smart card.
Before you begin
Have the PEM-formatted issuing CA certificate or certificate chain available to upload to Connector.
Procedure
- Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics).
- Go to Security > Advanced > Portal Authentication.
- Select Certificate Authentication.
- Under Certificate Authentication, select System Manager.
- Select PIV or CAC, depending on whether the identity certificate to authenticate is on a personal identity verification (PIV) card or common access card (CAC).
- Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.
- Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
- Click Upload Certificate > OK.
- In Select Certificate Attribute Mapping:
  - In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
  - In the Map to attribute dropdown, select the substitution variable with which to compare the user identity. If you selected CAC when choosing CAC versus PIV, you must select $EDIPI$.
- Click Apply > OK.
- Certificates required for certificate authentication to Enterprise Connector
- Certificate attribute mapping used in certificate authentication to Enterprise Connector
- Using $EDIPI$ in certificate authentication to Enterprise Connector
Replacing the certificate for authentication in Enterprise Connector
After you have uploaded a PEM-formatted file to the Enterprise Connector, you can replace it when necessary. For example, if the existing issuing CA certificate is about to expire, upload a replacement before it does.
Procedure
- Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics).
- Go to Security > Advanced > Portal Authentication.
- Click Replace CA Certificate.
- Click Choose File, and select the PEM-formatted file that contains either the replacement issuing CA certificate or the supporting certificate chain.
- Click Upload Certificate > OK.
- Click Save > OK.
Certificates required for certificate authentication to Enterprise Connector
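Because Connector does not check the validity of the uploaded CA certificate (see Certificates required for certificate authentication to Enterprise Connector), and because a replacement has to be uploaded before the existing certificate expires, it is worth checking the PEM file with a small script before each upload. The following is an added example, not part of the Ivanti documentation or product: it splits a PEM bundle into its individual certificates and uses the standard openssl command-line tool to report any certificate that is already expired or will expire within a chosen window. The default window of 30 days and the function name check_ca_pem are the example's own choices. Revocation status is not covered here; check that against your CA's CRL or OCSP responder separately.

```shell
#!/bin/sh
# check_ca_pem FILE [SECONDS]
# Report every certificate in a PEM bundle and fail (return 1) if any of them
# is expired or will expire within SECONDS (default 2592000 = 30 days).
# Added example, not Ivanti code; requires the openssl CLI.
check_ca_pem() {
    file=$1
    window=${2:-2592000}
    n=$(grep -c 'BEGIN CERTIFICATE' "$file" || true)
    if [ "$n" -eq 0 ]; then
        echo "no PEM certificates found in $file"
        return 1
    fi
    tmp=$(mktemp -d)
    # One file per certificate; text before the first BEGIN line is dropped.
    awk -v dir="$tmp" '/BEGIN CERTIFICATE/{i++} i>0{print > (dir "/cert" i ".pem")}' "$file"
    rc=0
    for c in "$tmp"/cert*.pem; do
        subject=$(openssl x509 -in "$c" -noout -subject)
        enddate=$(openssl x509 -in "$c" -noout -enddate)
        # -checkend exits 0 only if the certificate is still valid after $window seconds
        if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
            echo "OK   $subject ($enddate)"
        else
            echo "FAIL $subject ($enddate) expires within ${window}s or is already expired"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: check_ca_pem issuing-ca-chain.pem 2592000
```

Run it against the bundle you are about to upload; a FAIL line means the file needs a replacement certificate, not an upload. Because the check is per certificate, it also catches an expired intermediate in a chain whose root is still fine.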