Local user authentication to Enterprise Connector

Enterprise Connector user authentication overview

Enterprise Connector administrators are set up as local users in the Enterprise Connector portal in Security > Local Users. They can authenticate to the Enterprise Connector portal using one or both of the following methods:

  • A user name and password - These are the credentials for a local user as set up in the Enterprise Connector portal in Security > Local Users. This authentication method is the default.

  • An identity certificate from a smart card - Using an identity certificate from a smart card is supported only on desktop computers. It is not supported on mobile devices. Also, it is not supported with Firefox.

Ivanti recommends allowing HTTPS traffic on port 8443 from the corporate network, limited to Ivanti applications only. This service is intended for EPMM server management and must have strictly controlled access.

You use the Enterprise Connector portal to configure which methods are allowed.

Certificate authentication is also supported in FIPS mode.

Certificates required for certificate authentication to Enterprise Connector

To allow certificate authentication to Enterprise Connector, you upload a PEM-formatted file to Connector. The PEM-formatted file contains either:

  • The issuing certificate authority (CA) certificate
  • The supporting certificate chain

Connector does not check the validity of the certificate you upload. Make sure the certificate is valid before you upload it: that is, make sure it has not expired and has not been revoked.

When users sign in to the Enterprise Connector portal, they provide an identity certificate from a smart card. Connector authenticates the user’s identity certificate against the certificate that you uploaded to Connector.

When you create a local user in Enterprise Connector, set the User ID of the local user to the user identity from the identity certificate.

Certificate attribute mapping used in certificate authentication to Enterprise Connector

When the user presents an identity certificate for authentication to the Enterprise Connector portal, Connector authenticates the identity certificate against the issuing CA certificate or certificate chain you uploaded to Connector. As part of that authentication, Connector makes sure the user identity in the identity certificate belongs to a valid Connector local user. You configure which field in the identity certificate and which Connector local user field must match.

Therefore, when you upload the certificate used for authenticating users' identity certificates, you also configure the following mapping information:

Table 29.  Mapping information used in certificate authentication

Designate user identity

  Description: Select the user identity field from the identity certificate that the authentication uses. The choices are:

    • the NT Principal Name
    • the RFC822 email name

  Notes: Your choice must match the Subject Alternative Name type you chose for generating the identity certificate.

  For the NT Principal Name, Enterprise Connector uses the User Principal Name in the Subject Alternative Name (SAN) in the identity certificate.

Select a connector substitution variable

  Description: The variable against which the authentication compares the user identity. Allowed variables are:

    • $USERID$ - User ID
    • $EMAIL$ - Email
    • $EDIPI$ - The EDIPI value entered when configuring the Connector local user.

  The $EDIPI$ variable is for the Department of Defense only. See Using $EDIPI$ in certificate authentication to Enterprise Connector.

  Notes: Your choice depends on how you chose to populate the Subject Alternative Name in the identity certificate.

Example  

Consider the case in which you specify the NT Principal Name as the field to use from the identity certificate, and you specify $USERID$ or $EMAIL$ as the substitution variable to match. Connector accepts both of the following formats as a match:

  • DOMAIN\userid
  • userid@domain

That is, the NT Principal Name and the substitution variable can have different formats, as long as the domain and userid match.

Using $EDIPI$ in certificate authentication to Enterprise Connector

Using the substitution variable $EDIPI$ is applicable only to Department of Defense customers. You enter it when adding an Enterprise Connector local user. This variable contains the Department of Defense identification number, also known as the Electronic Data Interchange Personal Identifier.

Procedure 

If you are a Department of Defense customer setting up authentication to Enterprise Connector using a certificate on a Common Access Card (CAC), then you must:

  1. Enter a value into the EDIPI field when you create a Connector local user.

    Make sure the format of the field matches the format of the EDIPI value in the NT Principal Name in the user's identity certificate.

  2. Use the $EDIPI$ variable as the attribute against which the authentication compares the user identity.

    Although using $EDIPI$ is required for CAC cards, Connector does not enforce the selection when you configure portal authentication. Connector also does not ensure that you have entered a value into the EDIPI field of the Connector local user.
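The matching rules above (the DOMAIN\userid and userid@domain equivalence, and the $EDIPI$ mapping for CAC) as an added Python sketch; this is not Connector's own code. It assumes the SAN values have already been extracted from the identity certificate, uses constructed sample values, and assumes the EDIPI appears as the user part of the NT Principal Name. It also enforces the documented CAC-requires-$EDIPI$ rule and the presence of an EDIPI value, both of which Connector itself does not check.

```python
# Sample values are constructed for this example; none come from a real deployment.
LOCAL_USER = {                      # fields entered in Security > Identity Source > Local Users
    "$USERID$": r"corp.example\jdoe",
    "$EMAIL$": "jdoe@corp.example",
    "$EDIPI$": "1234567890",
}

# SAN entries already extracted from the identity certificate (constructed sample).
SAN = {
    "NT Principal Name": "jdoe@corp.example",   # User Principal Name otherName in the SAN
    "RFC822 email name": "jdoe@corp.example",   # rfc822Name in the SAN
}
CAC_SAN = {"NT Principal Name": "1234567890@mil"}  # assumption: EDIPI as the UPN user part


def split_identity(value):
    """Normalize 'DOMAIN\\userid' or 'userid@domain' to (userid, domain), lowercased.

    The two spellings count as the same identity when userid and domain both match,
    which is the equivalence the documentation describes for the NT Principal Name."""
    if "\\" in value:
        domain, userid = value.split("\\", 1)
    elif "@" in value:
        userid, domain = value.rsplit("@", 1)
    else:
        userid, domain = value, ""
    return userid.strip().lower(), domain.strip().lower()


def authenticate(san, map_from, map_to, local_user, card="PIV"):
    """Apply the configured attribute mapping; return (accepted, reason)."""
    # Documented requirement for CAC; Connector does not enforce it, this check does.
    if card == "CAC" and map_to != "$EDIPI$":
        return False, "CAC requires mapping to $EDIPI$"
    cert_value = san.get(map_from)
    if not cert_value:
        return False, f"certificate has no {map_from} in its SAN"
    local_value = local_user.get(map_to)
    if not local_value:
        return False, f"local user has no {map_to} value"   # Connector does not check this either
    if map_to == "$EDIPI$":
        # Compare the EDIPI digits only; the UPN suffix is not part of the stored value.
        accepted = split_identity(cert_value)[0] == local_value.strip().lower()
    else:
        accepted = split_identity(cert_value) == split_identity(local_value)
    return accepted, ("match" if accepted else "identity mismatch")
```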

Adding local users to Enterprise Connector

Only local users created in the Enterprise Connector portal can access the portal. To add a local user to the Enterprise Connector database:

Procedure 

  1. Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics)
  2. Go to Security > Identity Source > Local Users.
  3. Click the Add button to open the Add New User window.
  4. Modify the fields, as necessary.

    Refer to the Add New User window in Enterprise Connector table (Table 30) for details.

  5. Click Apply > OK.

Add New User window in Enterprise Connector

The following table summarizes the fields in the Add New User window:

Table 30.   Add New User Fields

  User ID - Enter the unique identifier to assign to this user. The user ID is case sensitive.

  First Name - Enter the user’s first name.

  Last Name - Enter the user’s last name.

  Password - Enter a password for the user. Valid passwords are determined by the password policy for Enterprise Connector local users at Security > Identity Source > Password Policy.

  Confirm Password - Confirm the password for the user.

  Space - This field is not configurable. It is set to the global space.

  Email - Enter the user’s email address.

  EDIPI - Department of Defense customers only. Enter the user’s Department of Defense identification number, also known as the Electronic Data Interchange Personal Identifier. This field is required if your configuration on Security > Advanced > Portal Authentication specifies certificate authentication for access to the System Manager using a common access card (CAC).

Configuring password authentication to Enterprise Connector

You can configure Enterprise Connector to allow administrators to authenticate to Connector with their user name and password.

This authentication method is the default setting.

Procedure 

  1. Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics)
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Password Authentication.
  4. Under Password Authentication, select System Manager.
  5. Click Apply > OK.

Configuring certificate authentication to Enterprise Connector

You can allow administrators to authenticate to the Enterprise Connector portal with the identity certificate on a smart card.

Before you begin 

Have the PEM-formatted issuing CA certificate or certificate chain available to upload to Connector.

Procedure 

  1. Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics)
  2. Go to Security > Advanced > Portal Authentication.
  3. Select Certificate Authentication.
  4. Under Certificate Authentication, select System Manager.
  5. Select PIV or CAC, depending on whether the identity certificate to authenticate is on a personal identity verification (PIV) card or common access card (CAC).
  6. Click Upload Issuing CA Certificate to open the Upload Issuing CA Certificate window.
  7. Click Choose File, and select the PEM-formatted file that contains either the issuing CA certificate or the supporting certificate chain.
  8. Click Upload Certificate > OK.
  9. In Select Certificate Attribute Mapping:

    1. In the Map from attribute dropdown, select the user identity type in the identity certificate to use for authenticating the user.
    2. In the Map to attribute dropdown, select the substitution variable with which to compare the user identity. If you selected CAC in step 5, you must select $EDIPI$.
  10. Click Apply > OK.

Replacing the certificate for authentication in Enterprise Connector

After you have uploaded a PEM-formatted file to Enterprise Connector, you can replace it when necessary. For example, if the existing issuing CA certificate is about to expire, upload a replacement.

Procedure 

  1. Log in to the Connector (https://<fully-qualified_domain_name>:8443/mics)
  2. Go to Security > Advanced > Portal Authentication.
  3. Click Replace CA Certificate.
  4. Click Choose File, and select the PEM-formatted file that contains either the replacement issuing CA certificate or the supporting certificate chain.
  5. Click Upload Certificate > OK.
  6. Click Save > OK.