Overview
Supported Features
Ivanti Connect Secure supports the following features with OAuth:
•Only signed and signed-plus-encrypted ID tokens are supported
•Act as Relying Party (RP) only
•Talk to any standard OP (OAuth Provider) for authentication
•“User Name Template” option for username mapping
•“User Attributes” based role mapping
•Multiple host FQDNs talking to the same OP with different Client IDs
•MFA authentication at OP
•MFA at ICS
•Check for time skew as per configured values
•Clusters (A/A or A/P)
•XML and binary based export/import of OAuth Server configs
•Create, read, update and delete (CRUD) of OAuth Server configurations through REST APIs
Limitations
•ICS cannot act as an OAuth Provider (OP) for authentication.
•SLO (Single Logout) is not supported: logging out of ICS ends the ICS session only and does not trigger a logout at the respective OP.
•An OAuth Server cannot be configured as a Secondary Auth Server for any User Realm; it can ONLY be configured as the Primary Auth Server.
•If the OAuth Provider issues encrypted ID Tokens, a device certificate with an RSA key must be configured on ICS, and that certificate (the public part, never the private key) must be shared with the OAuth Provider when configuring the settings on the provider end.
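The checks that the Relying Party side of this setup performs on an ID token, as an added illustration covering the Supported Features list above (signature check, configured time-skew tolerance, "User Name Template" mapping, "User Attributes" role mapping, several host FQDNs against one OP) and the encrypted-token limitation. This is example code written for this page, not Ivanti Connect Secure's implementation. It assumes HS256 signing with the client secret so that it runs offline with the standard library only (a production OP normally signs with RS256 against its published JWKS); the hostnames, client IDs, secrets, the `<claim>` placeholder template syntax and the (attribute, value, role) rule format are constructed for the example and are not ICS's real configuration schema.

```python
# Added example (not Ivanti's code): Relying-Party side ID-token checks.
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed RP configuration: two host FQDNs talk to the same OP with
# different client IDs (illustrative, not ICS's real configuration schema).
ISSUER = "https://op.example.com"
RP_CONFIG = {
    "vpn1.example.com": {"client_id": "ics-vpn1", "client_secret": "s3cret-one"},
    "vpn2.example.com": {"client_id": "ics-vpn2", "client_secret": "s3cret-two"},
}
MAX_SKEW_SECONDS = 120  # configured clock-skew tolerance


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """Constructed stand-in for the OP: issue an HS256-signed ID token (JWS compact form)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token: str, host: str, now: Optional[int] = None) -> dict:
    """Validate signature, issuer, audience and time claims for the RP identified by host."""
    now = int(time.time()) if now is None else now
    rp = RP_CONFIG[host]
    parts = token.split(".")
    if len(parts) == 5:
        # JWE: a signed-then-encrypted token. Decrypting it needs the RP's RSA
        # private key (the device-certificate requirement above); not handled here.
        raise ValueError("encrypted ID token: RSA private key required to decrypt")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(rp["client_secret"].encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if rp["client_id"] not in aud:  # token minted for another of our client IDs is rejected
        raise ValueError("token not issued for this client_id")
    # Time checks, tolerating the configured skew in both directions.
    if now > int(claims["exp"]) + MAX_SKEW_SECONDS:
        raise ValueError("token expired")
    if int(claims.get("iat", 0)) > now + MAX_SKEW_SECONDS:
        raise ValueError("token issued in the future: clock skew exceeds tolerance")
    return claims


def token_is_valid(token: str, host: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_id_token for callers that only need accept/reject."""
    try:
        verify_id_token(token, host, now)
        return True
    except (ValueError, KeyError):
        return False


def map_username(claims: dict, template: str) -> str:
    """Assumed template syntax: <claim> placeholders, e.g. "<email>" or "<preferred_username>@corp"."""
    out = template
    for name, value in claims.items():
        if isinstance(value, str):
            out = out.replace(f"<{name}>", value)
    return out


def map_roles(claims: dict, rules: List[Tuple[str, str, str]]) -> List[str]:
    """Each rule is (claim name, required value, role); list-valued claims match by membership."""
    roles: List[str] = []
    for claim, needed, role in rules:
        value = claims.get(claim)
        values = value if isinstance(value, list) else [value]
        if needed in values and role not in roles:
            roles.append(role)
    return roles
```

The expiry check is deliberately one-sided per claim: `exp` is allowed to be up to MAX_SKEW_SECONDS in the past and `iat` up to MAX_SKEW_SECONDS in the future, which is what "check for time skew as per configured values" amounts to in practice. A token minted for `vpn1.example.com` fails on `vpn2.example.com` twice over (different secret, different `aud`), which is why per-FQDN client IDs against one OP are safe.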
Configuring the OAuth Server to work with ICS
Configuring the OAuth Server involves the following steps:
3. Configuration on the OAuth Provider (OP)
Prerequisites
Ensure that, while performing the required configuration on the OAuth Provider (OP), you collect the following parameters, which are needed to create and configure the OAuth Server on ICS:
•Client ID
•Client Secret
•Host FQDN
•Configuration file in JSON format
Refer to Configuration on the OAuth Provider (OP) for the configuration procedures that help you collect the required parameters.