Authentication Features
• Time-based One-Time Password (ICS Only)
• Certificate Authentication with IKE and ESP
The access management framework supports the following types of AAA servers:
• Local - You can create special-purpose local databases to manually create user accounts, or manage access based on digital certificates.
• External (standards-based) - You can integrate standards-based LDAP and RADIUS servers with the access management framework. In addition to using the backend server for authentication, you can use LDAP group and RADIUS attribute information in role-mapping rules.
• External (other) - You can integrate compatible versions of popular third-party AAA servers with the access management framework. In addition to using the backend server for authentication, you can use Active Directory group information in role-mapping rules. You can also use MDM device attributes in role-mapping rules.
SAML Support
SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. The standard defines the XML-based assertions, protocols, bindings, and profiles used in communication between SAML entities. SAML is used primarily to implement Web browser single sign-on (SSO). SAML enables businesses to leverage an identity-based security system like Ivanti Connect Secure to enforce secure access to web sites and other resources without prompting the user with more than one authentication challenge.
When deployed as SAML service provider, Ivanti Connect Secure runs a local SAML server that relies on the SAML identity provider authentication and attribute assertions when users attempt to sign in to Connect Secure. Note that authentication is only part of the Ivanti Connect Secure security system. The access management framework determines access to the system and protected resources.
For configuration details, see Configuring Authentication with the SAML Server.
SAML Single Logout
Single logout is a mechanism provided by SAML for logging out a particular user from all the sessions created by the identity provider.
Select this option if the system must receive and send single logout requests for the peer SAML identity provider. If you use the metadata option, you can complete the Single Logout Service URL setting by selecting the SLO service URL from the list; the list is populated from the identity provider entities defined in the metadata files added on the System > Configuration > SAML page. The system sends Single Logout requests to this URL. Also with the metadata option, the Single Logout Response URL setting is completed automatically based on your selection for Single Logout Service URL.
If the identity provider has left this setting empty in its metadata file, the system sends the Single Logout response to the SLO service URL. If you complete these settings manually, ask the SAML identity provider administrator for guidance. The Single Logout service for the identity provider must present a valid certificate.
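The exchange described above, as an added example that is not part of Ivanti's documentation or product code: the identity provider sends a LogoutRequest to the service provider's SLO URL, the service provider terminates the matching local session(s), and it sends a LogoutResponse to the identity provider's response URL, falling back to the SLO service URL when the metadata left the response URL empty. The entity IDs, URLs, session table and metadata dictionary are constructed for the example; message signing and the TLS check the text mentions are outside what this snippet shows.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces and the success status code (from the OASIS SAML 2.0 specification).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer: str, name_id: str, session_index: str, destination: str) -> str:
    """Identity-provider side: the LogoutRequest posted to the SP's Single Logout Service URL."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def build_logout_response(issuer: str, in_response_to: str, destination: str) -> str:
    """Service-provider side: LogoutResponse correlated to the request via InResponseTo."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": destination,
        "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_SUCCESS})
    return ET.tostring(resp, encoding="unicode")


def response_destination(idp_metadata: dict) -> str:
    """Where the SP sends the LogoutResponse: the IdP's response URL when its metadata
    supplies one, otherwise the SLO service URL (the fallback described in the text).
    The dictionary keys are constructed for this example."""
    return idp_metadata.get("slo_response_url") or idp_metadata["slo_service_url"]


def handle_logout_request(xml_text: str, sessions: dict, expected_issuer: str,
                          our_slo_url: str, sp_entity_id: str, idp_metadata: dict):
    """SP-side processing. `sessions` maps session id -> (NameID, SessionIndex).
    Returns (terminated session ids, LogoutResponse XML, URL to send it to)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    if root.get("Destination") != our_slo_url:
        raise ValueError("Destination does not match our SLO URL")
    if root.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        raise ValueError("unexpected issuer")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    session_index = root.findtext(f"{{{SAMLP}}}SessionIndex")
    # Terminate every local session for that subject; a SessionIndex narrows it to one.
    terminated = [sid for sid, (user, idx) in sessions.items()
                  if user == name_id and (session_index is None or idx == session_index)]
    for sid in terminated:
        del sessions[sid]
    dest = response_destination(idp_metadata)
    return terminated, build_logout_response(sp_entity_id, root.get("ID"), dest), dest


def logout_response_status(xml_text: str):
    """Parse a LogoutResponse: returns (InResponseTo, StatusCode value)."""
    root = ET.fromstring(xml_text)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return root.get("InResponseTo"), code.get("Value") if code is not None else None
```

The Destination and Issuer checks matter because a LogoutRequest is an unauthenticated trigger for session termination: a request addressed to a different service or from an unknown issuer should be rejected before any session is touched.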
For details, see SAML Single Sign-on.
RSA Token Code
RSA Authentication Manager (formerly known as ACE/Server) is an authentication and authorization server that allows user authentication based on credentials from the RSA SecurID® product from RSA Security Inc. When you use RSA Authentication Manager as the authentication and authorization service for your access management framework, users can sign in to Ivanti Connect Secure using the same username and password stored in the backend server.
For configuration details, see Configuring Authentication with RSA Authentication Manager.
Time-based One-Time Password (ICS Only)
The Time-based One-Time Password (TOTP) algorithm, defined in RFC 6238, is an authentication mechanism in which a one-time password (also called a token) is generated independently by the authentication server and the client from a shared secret key and the current time. ICS can act as a TOTP authentication server. Any third-party TOTP application (for example, Windows Authenticator or Google Authenticator) available on mobile and desktop client platforms can generate the TOTP tokens. The TOTP authentication option is natively available on ICS without any additional products or license requirements. Customers can use TOTP authentication as part of their MFA policy to strengthen authentication for secure access scenarios.
For configuration details, see Configuring Authentication with a TOTP Authentication Server.
Certificate Authentication
The certificate server is a local server that allows user authentication based on the digital certificate presented by the user without any other user credentials.
When you use a certificate server, the user experience is similar to anonymous authentication, because the user is not prompted for any credentials. Certificate server authentication is most useful when the certificate is protected by a hardware or software token or by a password. The certificate contains the full distinguished name (DN); the system extracts the values from the DN and uses them in role mapping rules, authentication policies, and role restrictions.
The access management framework supports the following certificate server features:
• Certificate directory services to retrieve user attributes for role mapping rules, authentication policies, and role restrictions.
• Loading CA-created certificates on the system.
• Loading multiple certificates from different CAs for use with different authentication realms.
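To make concrete how DN values drive role mapping, here is an added example (not ICS code, and not its rule syntax) that parses an RFC 4514 subject DN string into attribute/value pairs and evaluates constructed "attribute equals value, then role" rules against it. The rule list, DNs and role names are made up for the example; multi-valued RDNs joined with `+` are not split, which is a limitation of this snippet rather than of the standard.

```python
import string
from typing import List, Tuple

# Characters RFC 4514 allows to be escaped with a single backslash.
_ESCAPABLE = set(' ,+"\\<>;=#')


def _is_hex_pair(s: str) -> bool:
    return len(s) == 2 and all(ch in string.hexdigits for ch in s)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (ATTRIBUTE, value) pairs, leftmost RDN first.

    Handles '\\,'-style escapes and '\\XX' hex escapes (consecutive hex pairs are decoded
    as one UTF-8 sequence). Multi-valued RDNs ('+') are not split in this example.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            nxt = dn[i + 1:i + 2]
            if nxt in _ESCAPABLE:
                buf.append(nxt)
                i += 2
                continue
            raw = bytearray()
            while dn[i:i + 1] == "\\" and _is_hex_pair(dn[i + 1:i + 3]):
                raw += bytes.fromhex(dn[i + 1:i + 3])
                i += 3
            if not raw:
                raise ValueError(f"bad escape at offset {i}")
            buf.append(raw.decode("utf-8"))
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
            i += 1
            while i < len(dn) and dn[i] == " ":  # skip unescaped spaces after the separator
                i += 1
            continue
        buf.append(c)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


def subject_username(dn: str) -> str:
    """Use the CN as the username, as a certificate realm commonly does; error if the DN has none."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    raise ValueError("no CN in DN")


# Constructed sample rules: (attribute, required value, role granted).
SAMPLE_RULES = [
    ("OU", "Engineering", "Engineers"),
    ("OU", "Contractors", "Contractor-Restricted"),
    ("O", "Example Corp", "Employees"),
]


def map_roles(dn: str, rules=SAMPLE_RULES) -> List[str]:
    """Return the sorted set of roles whose rule matches an attribute/value pair in the DN."""
    attrs = parse_dn(dn)
    return sorted({role for attr, value, role in rules if (attr.upper(), value) in attrs})
```

Matching on the parsed pairs rather than on the raw DN string is the point of the parser: a substring test against `"OU=Engineering"` would also match an escaped CN such as `CN=OU\=Engineering`, whereas the parsed form keeps that text inside the CN value where it belongs.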
For configuration details, see Configuring Authentication with the Certificate Server.
Certificate Authentication with IKE and ESP
Certificate authentication in Ivanti Secure Access Client (ISAC) with IKE and ESP typically involves using digital certificates to verify the identity of users and devices when establishing a VPN connection. This method enhances security by replacing or supplementing traditional username/password authentication. ISAC supports certificate-based authentication for both user and machine authentication, often as part of a realm configuration on the Ivanti server. For more information, see Certificate Authentication Support.