Authentication Features

SAML Support

Smart Card

RSA Token Code

Time-based One-Time Password (ICS Only)

Certificate Authentication

Certificate Authentication with IKE and ESP

Secondary Authentication (not to IPS)

Bio-metric Authentication (Touch-ID / Face ID)

AAA stands for authentication, authorization, and accounting. An AAA server is a database that stores user credentials - username and password - and, in some cases, group information or other user attributes. The authentication results and the group or user attribute information are used by the access management framework for policy decisions.

The access management framework supports the following types of AAA servers:

Local - You can create special purpose local databases to manually create user accounts, permit anonymous access, or manage access based on digital certificates.

External (standards-based) - You can integrate standards-based LDAP and RADIUS servers with the access management framework. In addition to using the backend server for authentication, you can use LDAP group and RADIUS attribute information in role-mapping rules.

External (other) - You can integrate compatible versions of popular third-party AAA servers with the access management framework. In addition to using the backend server for authentication, you can use Active Directory group information in role-mapping rules. In addition, you can use MDM device attributes in role mapping rules.

SAML Support

SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. The standard defines the XML-based assertions, protocols, bindings, and profiles used in communication between SAML entities. SAML is used primarily to implement Web browser single sign-on (SSO). SAML enables businesses to leverage an identity-based security system like Ivanti Connect Secure to enforce secure access to web sites and other resources without prompting the user with more than one authentication challenge.

When deployed as a SAML service provider, Ivanti Connect Secure runs a local SAML server that relies on the SAML identity provider's authentication and attribute assertions when users attempt to sign in to Connect Secure. Note that authentication is only part of the Ivanti Connect Secure security system. The access management framework determines access to the system and protected resources.

For configuration details, see Configuring Authentication with the SAML Server.

SAML Single Logout

Single logout is a mechanism provided by SAML for logging out a particular user from all the sessions created by the identity provider.

For details, see SAML Single Sign-on.

Smart Card


RSA Token Code

RSA Authentication Manager (formerly known as ACE/Server) is an authentication and authorization server that allows user authentication based on credentials from the RSA SecurID® product from RSA Security Inc. When you use RSA Authentication Manager as the authentication and authorization service for your access management framework, users can sign in to Ivanti Connect Secure using the same username and password stored in the backend server.

For configuration details, see Configuring Authentication with RSA Authentication Manager.

Time-based One-Time Password (ICS Only)

The Time-based One-Time Password (TOTP) algorithm, as defined in RFC 6238, is an authentication mechanism in which a one-time password (also known as a token) is generated independently by the authentication server and the client from a shared secret key and the current time. ICS can act as a TOTP authentication server. Any third-party TOTP application (for example, Windows Authenticator or Google Authenticator) available on mobile and desktop client platforms can generate the TOTP tokens. The TOTP authentication option is natively available on ICS without any additional products or license requirements. Customers can use TOTP authentication as part of their MFA policy to strengthen their authentication mechanism for secure access scenarios.

For configuration details, see Configuring Authentication with a TOTP Authentication Server.

Certificate Authentication

The certificate server is a local server that allows user authentication based on the digital certificate presented by the user without any other user credentials.

When you use a certificate server, the user experience is similar to anonymous authentication. Certificate server authentication is most useful when the certificate is protected by a hardware or software token or by a password. The certificate contains the user's full distinguished name (DN); the system extracts the values from the DN and uses them in role mapping rules, authentication policies, and role restrictions.

The access management framework supports the following certificate server features:

Certificate directory services to retrieve user attributes in role mapping rules, authentication policies, and role restrictions.

Load CA-created certificates on the system.

Load multiple certificates from different CAs for use with different authentication realms.

For configuration details, see Configuring Authentication with the Certificate Server.

Certificate Authentication with IKE and ESP


Secondary Authentication (not to IPS)

Ivanti Secure Access Client supports only one case of dual-factor authentication, in which the client certificate is the primary factor and local authorization is the secondary. Starting with release 22.5R2.1/22.6R2, the SAML Authentication server appears in the Additional Authentication Server dropdown only when the primary authentication server is Certificate Authentication.

For configuration details, see Creating an Authentication Realm.

Bio-metric Authentication (Touch-ID / Face ID)