ICS Gateway Administration


Introduction

After you have logged into the nSA for the first time, you can create authentication methods and apply them to the authentication policies you define in your nSA deployment. You then apply an authentication policy, together with admin rules, to an admin group. An admin group forms part of a Secure Access Policy.

To view admin authentication methods currently defined on the nSA, see Viewing Admin Authentication Methods. To view admin authentication policies, see Viewing Admin Authentication Policies.

This chapter includes workflows for configuring admin authentication according to each supported authentication type. nSA supports the following types:

After you have created the required authentication method and updated your admin authentication policies, you create admin rules and admin groups, see Creating Admin Rules and Admin Groups.

Optionally, you can associate each admin group with an admin role, see Associating Admin Groups with Admin Roles.

Viewing Admin Authentication Methods

To view the admin authentication methods defined on the nSA, click the Administration icon in the nSA menu, then select Admin Management > Admin Authentication.

The Admin Authentication page appears, showing all admin authentication methods:

FIGURE 430 Admin Authentication Methods

From this page, you can:

  • Add a new authentication method by clicking Add.

  • Edit an existing authentication method by selecting its check box and clicking Edit. Make any required updates and save the changes.

  • Delete an unused authentication method by selecting its check box and clicking Delete. You must confirm the deletion.

  • View the configured attributes for a SAML authentication method, where that method is configured for use with an authentication policy. To do this, click the arrow indicator to the left of the method name, where shown.

Viewing Admin Authentication Policies

To view the admin authentication policies defined on the nSA, click the Administration icon in the nSA menu, then select Admin Management > Admin Policies.

The Admin Policies page appears, showing all admin authentication policies.

FIGURE 431 Admin Authentication Policies

nSA provides default/built-in authentication policies, suitable for the primary use-cases of administrative sign-in, user enrollment, and user sign-in:

  • Admin SignIn. This policy is used whenever admin users log in. That is, for connection requests to the */login/admin/ URL. It is referenced by the ALLADMINUSERS admin rule, which associates it with the ADMINISTRATORS admin group.

This policy is fixed and cannot be deleted. However, you can edit it to reference a specific authentication method.

Furthermore, you can create additional custom authentication policies to enable bespoke authentication for specific groups of users or parts of your organization. Each policy should contain a unique access URL to which your users connect, and each should then be configured to link to an authentication method applicable for that purpose.

To learn more about how admin authentication policies are used in an nSA service.

From this page, you can:

  • (For SAML authentication) Download policy metadata files that are required for external SAML enrollment or sign-in apps. To do this, select the check box for the required policy and click Download. Save the file to your local workstation.

  • View the configured attributes for a SAML-authenticated policy, where that policy is configured with a valid SAML authentication method. To do this, click the arrow indicator to the left of the policy name, where shown.

  • Add an authentication policy by clicking Add.

  • Edit an existing authentication policy by selecting its check box and clicking Edit. Make any required updates and save the changes.

  • Delete an unused authentication policy by selecting its check box and clicking Delete. You must confirm the deletion.

Creating Admin Rules and Admin Groups

After your authentication method is established and associated with an authentication policy, you can set up any required admin rules and admin groups. An admin rule identifies one or more admin users based on a test against a selected attribute present in an admin credential or profile, checked against either a local authentication record or a SAML authentication service. For information about creating admin rules, see Creating Admin Rules.

FIGURE 432 Performing authentication through an Admin Group

You associate one or more admin rules with an authentication policy to form an admin group (see Creating Admin Groups). Users requesting authorization for a service controlled by a Secure Access Policy must pass all the rules contained in the admin group attached to the policy.

An admin group is required when defining a secure access policy. The admin group identifies the users and the authentication policy to which a secure access policy applies.

Optionally, you can associate each admin group with an admin role, see Associating Admin Groups with Admin Roles.

Creating Admin Rules

Through admin rules, an admin can construct a test to provide authorization to only those users of a particular name, role, group, or some other stored attribute. In the rule configuration, you select the admin attribute on which you want a test to be performed.

nSA includes the following default admin rule:

  • ALLADMINUSERS. This matches all admin users, and is referenced by the default ADMINISTRATORS admin group, which associates it with the built-in Admin Signin authentication policy.

Note

To read more about default admin groups, see Creating Admin Groups. To read more about built-in authentication policies, see Viewing Admin Authentication Policies.

This preset configuration of rules, groups, and policies is suitable for typical use cases involving whole-organization authorization needs. In other words, where you require only a single admin user authorization path that matches all users. For scenarios where you require more specific admin user authorization checks, you can create additional rules to match specific types of users.

When you create a rule, you select the admin attribute that you want this rule to test. nSA provides the following rule attribute types:

  • username: For local authentication methods, choose this attribute type to match against locally-defined user names.

  • SAML (Azure AD): For SAML authentication methods, choose this attribute type to match against user names or groups provided by the SAML service.

  • Custom: For SAML authentication methods, choose this attribute type to match against a custom SAML attribute expression.

To create an admin rule:

  1. From the nSA menu, click the Administration icon, then select Admin Management > Admin Rules.

    The Admin Rules page appears. This page lists all admin rules.

  2. Click Add.

    The Add Admin Rule form appears.

    FIGURE 433 Add Admin Rules

  3. Enter a Rule Name.

  4. Click Select Attribute Type and select one of the available options:

    • Username: Matches user names in a local authentication method. When you select this option, you must then:

      • Select an Expression type, either Matching or Not Matching.

      • For the Admin value, enter a match expression for the selected Expression type. For the value:

        • A comma-separated list of items is supported where required.

        • Wildcard matches are supported.

        • Special characters are supported.

        • Single and double quotes are not supported.

        Note

        Ivanti recommends that a basic asterisk wildcard is not used when you intend to associate admin roles with admin groups. Instead, a more-specific wildcard that only includes admin users is required in this case to prevent all users having total access rights.

    • SAML (Azure AD): Matches user names or groups in a SAML authentication method. When you select this option, you must then:

      • Select a SAML Attribute Type, either Username or Group.

      • For Attribute Value, enter a match expression for the selected SAML Attribute Type as a SAML expression.

    • Custom: Matches against a custom SAML attribute expression. When you select this option, use the Type or Create an Expression property to enter an attribute expression. Supported formats include:

      • For simple user attribute key-value matching, use the syntax userAttr.<attr-key> [=|!=] <attr-value>. For example:

        - userAttr.memberOf = "CN=sales,DC=example,DC=com"
        - userAttr.mail = "[email protected]"
        - userAttr.realm = "Users"
        - userAttr.department != "example_department"
        
      • To match against attributes that can have multiple values associated with a single attribute key, use the syntax samlMultiValAttr.<attr-key> [=|!=] (<list>). For example:

        - samlMultiValAttr.memberOf = ("CN=Employee,CN=Users,DC=example_demo,DC=com")
        - samlMultiValAttr.memberOf = ("CN=Users,DC=example_demo,DC=com")
        
      • Use brackets and AND/OR operators to construct logical compound expressions:

        - userAttr.groups = ("Group1" or "Group2")
        - userAttr.realm = ("ztaqa") and samlMultiValAttr.memberOf = ("CN=sales,DC=uisdp,DC=com")
        - userAttr.realm = ("ztaqa") or samlMultiValAttr.memberOf = ("CN=sales,DC=uisdp,DC=com")
        - userAttr.realm != ("ztaqa") and samlMultiValAttr.memberOf = ("CN=sales,DC=uisdp,DC=com")
        
  5. Click Create.

    The new admin rule is added to the list of admin rules.

  6. Repeat steps 3-6 for each required admin rule.

  7. (Optional) Edit an existing admin rule by selecting its check box and clicking Edit. Make any required updates and save the changes.

  8. (Optional) Delete an unused admin rule by selecting its check box and clicking Delete. You must confirm the deletion.

After you have created all required admin rules, you can create admin groups, see Creating Admin Groups.
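As an added illustration (not nSA or Ivanti code), the following Python evaluates admin rules of both kinds described above against a constructed set of assertion attributes: Username rules given as comma-separated wildcard patterns in Matching or Not Matching mode, and Custom SAML attribute expressions in the userAttr/samlMultiValAttr syntax with brackets and and/or. The match semantics are assumptions: an attribute is treated as a set of values, "=" succeeds when any listed value is present and "!=" when none is, "and" binds tighter than "or", and attrs is a dict of attribute key to list of values.

```python
import re
from fnmatch import fnmatchcase
# Added example, not nSA code. Assumed: an attribute is a set of values, "="
# is true when any listed value is present and "!=" when none is.
TOKEN_RE = re.compile(
    r'\s*(?:(?P<str>"[^"]*")|(?P<op>!=|=)|(?P<par>[()])'
    r'|(?P<kw>and|or)\b|(?P<attr>(?:userAttr|samlMultiValAttr)\.[\w\-]+))'
)

# Constructed sample assertion attributes, not real directory data.
SAMPLE_ATTRS = {"memberOf": ["CN=sales,DC=example,DC=com"], "realm": ["ztaqa"],
                "department": ["engineering"]}

def tokenize(text):
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("unexpected input at: %r" % text[pos:pos + 12])
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise ValueError("expected %s %s, got %r" % (kind, value, v))
        self.i += 1
        return v

    def binop(self, level):
        # level 0 = "or", level 1 = "and" (binds tighter), level 2 = one term
        if level == 2:
            return self.term()
        word = ("or", "and")[level]
        node = self.binop(level + 1)
        while self.peek() == ("kw", word):
            self.take()
            node = (word, node, self.binop(level + 1))
        return node

    def term(self):
        # Brackets group sub-expressions; otherwise a single comparison.
        if self.peek() == ("par", "("):
            self.take()
            node = self.binop(0)
            self.take("par", ")")
            return node
        attr, op = self.take("attr"), self.take("op")
        return ("cmp", attr, op, self.values())

    def values(self):
        # One "string", or a bracketed list such as ("Group1" or "Group2").
        if self.peek()[0] == "str":
            return {self.take()[1:-1]}
        self.take("par", "(")
        vals = {self.take("str")[1:-1]}
        while self.peek() == ("kw", "or"):
            self.take()
            vals.add(self.take("str")[1:-1])
        self.take("par", ")")
        return vals

def evaluate(node, attrs):
    if node[0] == "cmp":
        _, attr, op, wanted = node
        hit = bool(set(attrs.get(attr.split(".", 1)[1], [])) & wanted)
        return hit if op == "=" else not hit
    left, right = evaluate(node[1], attrs), evaluate(node[2], attrs)
    return (left and right) if node[0] == "and" else (left or right)

def custom_rule_matches(expression, attrs):
    # Custom (SAML) rule: True when the assertion attributes satisfy it.
    parser = Parser(tokenize(expression))
    node = parser.binop(0)
    if parser.peek()[0] is not None:
        raise ValueError("trailing input after expression")
    return evaluate(node, attrs)

def username_rule_matches(value, username, matching=True):
    # Username rule: comma-separated wildcard patterns, Matching or Not Matching.
    hit = any(fnmatchcase(username, p.strip()) for p in value.split(",") if p.strip())
    return hit if matching else not hit
```

A Username rule whose value is a bare asterisk returns True for every name, which is why the note above asks for a narrower pattern whenever admin roles are associated with admin groups.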

Creating Admin Groups

After you have created admin rules (see Creating Admin Rules), you associate one or more admin rules with an authentication policy to form an admin group.

Note

Admin groups are one of the four dimensions of a Secure Access Policy.

nSA includes the following default admin group:

  • ADMINISTRATORS. This admin group associates the default ALLADMINUSERS admin rule with the built-in Admin Signin authentication policy.

Note

To read more about built-in authentication policies, see Viewing Admin Authentication Policies.

This preset configuration of rules, groups, and policies is suitable for typical use cases involving whole-organization authorization needs. In other words, where you require only a single admin user authorization path that matches all users. For scenarios where you require more specific admin user authorization checks, you can create additional admin groups to make different associations of admin rules and custom authentication policies.

To create an admin group:

  1. From the nSA menu, click the Administration icon, then select Admin Management > Admin Groups.

    The Admin Groups page appears. This page lists all admin groups.

  2. Click Add.

    A form appears to enable you to create the admin group.

    FIGURE 434 Add Admin Groups

  3. Enter an Admin Group Name.

  4. Click Select an Authentication Policy and select the required authentication policy.

  5. Add a Description for the admin group.

  6. Select each of the listed Admin Rules that are required in the admin group.

  7. Click Create.

    The new admin group appears in the Admin Groups list.

  8. Repeat steps 2-7 to create all required admin groups.

  9. (Optional) To edit a listed admin group, click its Edit control and make any required updates.

  10. (Optional) To delete an unused admin group, click its Delete control and confirm the deletion.

After you have created admin groups, you can optionally assign the admin group to an admin role, see Associating Admin Groups with Admin Roles.

Associating Admin Groups with Admin Roles

An admin role defines the elements of the admin interface that an associated admin group can access.

The current admin can only access an individual admin interface page/workflow if their admin group is associated with an admin role that permits it. The tasks they can perform within that displayed element depend on the permissions set within the admin role.

Note

When you are using admin roles, Ivanti recommends that any admin rules for administrators do not use a basic asterisk wildcard, see Creating Admin Rules. Instead, a more-specific wildcard that only includes admin users is required in this case to prevent all users having total access rights.

Note

Admin roles are not created by the tenant admin using the nSA user interface. Rather, they are set up by the Ivanti DevOps team.

For example, the DevOps team might define the following admin roles:

  • The .Administrators admin role has access to all user interface elements (full read, create, update, delete rights).

  • The .Read-Only Administrators admin role has access to all user interface elements except workflows (read only).

  • The .Network Administrators admin role has access to Gateways and Insights (read only).

  • The .CxOs admin role has access to Insights only (read only).

Note

For more information about your assigned admin roles, please contact Ivanti DevOps.

The Admin can view admin roles in the Administration > Admin Roles page, and associate each role with a single admin group.

To associate an admin group with an admin role:

  1. Log into the nSA as a Tenant Admin.

  2. From the nSA menu, click the Administration icon, then select Admin Roles.

    A list of Admin Roles appears. For example:

    FIGURE 435 Admin Roles

  3. Click the Edit icon for the admin role you want to update.

    A dialog appears. For example:

    FIGURE 436 Edit Admin Roles

  4. Under Choose group, select the admin group that you want the admin role to be associated with.

  5. Click Save Changes.

  6. (Optional) Repeat steps 3 to 5 for each admin role.

Workflow: Creating a Local Authentication Policy

This process involves creating a local authentication method and defining within it all user credentials necessary to identify and authenticate your end-users. Before you begin, make sure you have all user details (name and password) ready.

Note

nSA includes built-in default authentication policies, each of which references a built-in local authentication method.

To configure a new local authentication method:

  1. Log into the nSA as a Tenant Admin.

  2. From the nSA menu, click the Administration icon, then select Admin Management > Admin Authentication.

    The Admin Authentication page appears. This page lists all existing admin authentication methods. For example:

    FIGURE 437 Admin Authentication Methods

  3. Click Add.

    A form appears that enables you to define the authentication method.

    FIGURE 438 Adding a new local user authentication method

    Note

    At any point during this process, you can reset the form data by clicking Reset. You can also view existing authentication methods in a pop-up dialog by clicking View Auth Methods.

  4. Under Choose name and type:

    • Enter an Authentication Server Name.

    • Select the Authorization Type of Local.

    The form expands to show additional local authentication settings:

    FIGURE 439 Adding local users to a new authentication method

  5. Enter the following settings:

    • Enter User Name, Full Name, and Email for the user.

    • Enter Password and Confirm Password for the user.

    • (Optional) Select the Temporary Password check box if you want the user to change their password when they first log in.

    • Click Add To Users List.

    The user is added to the list of users.

  6. Repeat the previous step for each required user.

  7. Click Add Admin Authentication.

    The new local user authentication method is added to the list of methods and the process is complete.

  8. (Optional) To edit a listed authentication method, select its check box and click Edit. Make any required updates and confirm.

  9. (Optional) To delete one (or more) unused authentication methods, select the check box for each, and click Delete. You must confirm the deletion.

After you have created your local authentication method, create or update your authentication policy with the new authentication method. In most cases, you need a minimum of one policy:

  • admin sign-in

Note

nSA allows for the definition of custom policies to facilitate separate authentication endpoints for specific groups of users. To learn more, see Viewing Admin Authentication Policies.

Repeat the following steps for each policy, starting with enrollment:

  1. From the nSA menu, click the Administration icon, then select Admin Management > Admin Policies.

    The Admin Policies page appears. This page lists all existing user authentication policies.

    FIGURE 440 Admin Authentication Policies

    To learn more about the policies on this page, see Viewing Admin Authentication Policies.

    From this page, either create a new custom policy or edit an existing policy.

  2. To add a new custom policy, click Add.

    The Add Authentication Policy form appears.

    FIGURE 441 Add Admin Authentication

    Note

    At any point during this process, you can reset the form data by clicking Reset. You can also view existing authentication policies in a pop-up dialog by clicking View Auth Policies.

  3. Enter a Policy Name.

  4. Enter a Login URL using the format */login/<path>/.

    The URL must start with “*/login/” and cannot contain any special characters. <path> should be set to a unique value reflecting the endpoint URL you want to define for this authentication policy (with a trailing slash appended):

    • In the case of admin sign-in policies, this is the URL endpoint (appended to the tenant FQDN) to which new users are invited to connect to enroll or sign in a device with the nSA. Example value: “*/login/admin/”.

  5. (Optional) Enter a description for the authentication policy.

  6. Select a User Type based on the intended authentication activity for this policy. Choose from:

    • Administrators: Select this option to define the authentication endpoint for administrator-level sign-in. This endpoint is used for administrator login to the nSA only.

  7. Under Policy Server Details, click Primary Auth Server, and select the required authentication method for the policy from the drop-down list:

    FIGURE 442 Selecting an authentication method for this policy

    Alternatively, select Add New Server and create a new authentication method as per the steps described earlier in this section.

  8. Click Add Policy to create the new policy.

    The new policy is added to the list of authentication policies.

If you instead elect to update an existing custom or built-in policy:

  1. Select the checkbox adjacent to the relevant policy and click Edit.

    The Edit authentication policy form appears.

    Note

    For built-in authentication policies, all properties except Primary Auth Server are read-only.

  2. Set the Primary Auth Server to be the new local user authentication method (indicated):

    FIGURE 443 Editing the primary auth server

  3. Click Update Policy.

    The list of authentication policies updates.

  4. Repeat until all required authentication policies are updated.

To ensure that your admin can access the authentication mechanism defined in the policies you configure through this process, make sure your Secure Access Policies are configured with an Admin Group in which these authentication policies are defined.

Workflow: Creating a SAML Authentication Policy With Azure AD and SAML (Custom)

Note

You can use the same workflow for creating SAML (Custom) as well.

nSA supports the use of a cloud-based Active Directory (AD) SAML service to provide authentication for your users.

If you choose to use AD as a SAML Identity Provider (IdP), you do not create any users locally on the nSA. All users will already be present in your remote SAML service.

Configuring nSA to use SAML authentication requires you to create separate SAML apps on the Azure AD platform for the following primary activities:

  • Admin sign-in

The nSA includes built-in default authentication policies for each of these purposes, and also includes the ability to create your own custom policies for separate authentication of specific admin groups. You create an authentication method referencing one of the Azure AD SAML apps described above and then assign the method to an authentication policy of the same type (either the built-in policy, or one you create). Begin with enrollment, and then repeat the process for user sign-in.

  1. Log into the nSA as a Tenant Admin.

  2. From the nSA menu, click the Administration icon, then select Admin Management > Admin Authentication.

    The Admin Authentication page appears. This page lists all existing user authentication methods:

    FIGURE 444 Admin Authentication Methods

  3. Click Add.

    A form appears that enables you to define the authentication method:

    FIGURE 445 Adding an admin authentication method

    Note

    At any point during this process, you can reset the form data by clicking Reset. You can also view existing authentication methods in a pop-up dialog by clicking View Auth Methods.

  4. Under Choose name and type:

    • Enter an Authentication Server Name. For example: Enrollment or SignIn.

    • Select the Authorization Type of SAML (Azure AD).

    The form expands to show additional settings:

    FIGURE 446 Configuring SAML (Azure AD) authentication settings

  5. (Optional) Enter a Single Logout URL. For more information.

  6. To provide your SAML IdP settings, select one of the following:

    • Select Upload to upload a digitally-signed (or unsigned) federation metadata XML definition file downloaded for this SAML activity from Azure AD. That is, for either user enrollment or user sign-in.

      Note

      By default, the ICS expects a signed metadata definition file. To allow an unsigned metadata file, select Allow Unsigned Metadata.

      Then, upload your metadata file by clicking Upload a file here.

    • Select Enter Manually to manually enter the required IdP SAML settings. Use this option in scenarios where a SAML federation metadata file is not available or incomplete.

      Then, enter the following details:

      FIGURE 447 Configuring SAML (Azure AD) IdP settings manually

      The following minimum settings are required for your SAML authentication service to function correctly. Each setting relates to a value configured in the SAML application on your IdP. Contact your IdP administrator to obtain the relevant details:

      • IDP Entity ID: Enter the entity ID of the IdP. This value is sent as the Issuer value in the SAML assertions generated by the IdP.

      • IDP SSO URL: A URL provisioned by the SAML IdP to support service-provider-initiated Single Sign-On. Use the format https://<FQDN>.

      • IDP Slo Service: (Optional) A URL to specify the Single Log-Out/sign out endpoint if you want to force re-authentication for increased security. Use the format https://<FQDN>. For more information.

      • User Name Template: Specify how the system is to derive the username from the SAML assertion. The default value can be used, or replaced with an alternative specifier. For example: <assertionNameDN.uid>, the NameID value where ICS is the IdP, the UID from X509SubjectName, <userAttr.attr>, attr from AttributeStatement attributes.

      • IDP Signing Certificate: The signing certificate to be used with the SAML app on the IdP. Type or paste in the contents of your Base-64 encoded public key.

    Note

    If, at a later date, you need to modify the metadata definition file, edit the authentication method through the Admin Authentication page and repeat this step. However, note that federation metadata files from Azure AD are digitally-signed and so cannot be manually edited prior to upload back into nSA. This process supports replacing a definition file only with another digitally-signed and validated definition file.

  7. Confirm that your settings are correct, then select Add Admin Authentication to create the authentication method.

    The new SAML user authentication method is added to the list of methods displayed in the Admin Authentication page, and the process completes.
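As an added example, not nSA or Ivanti code, the following Python reads a constructed Azure AD-style IdP federation metadata file and maps it onto the manual-entry fields listed above (IDP Entity ID, IDP SSO URL, IDP Slo Service, IDP Signing Certificate), then reports what would have to be corrected before entry, including whether the file is unsigned. Host names, the tenant id and the certificate body are placeholders; the preference for the HTTP-Redirect binding is an assumption, and the code only detects the presence of an XML signature, it does not verify one.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder "certificate": Base-64 text, not a real X.509 key.
PLACEHOLDER_CERT = base64.b64encode(b"placeholder, not a real certificate").decode()

# Constructed IdP metadata shaped like an Azure AD export. Tenant id and host
# names are placeholders, and there is no ds:Signature, so it is unsigned.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.example.invalid/TENANT-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>%s</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.invalid/TENANT-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.invalid/TENANT-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.invalid/TENANT-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""" % PLACEHOLDER_CERT

def _location(idp, tag):
    # Assumed preference: the HTTP-Redirect endpoint, else the first one listed.
    services = idp.findall("md:" + tag, NS)
    for svc in services:
        if svc.get("Binding") == REDIRECT:
            return svc.get("Location")
    return services[0].get("Location") if services else None

def metadata_to_manual_settings(xml_text):
    """Map IdP metadata onto the 'Enter Manually' fields described on this page."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data"
                    "/ds:X509Certificate", NS)
    return {
        "idp_entity_id": root.get("entityID"),
        "idp_sso_url": _location(idp, "SingleSignOnService"),
        "idp_slo_service": _location(idp, "SingleLogoutService"),
        "idp_signing_certificate": ("".join(cert.text.split())
                                    if cert is not None and cert.text else None),
        # Presence of an enveloped signature only; verifying it needs an XML-DSig library.
        "signed": root.find(".//ds:Signature", NS) is not None,
    }

def check_settings(settings, allow_unsigned_metadata=False):
    """Return the problems to fix before the settings are entered into nSA."""
    problems = []
    if not settings["signed"] and not allow_unsigned_metadata:
        problems.append("metadata is unsigned and Allow Unsigned Metadata is not set")
    if not settings["idp_entity_id"]:
        problems.append("IDP Entity ID (the assertion Issuer value) is missing")
    if not settings["idp_sso_url"]:
        problems.append("IDP SSO URL is missing")
    for key in ("idp_sso_url", "idp_slo_service"):
        url = settings[key]
        if url and not url.startswith("https://"):
            problems.append("%s must use the https://<FQDN> format" % key)
    try:
        # None or non-Base-64 text both raise here.
        base64.b64decode(settings["idp_signing_certificate"], validate=True)
    except (TypeError, ValueError):
        problems.append("IDP Signing Certificate is not valid Base-64 text")
    return problems
```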

After you have created your SAML authentication method, create or update your authentication policies with the new authentication method:

  1. From the nSA menu, click the Administration icon, then select Admin Management > Admin Policies.

    The Admin Policies page appears. This page lists all existing user authentication policies.

    FIGURE 448 Admin Authentication Policies

    To learn more about the policies on this page, see Viewing Admin Authentication Policies.

    From this page, either create a new custom policy or edit an existing policy.

  2. To add a new custom policy, click Add.

    The Add Authentication Policy form appears.

    FIGURE 449 Add Admin Authentication

    Note

    At any point during this process, you can reset the form data by clicking Reset. You can also view existing authentication policies in a pop-up dialog by clicking View Auth Policies.

  3. Enter a Policy Name.

  4. Enter a Login URL using the format */login/<path>/.

    The URL must start with “*/login/” and cannot contain any special characters. <path> should be set to a unique value reflecting the endpoint URL you want to define for this authentication policy (with a trailing slash appended):

    • In the case of admin sign-in policies, this is the URL endpoint (appended to the tenant FQDN) to which new users are invited to connect to enroll or sign in a device with the nSA. Example value: “*/login/adminlogin/”.

    Note

    In some enrollment circumstances, such as when using a device pre-installed with an older version of Ivanti Secure Access Client, you connect directly to the enrollment policy endpoint to enroll the device. For more details, see Viewing Admin Authentication Policies.

  5. (Optional) Enter a description for the authentication policy.

  6. Select a User Type based on the intended authentication activity for this policy. Choose from:

    • Administrators: Select this option to define the authentication endpoint for administrator-level sign-in. This endpoint is used for administrator login to the nSA only.

  7. Under Policy Server Details, click Primary Auth Server, and select the required authentication method for the policy from the drop-down list:

    FIGURE 450 Selecting an authentication method for this policy

    Alternatively, select Add New Server and create a new authentication method as per the steps described earlier in this section.

  8. Click Add Policy to create the new policy.

    The new policy is added to the list of authentication policies.

If you instead elect to update an existing custom or built-in policy:

  1. Select the checkbox adjacent to the relevant policy and click Edit.

    The Edit authentication policy form appears.

    Note

    For built-in authentication policies, all properties except Primary Auth Server are read-only.

  2. Set the Primary Auth Server to be the new SAML user authentication method (indicated):

    FIGURE 451 Editing the Primary Authentication Server

  3. Click Update Policy.

    The list of authentication policies updates.

  4. Repeat until all required authentication policies are updated.

At this point, the nSA uses the uploaded Federation Metadata to contact the SAML service. After this process completes, a Download function becomes available for each relevant policy. This metadata file is required to configure trusted communication with the remote SAML service.

  1. Refresh your browser until the Download action is visible for the relevant policies.

  2. Select the check box for the policy metadata you want to download and clear all other check boxes.

  3. Click Download and save the metadata file.

    Note

    As mentioned previously, make sure you repeat this procedure for each required SAML app on your Azure AD platform. That is, you require separate XML metadata files for the enrollment authentication policy and the login authentication policy.

After the Admin Authentication workflow is complete, you can configure the Azure AD platform with the XML configuration of the nSA.

Finally, to ensure that your users can access the authentication mechanism defined in the policies you configure through this process, make sure your Secure Access Policies are configured with an Admin Group in which these authentication policies are defined. To learn more.