Ivanti Connect Secure SAML Single Sign-On (SSO)

Ivanti Connect Secure offers SP-initiated SAML SSO (for SSO access directly through the Ivanti Connect Secure web application). The following is an overview of the steps required to configure the Ivanti Connect Secure web application for single sign-on (SSO) via SAML.

  1. Prepare Ivanti Connect Secure for single sign-on (see Ivanti Connect Secure requirements for SSO).

  2. In the Identity Administration portal, add the application and configure application settings.

    Once the application settings are configured, complete the user account mapping and assign the application to one or more roles.

  3. Configure the Ivanti Connect Secure application for single sign-on.

    To configure Ivanti Connect Secure for SSO, copy settings from the Application Settings page in the Identity Administration portal and paste them into the Ivanti Connect Secure website. For more information, see Configure Ivanti Connect Secure on its website.

After you are done configuring the application settings in the Identity Administration portal and the Ivanti Connect Secure application, users are ready to authenticate using the CyberArk Cloud Directory.

Ivanti Connect Secure requirements for SSO

Before you configure the Ivanti Connect Secure web application for SSO, make sure you have a signed certificate. You can either download one from the Identity Administration portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Identity Administration portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Identity Administration portal. You also upload the public key certificate in a .cer or .pem file to the web application.
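
A pre-upload check for the requirement above, as an added example that is not part of the CyberArk or Ivanti documentation: it uses the OpenSSL command line to confirm that the .pfx/.p12 bundle and the .cer/.pem file carry the same certificate, and that the public file does not also contain a private key. The file names, the script name and the P12_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example: confirm both sides of the SAML trust hold the same signing cert.
# Assumptions: file names are yours; bundle password is read from $P12_PASS.

# SHA-256 fingerprint of the certificate inside a .pfx/.p12 bundle.
p12_fingerprint() {
    # -clcerts: leaf certificate only; -nokeys: the private key is never written out
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of a .cer/.pem certificate, PEM or DER encoded.
cert_fingerprint() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256
    else
        openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256
    fi 2>/dev/null | cut -d= -f2
}

# Returns 0 on match, 1 on mismatch, 2 if the public file leaks a private key,
# 3 if either file cannot be read as a certificate.
check_signing_cert() {
    bundle=$1
    public=$2
    if grep -q -- 'PRIVATE KEY-----' "$public"; then
        echo "FAIL: $public contains a private key; export the certificate only" >&2
        return 2
    fi
    fp_bundle=$(p12_fingerprint "$bundle")
    fp_public=$(cert_fingerprint "$public")
    if [ -z "$fp_bundle" ] || [ -z "$fp_public" ]; then
        echo "FAIL: could not read a certificate (wrong password or format?)" >&2
        return 3
    fi
    if [ "$fp_bundle" != "$fp_public" ]; then
        echo "FAIL: certificates differ ($fp_bundle vs $fp_public)" >&2
        return 1
    fi
    echo "OK: same signing certificate, SHA-256 $fp_bundle"
}

# Usage: P12_PASS=... sh check_cert.sh signing.p12 signing.cer
if [ "$#" -eq 2 ]; then
    check_signing_cert "$1" "$2"
fi
```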

What you need to know about Ivanti Connect Secure

Each SAML application is different. The following table lists features and functionality specific to Ivanti Connect Secure.

| Capability | Supported? | Support details |
|---|---|---|
| Web browser client | Yes | |
| Mobile client | No | |
| SAML 2.0 | Yes | |
| SP-initiated SSO | Yes | Users may go directly to a supplied Ivanti Connect Secure URL and then use CyberArk Identity SSO to authenticate. |
| IdP-initiated SSO | No | |
| Force user login via SSO only | No | Administrators and users can still log in with a user name and password after SSO is enabled. |
| Separate administrator login after SSO is enabled | No | |
| User or Administrator account lockout risk | No | User name and password login is always available. |
| Automatic user provisioning | No | |
| Self-service password | N/A | |
| Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Identity Administration portal Policy page to restrict access to the application. |

Configure Ivanti Connect Secure in the Identity Administration portal

It is helpful to open the web application and the Identity Administration portal simultaneously to copy and paste settings between the two browser windows. See Configure Ivanti Connect Secure on its website.

Configure Ivanti Connect Secure on its website

For more information about Ivanti Connect Secure

For more information about configuring Ivanti Connect Secure for SSO, contact Ivanti Connect Secure support.