Ivanti Connect Secure SAML2 Integration

This document explains how to integrate Monosign with Ivanti Connect Secure for Single Sign-On. Before you continue, it is best to start with the Ivanti Connect Secure (formerly Pulse Secure) Single Sign-On implementation page.

📑 Instructions

This documentation covers the following main steps for the integration.

  1. Creating an Application on Monosign

  2. Configuring Single Sign-On for Ivanti Connect Secure

  3. Assign a user to the Ivanti Connect Secure app

  4. Sign In Test

  5. Role Mapping

This method can be used for SSL VPN connections and for admin authentication.

1- Creating an Application on Monosign

Create your application on Monosign and configure your access policy. Once it is created, click “Keys” and add a new Access Key of type SAML 2.0.

We will need this information while we configure the Ivanti Connect Secure app.

Key Type
  Value: SAML
  Options: Rest API, OAuth 2.0, JWT, OIDC/OpenID, SAML, RADIUS, Access Gateway, LDAP, AuthN/Z Server

Expiration
  Value: Lifetime
  Options: Lifetime or Specific Date/Time. Lifetime is enabled by default.

You will see the configuration for your Ivanti Connect Secure app as follows:

image-20240221-201557.png
image-20240221-200936.png

Change the ACS (Assertion Consumer Url), Audience, Entity Id, Name Id, Relay State, Exclude NotBefore and Group Mapping settings as follows.

Assertion Consumer Url: https://<FQDN-SAML-SP>/dana-na/auth/saml-consumer.cgi

Audience: https://<FQDN-SAML-SP>/dana-na/auth/saml-consumer.cgi

Entity Id: https://<FQDN-SAML-SP>/dana-na/auth/saml-endpoint.cgi?p=sp5

Name Id: UserName

Relay State: https://<FQDN-Ivanti-Sign-In-URL>

Exclude NotBefore: Enable From Subject

Group Mapping: Enable

To ensure that the application has access to user groups, follow these steps:

  1. If the application hasn't been configured yet, click the “Edit” option for the application.

  2. In the application settings, navigate to the “Source, Provider, and Profile” tab.

  3. Configure the “User Access Type” and “User Group Access Type” as “Only Assigned Users.”

With this setting, the application receives the user's groups when users sign in.

User Access Type
  Description: Defines which users can access this application.
  Options: Only Assigned Users; All Users

User Group Access Type
  Description: Defines which user groups the application can access.
  Options: Only Assigned Users; Assigned Users and Defined Sources; All Users

Profile Access Type
  Description: Defines which user profile attributes the application can access.
  Options: Restricted (only restricted user profile attributes); All (all user profile attributes)

2- Configuring Single Sign-On for Ivanti Connect Secure

As mentioned at the start, please check out the Ivanti Connect Secure SSO configuration page first.

This section describes tasks to configure Ivanti Connect Secure SAML settings.

  • Configuring Global SAML Settings

  • Managing SAML Metadata Files

  • Configuring Ivanti Connect Secure as a SAML 2.0 Service Provider

Configuring Global SAML Settings

  1. Select System > Configuration > SAML.

  2. Click the Settings button to display the configuration page.

  3. Complete the settings described in the following image.

  4. Click Save Changes.

  5. Click Update Entity Ids.

image-20240221-202455.png

Managing SAML Metadata Files

  1. Select System > Configuration > SAML.

  2. Click New Metadata Provider to display the configuration page.

  3. Complete the settings described in the following image.

  4. Save the configuration.

image-20240221-202818.png
image-20240221-203054.png

Configuration detail

Name: The IdP name. Example: Monosign

Location:
  Local: an IdP metadata file is required. It can be downloaded from the Monosign application key detail page.
  Remote: Ivanti Connect Secure downloads the IdP metadata file from Monosign itself.

Accept Untrusted Server Certificate: Click to enable (applies when Ivanti Connect Secure fetches remote metadata over HTTPS).

Accept Unsigned Metadata: Click to enable (only needed if the metadata you import is not signed).

Signing Certificate: Download it from the Monosign application key detail page and upload it here.

Roles: Identity Provider

To refresh a metadata file:

  1. Select System > Configuration > SAML.

  2. Select the metadata file to refresh and click Refresh.

image-20240221-203816.png

Configuring Ivanti Connect Secure as a SAML 2.0 Service Provider

To configure the system as a SAML service provider:

  1. Select Authentication > Auth. Servers.

  2. Select SAML Server from the New list and then click New Server to display the configuration page.

  3. Complete the settings as described in the following image.

  4. Save the configuration.

image-20240221-204611.png

This Authentication Server can now be used in User Realms and Sign-In URLs in Ivanti Connect Secure.

Now go back to Monosign, give access to your users and try to log in.

3- Assign a user to the Ivanti Connect Secure app

I will give permission to “john.smith”, who is my user on Monosign.

You can find the details of how to assign a user to the application here.

4- Sign In Test

If everything is well configured, you will be redirected to Monosign’s login page. You can log in passwordless with your QR code or you can type your user name and password.

image-20240221-204833.png

Once logged in, you will be redirected to the Ivanti Connect Secure SSL VPN portal with the role assigned in the user realm.

5- Role Mapping

Ivanti Connect Secure supports role mapping based on specific SAML attributes. Three attribute types are supported:

  • Username

  • Certificate

  • Custom Expressions

Username Mapping

  1. Select Users > User Realms and choose the realm you want to configure.

  2. Go to Role Mapping, then click New Rule.

image-20240223-063304.png

Rule Based on: Username

Name: Type any name here. Example: Users

Rule: if username
  Operator: is
  Value: Type the username. Example: john.smith. A wildcard can also be used here: type *

then assign these roles: Choose the correct role for the particular users.

image-20240223-063944.png
  3. Then configure the settings and click Save.

Now try to log in to Ivanti Connect Secure and verify that the correct role is mapped to the user(s).

Example user: john.smith

image-20240223-070126.png

It can also be verified in the Ivanti Connect Secure User Access logs:

  1. Select System > Log/Monitoring > User Access.

  2. Type the username in Edit Query and click Update. Query example: user="john.smith"

As shown in the logs, the first login attempt does not continue because the user has no role. The second attempt logs in successfully and the correct role is assigned to the user.

image-20240223-070611.png
Group Mapping

  1. Select Users > User Realms and choose the realm you want to configure.

  2. Go to Role Mapping, then click New Rule.

image-20240223-063304.png

  3. Choose Custom Expressions under Rule based on and click Update.

  4. Open the Expressions … settings.

image-20240223-071717.png
image-20240223-072304.png

View: New

Name: Type any name here. The group name is suggested. Example: Monosign VPN Users

Expression: samlMultiValAttr.Groups = "<GROUP Name Here>"
  Example: samlMultiValAttr.Groups = "Monosign VPN Users"

Click Add Expression; the configuration is saved. Then click Close.

Now check the role assignment configuration page; it should look like the image below.

image-20240223-073114.png
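To make the two rule types concrete, here is an added Python illustration (not Monosign's or Ivanti's code) that parses a constructed sample assertion, checks its Audience against the configured ACS URL, reads the Name Id and the multi-valued Groups attribute, and applies a username rule and a samlMultiValAttr.Groups expression the way the realm rules above describe. The host vpn.example.com stands in for <FQDN-SAML-SP>, and the role names are assumed.

```python
# Added illustration, not Ivanti Connect Secure's or Monosign's own code:
# simulates SP-side assertion checks and the role-mapping rules on this page.
import fnmatch
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder host for <FQDN-SAML-SP>; same value is used for Audience and ACS.
ACS_URL = "https://vpn.example.com/dana-na/auth/saml-consumer.cgi"

# Constructed sample assertion (unsigned, minimal) as Monosign would issue it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>john.smith</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{ACS_URL}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Monosign VPN Users</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text, expected_audience=ACS_URL):
    """Return (username, groups); raise if the Audience is not ours."""
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    username = root.find(".//saml:Subject/saml:NameID", NS).text  # Name Id = UserName
    groups = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='Groups']/saml:AttributeValue", NS)]
    return username, groups

# Assumed rules, as they would be entered under Users > User Realms > Role Mapping:
# ("username", pattern, roles)   -> "Rule based on: Username", "*" wildcard allowed
# ("expression", group, roles)   -> samlMultiValAttr.Groups = "<group>"
RULES = [
    ("username", "john.smith", ["Users"]),
    ("expression", "Monosign VPN Users", ["VPN Users"]),
]

def map_roles(username, groups, rules=RULES):
    """Collect the roles of every rule that matches; no match means no role."""
    roles = []
    for kind, pattern, assigned in rules:
        if kind == "username" and fnmatch.fnmatchcase(username, pattern):
            roles.extend(assigned)
        elif kind == "expression" and pattern in groups:
            roles.extend(assigned)
    return sorted(set(roles))
```

A user for whom map_roles returns an empty list corresponds to the first, refused login attempt seen in the User Access logs.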

Now try to log in to Ivanti Connect Secure and verify that the correct role is mapped to the user(s).

image-20240223-070126.png

It can also be verified in the Ivanti Connect Secure User Access logs:

  1. Select System > Log/Monitoring > User Access.

  2. Type the username in Edit Query and click Update. Query example: user="john.smith"

As shown in the logs, the first login attempt does not continue because the user has no role. The second attempt logs in successfully and the correct role is assigned to the user.

image-20240223-080134.png
