1Kosmos integrates with Pulse Secure (now Ivanti Connect Secure) as a SAML 2.0 identity provider, replacing password-based VPN login with biometric authentication.
Integration type
Auth/IDP
Overview
Ivanti Connect Secure (formerly Pulse Connect Secure) is an SSL VPN gateway for enterprise remote access. 1Kosmos integrates as a SAML 2.0 identity provider, replacing password-based VPN authentication with biometric verification via the 1Kosmos mobile app. Users are redirected to 1Kosmos, authenticate biometrically, and return with a valid SAML assertion.
What we solve
Enterprises using Pulse Secure/Ivanti Connect Secure for SSL VPN need phishing-resistant authentication for remote access so VPN credentials can’t be easily stolen or reused. This integration enables SAML 2.0 SSO from the VPN gateway to 1Kosmos so users authenticate biometrically before gaining VPN access.
The SAML configuration on Ivanti Connect Secure is performed through the admin portal under System → Configuration → SAML, followed by Authentication → Auth Servers → New SAML Server. The gateway's FQDN is set as the Host FQDN for SAML and is used to generate the SP Entity ID and ACS URL. The ACS URL follows the pattern https://[FQDN]/dana-na/auth/saml-consumer.cgi and the Entity ID pattern is https://[FQDN]/dana-na/auth/saml-endpoint.cgi?p=sp1.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Ivanti Connect Secure administrator access: Admin access to the Connect Secure admin portal. SAML SP configuration requires admin rights to Authentication and System → Configuration settings.
Valid SSL certificate on the Connect Secure gateway: The FQDN used for SAML must match the SSL certificate on the gateway's external interface.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Pulse Secure / Ivanti Connect Secure:
| Field | Where to find it |
|---|---|
| SAML Metadata URL or XML | AdminX → Settings → IdP Configuration → Metadata URL |
| SSO URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Ivanti Connect Secure SP values (calculated from gateway FQDN):
| Field | Pattern |
|---|---|
| SP Entity ID | https://[FQDN]/dana-na/auth/saml-endpoint.cgi?p=sp1 |
| ACS URL | https://[FQDN]/dana-na/auth/saml-consumer.cgi |
Integration steps
Step 1: Configure system-wide SAML settings on Ivanti Connect Secure
Log in to the Ivanti Connect Secure admin portal and navigate to System → Configuration → SAML → Settings.
Set the Timeout value to 300 and enter your gateway's Fully Qualified Domain Name in the Host FQDN for SAML field. This FQDN determines the SP Entity ID and ACS URL used for the SAML service provider configuration.
Click Save Changes.
Step 2: Add a metadata provider for 1Kosmos
Navigate to System → Configuration → SAML and click New Metadata Provider.
Enter the 1Kosmos metadata URL and set the role to Identity Provider. Click Save Changes. The system fetches and stores the 1Kosmos metadata.
Step 3: Create a SAML Authentication Server
Navigate to Authentication → Auth Servers and select SAML Server from the New Server dropdown. Click New Server.
On the New SAML Server page, select the 1Kosmos metadata provider from the Identity Provider drop-down. Review the auto-populated fields and click Save Changes.
Click Download Metadata to export the Ivanti Connect Secure SP metadata for use in AdminX.
Step 4: Add Ivanti Connect Secure as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Select SAML 2.0 Generic and click Add integration. Enter "Ivanti Connect Secure" as the Application Name and your VPN portal URL as the Application Access URL.
Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Enable Assertion signing. Enter the SP Entity ID and ACS URL calculated from your gateway FQDN. Click Save.
Step 5: Configure the authentication realm
In the Ivanti Connect Secure admin portal, navigate to Users → User Realms. Edit or create the realm used for VPN access.
Under Authentication, select the SAML Server created in Step 3 as the authentication server.
Configure the realm's sign-in URL and role mapping rules as needed.
Step 6: Test the integration
Navigate to the Ivanti Connect Secure VPN portal URL in a browser. Select the SAML-configured realm. You are redirected to 1Kosmos for biometric authentication.
Authenticate biometrically and confirm you are returned to the VPN portal with access to the configured resources.
Attribute mappings
| Source (1Kosmos) | Target (Ivanti Connect Secure) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary identifier for VPN user account lookup |
Integration notes
Pulse Connect Secure was rebranded as Ivanti Connect Secure in 2022 following Ivanti's acquisition of Pulse Secure.
If your gateway still shows Pulse Secure branding, the configuration path and SP value patterns described here remain accurate. The sp1 suffix in the Entity ID pattern indicates the first SAML service provider configured on the gateway.
If additional SAML SP entries already exist on the gateway, the number increments (sp2, sp3, etc.). Check the existing configuration to confirm the correct SP number for your environment.
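One way to confirm the SP number before saving the application in AdminX is to compare the values derived from the gateway FQDN with the SP metadata downloaded in Step 3. The script below is an added example, not 1Kosmos or Ivanti code; the host vpn.example.com, the sample metadata and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of the SP metadata downloaded in Step 3 (not real gateway output).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/dana-na/auth/saml-endpoint.cgi?p=sp2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com/dana-na/auth/saml-consumer.cgi"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def expected_sp_values(fqdn, sp_number=1):
    """Derive the SP Entity ID and ACS URL from the Host FQDN for SAML."""
    base = f"https://{fqdn}/dana-na/auth"
    return {"entity_id": f"{base}/saml-endpoint.cgi?p=sp{sp_number}",
            "acs_url": f"{base}/saml-consumer.cgi"}


def read_sp_metadata(xml_text):
    """Extract entityID and ACS locations from SP metadata you exported yourself."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs = [e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")]
    return {"entity_id": root.get("entityID"), "acs_urls": acs}


def check_adminx_values(fqdn, sp_number, xml_text):
    """Return mismatches between the values entered in AdminX and the metadata."""
    want, got = expected_sp_values(fqdn, sp_number), read_sp_metadata(xml_text)
    problems = []
    if got["entity_id"] != want["entity_id"]:
        m = re.search(r"[?&]p=sp(\d+)$", got["entity_id"] or "")
        hint = f" (gateway uses sp{m.group(1)})" if m else ""
        problems.append(f"Entity ID mismatch: metadata has {got['entity_id']}{hint}")
    if want["acs_url"] not in got["acs_urls"]:
        problems.append(f"ACS URL {want['acs_url']} missing from metadata")
    return problems


if __name__ == "__main__":
    for issue in check_adminx_values("vpn.example.com", 1, SAMPLE_METADATA) or ["OK"]:
        print(issue)
```

With the constructed sample, assuming sp1 reports an Entity ID mismatch and shows that the gateway metadata uses sp2.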

