IGEL Contextual Access (ICA) extends the IGEL Adaptive Secure Desktop by using contextual signals to determine what a user should receive when they connect to an IGEL OS device. Instead of treating every device the same way, ICA enables IT to deliver workspace controls and resources based on the user’s context. Persona Profiles enables the persona-based layer of ICA through the IGEL Universal Management Suite (UMS).
With Persona Profiles, configurations and applications are assigned to user personas rather than individual devices. When a user signs in to an IGEL OS 12 device through Single Sign-On (SSO), the IGEL UMS uses role information from the Identity Provider (IdP) to activate the appropriate persona profile. This allows different user types to receive a personalized, role-specific desktop with the applications and settings they need. Through Persona Profiles, IT can manage access at the persona level instead of device by device.
Some system settings cannot be used in a persona profile, as they cause undefined behavior or they do not trigger the reconfiguration.
The parameters which cannot be configured effectively with persona profiles are listed below.
How Persona Profiles Work
- The administrator configures persona profiles in the UMS. See the How to Configure Persona Profiles section below.
- The user logs in to an IGEL OS 12 device via SSO.
- The Identity Provider authenticates the user and provides role information to the UMS.
- The IGEL UMS evaluates the user’s role and applies the persona profile based on the role and the device.
- Assigned configurations and applications are dynamically applied based on the persona profile.
  When multiple persona profiles are assigned to a device, the applications from all assigned profiles are downloaded to the device. At login, only the applications associated with the user's matching persona profile are activated.
- On logout, the session is cleared and settings are removed.
Configuring Fallback Login Option
A persistent connection to the IGEL UMS is required for Persona Profiles to function correctly. During a UMS update, the UMS is temporarily unavailable and cannot deliver configurations to devices.
It is recommended to configure a fallback user at the device level to ensure continued access when the UMS is temporarily unreachable.
- You can configure a fallback using SSO. For details, see How to Configure Single Sign-On (SSO) on IGEL OS 12.
- You can also enable local login as a fallback. For details, see Enabling Local Login (Optional).
Unsupported Apps with Persona Profiles
Some of the apps created by IGEL and offered in the IGEL App Portal are not yet supported in combination with Persona Profiles.
Apps not yet supported with Persona Profiles are listed below. Support for these apps is planned to be covered with future releases. The list will be updated accordingly.
Support for Persona Profiles in applications developed by IGEL Ready Partners is optional and depends on implementation by the respective partner.
Prerequisites
External IdP Configuration
- Supported cloud IdP providers with Persona Profiles:
  - Okta
  - Ping
  - Microsoft Entra ID
Feature Enablement
- The Persona Profiles feature is enabled in the UMS under System > Settings > UMS Features. See System Settings in the IGEL UMS Web App.
- User has access to the Persona Profiles tab. See How to Manage Object Permissions in the IGEL UMS Web App.
- Licenses: IGEL Contextual Access Add-On License
Version Requirements
- IGEL UMS 12.12.100 or higher
- IGEL OS 12.9.0 or higher
How to Configure Persona Profiles
The following steps provide an overview of how the persona profile is configured:
Step 1: Configure Cloud IdP in the UMS
→ Configure the cloud IdP the same way as for the UMS Login with SSO. For details, see How to Set Up UMS Login with SSO.
The section “Configuring Your Connection to Microsoft Entra ID in the UMS Web App” is not required for Persona Profiles.
Step 2: Configure SSO Login on IGEL OS
→ Use the configured IdP to enable SSO Login on the device. For details, see How to Configure Single Sign-On (SSO) on IGEL OS 12.
Step 3: Configure Token Trust in UMS
To ensure that UMS trusts the authentication tokens issued by the IdP for the persona profile login:
- In the UMS Web App, go to System > Settings > Network.
- Define the claim that contains the roles of the users. (Default if left empty: roles)
  The UMS will read the role of the user from this claim when the user logs in.
- Click Manage under Allowed Issuer for Persona Desktop login.
- Add the issuer URI of the IdP configured for SSO Login on IGEL OS.
Step 4: Create Persona Profiles for IdP Roles
- In the UMS Web App, go to Configuration Objects > Persona Profiles.
- Create a new persona profile.
- Enter Name and Description for easy profile management.
- List the IdP role names separated by commas under IDP Role to connect the persona profile to these IdP roles.
- Click Next.
Step 5: Assign Configuration Objects to Persona Profiles
→ Assign configuration objects to the persona profile, like profiles, apps, etc. For more information on configuration objects, see Configuration - Centralized Management of Device Settings in the IGEL UMS Web App.
These configurations will be applied to all users mapped to the corresponding IdP roles.
Once the persona profile is saved, you can assign/remove objects through the Assign Object action.
You can see assigned objects in the Assigned Objects tab.
Step 6: Assign Persona Profiles to Devices
→ Select the devices or device directories for which this persona profile should be active.
This way, the persona profile controls which users can access specific devices.
Example:
- A persona profile linked to a specific IdP role is only active on the assigned devices.
- Users without a matching persona profile cannot log in to the device.
Once the persona profile is saved, you can assign/remove devices through the Assign Device action button.
You can check on the assigned devices in the Assigned Devices tab.
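To check a planned configuration before rollout, the evaluation described in Steps 3 to 6 can be modelled offline. The following is an added example, not IGEL code and not the UMS implementation: it decodes a token payload for inspection and applies the documented rules (allowed issuer, roles claim with default roles, comma-separated IDP Role list, device assignment). The issuer URI, role names, profile names and device names are constructed, and exact case-sensitive role matching, a string-or-list roles claim, and direct device assignment (no device directories) are assumptions.

```python
import base64
import json

def decode_claims(token):
    """Return the JWT payload as a dict. Inspection only: no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def parse_idp_roles(field):
    """Split the comma-separated 'IDP Role' field of a persona profile."""
    return {r.strip() for r in field.split(",") if r.strip()}

def evaluate_login(claims, device, profiles, allowed_issuers, role_claim=""):
    """Model of the documented flow: trusted issuer -> roles claim -> profile match."""
    if claims.get("iss") not in allowed_issuers:
        return {"login": False, "reason": "issuer not allowed", "profiles": []}
    roles = claims.get(role_claim or "roles", [])  # default claim name: roles
    if isinstance(roles, str):  # assumption: a single role may arrive as a string
        roles = [roles]
    active = [p["name"] for p in profiles
              if device in p["devices"] and parse_idp_roles(p["idp_roles"]) & set(roles)]
    if not active:
        return {"login": False, "reason": "no matching persona profile", "profiles": []}
    return {"login": True, "reason": "ok", "profiles": active}

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample data (hypothetical issuer URI, roles, profiles and devices)
ALLOWED_ISSUERS = {"https://idp.example.com/oauth2/default"}
PROFILES = [
    {"name": "Clinician", "idp_roles": "nurse, physician", "devices": {"ward-01", "ward-02"}},
    {"name": "Front Desk", "idp_roles": "reception", "devices": {"lobby-01"}},
]
SAMPLE_TOKEN = make_sample_token(
    {"iss": "https://idp.example.com/oauth2/default", "sub": "jdoe", "roles": ["nurse"]})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    for dev in ("ward-01", "lobby-01"):
        print(dev, evaluate_login(claims, dev, PROFILES, ALLOWED_ISSUERS))
```

Running the same check against a real token from the IdP shows whether the configured claim name and issuer URI actually match what the IdP emits, which are the two usual causes of a user being denied at login.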