Aruba Central 2.5.1 SAML SSO Solution User guide

Brand: Aruba

Model: Central 2.5.1 SAML SSO Solution

Type: User guide

This manual is also suitable for

Central

Aruba Central

SAML Configuration

Solution Guide

Revision 01 | July 2020 Aruba Central | Solution Guide

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public

License, and/or certain other open source licenses. A complete machine-readable copy of the source code

corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information

and shall expire three years following the date of the final distribution of this product version by Hewlett

Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US

$10.00 to:

Hewlett Packard Enterprise Company

6280 America Center Drive

San Jose, CA 95002

USA

Contents

Contents 3

About this Document 6

Intended Audience 6

Related Documents

For more information on Aruba Central, see Aruba Central Help Center —To access help center, click the help

icon in the Aruba Central UI.

Conventions

The following conventions are used throughout this guide to emphasize important concepts:

Type Style Description

Italics This style is used to emphasize important terms and to mark the titles of books.

System items This fixed-width font depicts the following:

nSample screen output

nSystem prompts

Bold nKeys that are pressed

nText typed into a GUI element

nGUI elements that are clicked or selected

Table 1: Typographical Conventions

The following informational icons are used throughout this guide:

Indicates helpful suggestions, pertinent information, and important things to remember.

Indicates a risk of damage to your hardware or loss of data.

Indicates a risk of personal injury or death.

Aruba Central | Solution Guide About this Document | 6

7| About this Document Aruba Central | Solution Guide

Contacting Support

Main Site arubanetworks.com

Support Site support.arubanetworks.com

Airheads Social Forums and Knowledge

Base

community.arubanetworks.com

North American Telephone 1-800-943-4526 (Toll Free)

1-408-754-1200

International Telephone arubanetworks.com/support-services/contact-support/

Software Licensing Site lms.arubanetworks.com

End-of-life Information arubanetworks.com/support-services/end-of-life/

Security Incident Response Team Site: arubanetworks.com/support-services/security-bulletins/

Email: aruba-sirt@hpe.com

Table 2: Contact Information

Chapter 2

Configuring SAML SSO for Aruba Central

The Single Sign On (SSO)solution simplifies user management by allowing users to access multiple applications

and services with a single set of login credentials. If the applications services are offered by different vendors,

IT administrators can use the SAMLauthentication and authorization framework to provide a seamless login

experience for their users.

To provide seamless login experience for users whose identity is managed by an external authentication

source, Aruba Central now offers a federated SSO solution based on the SAML 2.0 authentication and

authorization framework. SAML is an XML-based open standard for exchanging authentication and

authorization data between trusted partners; in particular, between an application service provider and

identity management system used by an enterprise. With Aruba Central's SAML SSOsolution, organizations

can manage user access using a single authentication and authorization source.

Solution Overview

The SAML SSO solution consists of the following key elements:

nService Provider (SP)—The provider of a business function or service; For example, Aruba Central. The

service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the

service provider allows a user to access the service.

nIdentity Provider (IdP)—The Identity Management system that maintains identity information of the user

and authenticates the user.

nSAML request—The authentication request that is generated when a user tries to access the Aruba Central

portal.

nSAML Assertion—The authentication and authorization information issued by the IdP to allow access to the

service offered by the service (Aruba Central portal).

nRelying Party—The business service that relies on SAML assertion for authenticating a user; For example,

Aruba Central.

nAsserting Party—The Identity management system or the IdP that creates SAML assertions for a service

provider.

nMetadata—Data in the XML format that is exchanged between the trusted partners (IdP and Aruba

Central)for establishing interoperability.

nSAML attributes—The attributes associated with the user; for example, username, customer ID, role, and

group in which the devices belonging to a user account are provisioned. The SAML attributes must be

configured on the IdP according to specifications associated with a user account in Aruba Central. These

attributes are included in the SAML assertion when Aruba Central sends a SAML request to the IdP.

nEntity ID—A unique string to identify the service provider that issues a SAML SSO request. According to the

SAML specification, the string should be a URL, although not required as a URLby all providers.

nAssertion Services Consumer URL—The URL that sends the SAML request and receives the SAML response

from the IdP.

nUser—User with SSO credentials.

Aruba Central SAML SSO solution supports only the HTTP Redirect POST method for sending and receiving SAML

requests and response.

Aruba Central | Solution Guide Configuring SAML SSO for Aruba Central | 8

9| Configuring SAML SSO for Aruba Central Aruba Central | Solution Guide

The SAML SSO integration allows federated users to access only the Central UI. The API Gateway access is restricted

to system users that are configured and managed from Aruba Central.

How It Works

Aruba Central supports the following types of SAML SSO workflows:

nSP-initiated SSO

nIdP-initiated SSO

SP-initiated SSO

In an SP Initiated SSO workflow, the SSO request originates from the service provider domain, that is, from

Aruba Central. When a user tries to access Aruba Central, a federation authentication request is created and

sent to the IdP server.

The following figure illustrates the standard SP-Initiated SAML SSO workflow:

Figure 1 SP-Initiated SSO

The SP-initiated SSO workflow with Aruba Central is supported only through the HTTP Redirect POST method.

In other words, Aruba Central sends an HTTP redirect message with an authentication request to the IdP

through the user's browser. The IdP sends a SAML response with an assertion to Aruba Central through HTTP

POST.

The SP-initiated SSO workflow with HTTP Redirect POST includes the following steps:

1. The user tries to access Aruba Central and the request is redirected to the IdP.

2. Aruba Central sends an HTTP redirect message with the SAML request to the IdP for authentication

through the user's browser.

3. The user logs in with the SSO credentials.

4. On successful authentication, the IdP sends a digitally signed HTML form with SAML assertion and

attributes to Aruba Central through the web browser.

5. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to

the user.

IdP-initiated SSO

In the IdP-Initiated workflow, the SSO request originates from the IdP domain. The IdP server creates a SAML

response and redirects the users to Aruba Central.

The Aruba Central SAML SSO deployments support the IdP-initiated SSO workflow through the HTTP POST

method. The IdP-initiated SSO workflow consists of the following steps:

1. The user is logged in to the IdP and tries to access Aruba Central.

2. The IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central through

the web browser.

3. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to

the user.

The following figure illustrates the standard IdP-Initiated SAML SSO workflow:

Figure 2 IdP-Initiated SSO

SAML Single Logout

Aruba Central supports Single Logout (SLO)of SAML SSO users. SLO allows users to terminate server sessions

established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either from the

Service Provider or the IdP. However, Aruba Central supports only the IdP-initiated SLO.

IdP-initiated SAML SLO

The IdP-initiated logout workflow includes the following steps:

1. User logs out of the IdP.

2. The IdP sends a logout request to Aruba Central.

3. Aruba Central validates the logout request from the IdP, terminates the user session, and sends a logout

response to the IdP.

4. User is logged out of Aruba Central.

5. After the IdP receives logout response from all service providers, the IdP logs out the user.

Aruba Central | Solution Guide Configuring SAML SSO for Aruba Central | 10

11 | Configuring SAML SSO for Aruba Central Aruba Central | Solution Guide

Configuration Steps

The SAML SSO configuration for Aruba Central includes the following steps:

1. Configuring user accounts and roles in Aruba Central. For more information, see the Managing User

Access topic in Aruba Central Help Center.

2. Configure SAML authorization profile in Aruba Central.

3. Configuring Service Provider metadata such as metadata URL, service consumer URL, Name and other

attributes on the IdP server.

Configuring SAML Authorization Profiles in Aruba Central

For SAML SSO solution with Aruba Central, you must configure a valid SAML authorization profile in the Aruba

Central portal.

Important Points to Note

nThe SAML authorization profile configuration feature is available only for the admin users of an Aruba

Central account. Aruba Central allows only MSP admin users to configure SAML authorization profiles for

their respective tenant accounts.

nEach domain can have only one federation. There must be at least one verified user belonging to the

domain in the system users' list.

nAruba Central allows only one authorization profile per domain.

nSAML user access is determined by the role attribute included in the SAML token provided by the IdP.

nSAML users with admin privileges can configure system users in Aruba Central.

nSAML users can initiate a Single Sign On request by trying to log in to Aruba Central (SP-initiated login).

However, SAML users cannot initiate a single logout request from Aruba Central.

nThe following menu options in Aruba Central UI are not available for a SAML user.

lEnable MSP and Disable MSP—SAML users cannot enable or disable MSP deployment mode in Aruba

Central.

lChange Password—Aruba Central does not support changing the password of a SAML user account.

Before You Begin

Before you begin, ensure that you have the following information:

nEntity ID—A unique string that identifies the service provider that issues a SAML SSO request. According to

the SAML specification, the string should be a URL, although not required as URLby all providers.

nLogin URL—Login URL configured on the IdP server.

nLogout URL—Logout URL configured on the IdP server.

nCertificate details—SAML signing certificate in the Base64 encoded format. The SAML signing certificates are

required for verifying the identity of IdP server and relying applications such as Aruba Central.

nMetadata URL—Service provider metadata URLconfigured on the IdP server.

SAML profiles can also be configured using NB APIs. If you want to use NBAPIs for configuring SAML profiles, use the

APIs available under the SSO Configuration category in Aruba Central API Gateway.

Configuring a SAML Authorization Profile

To configureSAML authorization profiles in Aruba Central:

1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is

displayed.

2. To add an authorization profile, enter the domain name.

Ensure that the domain has at least one verified user.

For public cloud deployments, Aruba Central does not support adding hpe.com,arubanetworks.com and other free

public domain names, such as Gmail.com, Yahoo.com, or Facebook.com, for SAML authorization profiles.

3. Click Add SAML Profile.

4. To manually enter the metadata:

a. Select Manual Setting and enter the following information:

nEntity ID—Entity ID configured on the IdP server.

nLogin URL—Login URL configured on the IdP server.

nLogout URL—Login URL configured on the IdP server.

nCertificate—Certificate details. Ensure that the certificate content is in the Base64 encoded format.

You can either upload a certificate or paste the contents of the certificate in the text box.

Ensure that the Entity ID, Login URL, and Logout URL fields have valid HTTPS URLs.

b. Click Save.

Aruba Central | Solution Guide Configuring SAML SSO for Aruba Central | 12

13 | Configuring SAML SSO for Aruba Central Aruba Central | Solution Guide

The following shows an example for the manual entry of metadata:

Figure 3 Manual Addition of Metadata

5. If you have already configured the IdP server and downloaded the metadata file, you can upload the

metadata file. To upload a metadata file:

a. Select Metadata File. Ensure that the metadata file is in the XML format and it includes valid

certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.

b. Click Browse and select the IdP metadata file. Aruba Central extracts the Entity ID,Login URL,

Logout URL, and certificate contents.

c. Verify the details.

d. Click Save.

The following shows an example for content imported from a metadata file:

Figure 4 Importing Information from a Metadata File

Configuring Service Provider Metadata in IdP

Aruba Central supports SAML SSO authentication framework with various Identity Management vendors such

as ADFS,PingFederate,Aruba ClearPass Policy Manager, and so on.

Aruba recommends that you look up the instructions provided by your organization for adding service

provider metadata to the IdP server in your setup.

Some of the generic and necessary attributes required to be configured on the IdP server for SAML integration

with Aruba Central are described in the following list:

nMetadata URL—URL that provides service provider metadata.

Aruba Central | Solution Guide Configuring SAML SSO for Aruba Central | 14

15 | Configuring SAML SSO for Aruba Central Aruba Central | Solution Guide

nEntity ID—A unique string that identifies the service provider that issues a SAML SSO request. According to

the SAML specification, the string should be a URL, although not required as URLby all providers.

nAssertion Services Consumer URL—The URL that sends SAML SSO login requests and receives

authentication response from the IdP.

nNameID—The NameID attribute must include the email address of the user.

<NameID>johnnyadmin1@adfsaruba.com</NameID>

nIf the NameID attribute does not return the email address of the user, you can use the aruba_user_email

attribute. Ensure that you configure the NameID or the aruba_user_email attribute for each user.

nSAML Attributes—The following example shows the syntax structure for SAML attributes:

#customer 1

aruba_1_cid = <customer-id>

# app1, scope1

aruba_1_app_1 = central

aruba_1_app_1_role_1 = <readonly>

aruba_1_app_1_role_1_tenant = <admin>

aruba_1_app_1_group_1 = groupx, groupy

aruba_1_app_2 = device_profiling

aruba_1_app_2_role_1 = <readonly>

aruba_1_app_3 = account_setting

aruba_1_app_3_role_1 = <readonly>

#customer 2

aruba_2_cid = <customer-id>

# app1, scope1

aruba_2_app_1 = central

aruba_2_app_1_role_1 = <readonly>

aruba_2_app_1_role_1_tenant = <admin>

aruba_2_app_1_group_1 = groupx, groupy

aruba_2_app_2 = device_profiling

aruba_2_app_2_role_1 = <readonly>

aruba_2_app_3 = account_setting

aruba_2_app_3_role_1 = <readonly>

Note the following points when defining SAML attributes in the IdP server:

lcid—Customer ID. If you have multiple customers, define attributes separately for each customer ID.

lapp—Application. Set the value as per the following:

lNetwork Operations—central

lClear Pass Device Insight—device_profiling

lAccount Home—account_setting

lrole—User role. Specify the user role. If no role is defined, Aruba Central assigns read-only role to the

user.

ltenant role—Tenant user role. If the tenant role is not defined in the IdP, the MSP role is assigned to

the SAML user.

lgroup—Group in Aruba Central. When a group is specified in the attribute, the user is allowed to access

only the devices in that group. If the attribute does not include any group, Aruba Central allows SAML

SSO users to access all groups. You can also configure custom attributes to add multiple groups if the

user requires access to multiple groups.

Aruba Central recommends you to configure the Account Home. However, If you do not return the Account Home

application from the Idp, then the Network Operations role is applied by default.

See Also:

nConfiguring Service Provider Metadata in Microsoft ADFS on page 16

nConfiguring Service Provider Metadata in PingFederate IdP on page 23

nConfiguring Service Provider Metadata in ArubaClearPass Policy Manager on page 29

Configuring Service Provider Metadata in Microsoft ADFS

This procedure describes the steps required for configuring service provider metadata in Microsoft Active

Directory Federation Services (ADFS) for SAML integration with Aruba Central.

ADFS runs on Windows Servers and provides users with SSO access to application services hosted by the

trusted service providers.

This topic provides a basic set of guidelines required for setting up the ADFS instance on a Windows Server 2016 as

an IdP. The images used in this procedure may change with Windows Server updates.

Before you Begin

nGo through the SAML SSO feature description to understand how SAML framework works in the context of

Aruba Central.

nEnsure that the ADFSis installed and available for configuration on a Windows server. For more

information, see the ADFSDeployment Guide.

nEnsure that an Active Directory security group is configured and the users are added as group members. For

more information, see the ADFSDeployment Guide.

Steps to Configure Service Provider Metadata in ADFS

To enable SAML integration with ADFS, complete the following steps:

nStep 1—Adding a Relying Party Trust

nStep 2—Configure the Name IDAttribute

nStep 3—Configure the Customer IDAttribute

nStep 4—Configure the Application Attribute

nStep 5—Configure the Role Attribute

nStep 6—Configure the Group Attribute

nStep 7—Configure the Logout URL

nStep 8—Exporting Token-signing Certificate

nStep 9—SAML Authorization Profile in Aruba Central

Step 1—Adding a Relying Party Trust

To configure Aruba Central and ADFSas trusted partners:

1. On Windows Server, click Start > Administrative Tools > AD FS Management. The ADFS

administrative console opens.

2. Click AD FS folder and select Add Relying Party Trust from the Actions menu.

3. Select Enter data about the relying party manually.

Aruba Central | Solution Guide Configuring SAML SSO for Aruba Central | 16

17 | Configuring SAML SSO for Aruba Central Aruba Central | Solution Guide

4. Click Next.

5. Enter a Display Name. The name entered here will be displayed in the management console and to the

users logging in to Aruba Central.

6. Click Next.

7. Select AD FS Profile and then click Next.

8. Select Enable support for the SAML 2.0 WebSSO protocol check box and enter the consumer URL

that you want to use for sending SAML SSO login requests and receiving SAML response from the IdP.

9. Click Next.

10. Add Aruba Central URL as the relying party trust identifier.

11. Click Next.

12. Select the preferred security setting. You can select Permit all users to access this relying party

option to permit access to all users.

13. Click Close.

14. Verify if Aruba Central is added to the list of relying party trust.

Step 2—Configure the Name IDAttribute

The Name ID attribute is used for user identification. For SAMLintegration with Aruba Central, the Name

IDattribute must include the email address of the user. If the Name ID attribute does not return the email

address of the user, use the aruba_user_email attribute.

To configure the Name-ID attribute:

1. Select the display name you just added for Aruba Central and click Edit Claim Issuance Policy.

2. In the Edit Claim Issuance Policy window, click Add Rule.

3. Set the Claim Rule template to Send LDAP Attributes as Claims rule.

4. Click Next.

5. In the Claim rule name text box, enter Name-ID.

6. Select the LDAP as the Attribute store.

7. Select the User-Principal-Name as LDAP attribute and Name IDfor the Outgoing Claim Type.

8. Click Finish.

Step 3—Configure the Customer IDAttribute

To create a rule with the customer IDattribute:

1. In the Edit Claim Issuance Policy window, click Add Rule.

2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to

Send Group Membership as a Claim.

3. Click Next.

4. In the Claim rule name text box, enter the customer ID attribute. For example, aruba-cid.

5. Select a user group.

Aruba Central | Solution Guide Configuring SAML SSO for Aruba Central | 18

19 | Configuring SAML SSO for Aruba Central Aruba Central | Solution Guide

6. Click OK.

7. Select a customer IDattribute for the Outgoing claim rule and enter a value for the Outgoing claim

value.

8. Click Finish.

9. If you have multiple customers, define the customer ID attribute separately for each customer ID.

Step 4—Configure the Application Attribute

To add a rule for the application attribute:

1. In the Edit Claim Issuance Policy window, click Add Rule.

2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to

Send Group Membership as a Claim.

3. Click Next.

4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App

Name.

5. Select a user group.

6. Select the application attribute for Outgoing claim type and enter a value for the Outgoing claim

value.

7. Click Finish.

Step 5—Configure the Role Attribute

To add a rule for a role attribute:

1. In the Edit Claim Issuance Policy window, click Add Rule.

2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to

Send Group Membership as a Claim.

3. Click Next.

4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App

Role.

5. Select a user group.

6. Select the role attribute for Outgoing claim type and enter a value for the Outgoing claim value.

Aruba Central | Solution Guide Configuring SAML SSO for Aruba Central | 20

Page is loading ...

Aruba Central 2.5.1 SAML SSO Solution User guide

Brand: Aruba

Model: Central 2.5.1 SAML SSO Solution

Type: User guide

This manual is also suitable for

Central

Download PDF

report

Aruba Central 2.5.1 SAML SSO Solution User guide

This manual is also suitable for

Aruba Central 2.5.1 SAML SSO Solution User guide

Related papers

Other documents