Aruba Central, Central 2.5.1 SAML SSO Solution User guide

Aruba Central
SAML Configuration
Solution Guide
Revision 01 | July 2020 Aruba Central | Solution Guide
Copyright Information
© Copyright 2020 Hewlett Packard Enterprise Development LP.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public
License, and/or certain other open source licenses. A complete machine-readable copy of the source code
corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information
and shall expire three years following the date of the final distribution of this product version by Hewlett
Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US
$10.00 to:
Hewlett Packard Enterprise Company
6280 America Center Drive
San Jose, CA 95002
USA
Contents
Contents 3
About this Document 6
Intended Audience 6
Related Documents 6
Conventions 6
Contacting Support 7
Configuring SAML SSO for Aruba Central 8
Solution Overview 8
How It Works 9
SP-initiated SSO 9
IdP-initiated SSO 10
SAML Single Logout 10
Configuration Steps 11
Configuring SAML Authorization Profiles in Aruba Central 11
Important Points to Note 11
Before You Begin 11
Configuring a SAML Authorization Profile 12
Configuring Service Provider Metadata in IdP 14
Configuring Service Provider Metadata in Microsoft ADFS 16
Before you Begin 16
Steps to Configure Service Provider Metadata in ADFS 16
Step 1—Adding a Relying Party Trust 16
Step 2—Configure the Name ID Attribute 18
Step 3—Configure the Customer ID Attribute 18
Step 4—Configure the Application Attribute 20
Step 5—Configure the Role Attribute 20
Step 6—Configure the Group Attribute 21
Step 7—Configure the Logout URL 21
Step 8—Exporting Token-signing Certificate 22
Step 9—SAML Authorization Profile in Aruba Central 23
Configuring Service Provider Metadata in PingFederate IdP 23
Before you Begin 23
Steps to Configure Service Provider Metadata in PingFederate 24
Step 1—Create an SP Connection Profile 24
Step 2—Configure Browser SSO Settings 25
Step 3—Configure Credentials 29
Step 4—Review Configuration 29
Step 5—SAML Authorization Profile in Aruba Central 29
Configuring Service Provider Metadata in Aruba ClearPass Policy Manager 29
Before you Begin 29
Steps to Configure ClearPass Policy Manager as an IdP 29
Step 1—Configuring Enforcement Profile and Policies 30
Step 2—Adding Roles 30
Step 3—Mapping Roles to Enforcement Policies 31
Step 4—Configuring an IdP Service 31
Step 5—Uploading SP Metadata 32
Step 6—Adding Local Users 32
Step 7—Configuring SAML Authorization Profile in Aruba Central 33
Configuring Service Provider Metadata in G Suite 33
Before you Begin 33
Steps to Configure Service Provider Metadata in Google Admin Console 33
Step 1—Add Custom Attributes 34
Step 2—Add new user 35
Step 3—Add values to custom attributes 35
Step 4—Set up Custom SAML app 36
Step 5—Turn on SSO to your new SAML app 40
Viewing Federated Users in Aruba Central 41
Viewing Audit Logs for Federated Users in Aruba Central 41
Converting System Users to Federated Users 41
Before you Begin 42
Migrating Aruba Central Web Application Users to Federated User Profiles 42
Enabling NB API Access for Federated Users 43
Troubleshooting SAML SSO Authentication Issues 43
Installing SAML Tracer on Web Browsers 43
Viewing SAML Trace Logs 43
Troubleshooting Tips for Most Common Errors 44
Error 1—A blank page is displayed when the SAML user is redirected to the IdP server 44
Error 2—The SAML user is logged out of Aruba Central after logging in to IdP 44
Error 3—The web browser displays an error message when a SAML user is redirected to Aruba Central after logging in to IdP 44
Error 4—The web browser displays a 404 error message when a SAML user is redirected to Aruba Central after logging into IdP 44
Error 5—Although the role attribute is not configured in IdP, the SAML user is assigned a readonly role 45
Error 6—A SAML user was able to log in to Aruba Central earlier, but cannot access Aruba Central now 45
Error 7—The web browser displays SAML authentication error message when a SAML user tries to log in to Aruba Central 45
Error 8—The Aruba Central login page is displayed for the SAML user instead of the IdP login page 45
Chapter 1
About this Document
This document describes how to configure the Security Assertion Markup Language (SAML) Single Sign On (SSO) solution for Aruba Central.
Intended Audience
This guide is intended for the IT administrators who manage user access for the Aruba Central portal and the IT administrators who manage application access for the users in their organizations.
Aruba recommends that the users of this document familiarize themselves with the SAML SSO concepts before
enabling SAML SSO support on Aruba Central.
Related Documents
For more information on Aruba Central, see the Aruba Central Help Center. To access the help center, click the help icon in the Aruba Central UI.
Conventions
The following conventions are used throughout this guide to emphasize important concepts:
Table 1: Typographical Conventions
Type Style | Description
Italics | This style is used to emphasize important terms and to mark the titles of books.
System items | This fixed-width font depicts the following:
  • Sample screen output
  • System prompts
Bold | This style depicts the following:
  • Keys that are pressed
  • Text typed into a GUI element
  • GUI elements that are clicked or selected
The following informational icons are used throughout this guide:
Indicates helpful suggestions, pertinent information, and important things to remember.
Indicates a risk of damage to your hardware or loss of data.
Indicates a risk of personal injury or death.
Contacting Support
Table 2: Contact Information
Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone: arubanetworks.com/support-services/contact-support/
Software Licensing Site: lms.arubanetworks.com
End-of-life Information: arubanetworks.com/support-services/end-of-life/
Security Incident Response Team: Site: arubanetworks.com/support-services/security-bulletins/, Email: aruba-sirt@hpe.com
Chapter 2
Configuring SAML SSO for Aruba Central
The Single Sign On (SSO) solution simplifies user management by allowing users to access multiple applications and services with a single set of login credentials. If the application services are offered by different vendors, IT administrators can use the SAML authentication and authorization framework to provide a seamless login experience for their users.
To provide a seamless login experience for users whose identity is managed by an external authentication source, Aruba Central now offers a federated SSO solution based on the SAML 2.0 authentication and authorization framework. SAML is an XML-based open standard for exchanging authentication and authorization data between trusted partners; in particular, between an application service provider and the identity management system used by an enterprise. With Aruba Central's SAML SSO solution, organizations can manage user access using a single authentication and authorization source.
Solution Overview
The SAML SSO solution consists of the following key elements:
• Service Provider (SP)—The provider of a business function or service; for example, Aruba Central. The service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the service provider allows a user to access the service.
• Identity Provider (IdP)—The identity management system that maintains identity information of the user and authenticates the user.
• SAML request—The authentication request that is generated when a user tries to access the Aruba Central portal.
• SAML Assertion—The authentication and authorization information issued by the IdP to allow access to the service offered by the service provider (Aruba Central portal).
• Relying Party—The business service that relies on the SAML assertion for authenticating a user; for example, Aruba Central.
• Asserting Party—The identity management system or IdP that creates SAML assertions for a service provider.
• Metadata—Data in XML format that is exchanged between the trusted partners (IdP and Aruba Central) for establishing interoperability.
• SAML attributes—The attributes associated with the user; for example, username, customer ID, role, and the group in which the devices belonging to a user account are provisioned. The SAML attributes must be configured on the IdP according to the specifications associated with a user account in Aruba Central. These attributes are included in the SAML assertion that the IdP returns after Aruba Central sends a SAML request to the IdP.
• Entity ID—A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require it to be a URL.
• Assertion Services Consumer URL—The URL that sends the SAML request and receives the SAML response from the IdP.
• User—A user with SSO credentials.
The Aruba Central SAML SSO solution supports only the HTTP Redirect POST method for sending and receiving SAML requests and responses.
The SAML SSO integration allows federated users to access only the Central UI. The API Gateway access is restricted
to system users that are configured and managed from Aruba Central.
How It Works
Aruba Central supports the following types of SAML SSO workflows:
• SP-initiated SSO
• IdP-initiated SSO
SP-initiated SSO
In an SP Initiated SSO workflow, the SSO request originates from the service provider domain, that is, from
Aruba Central. When a user tries to access Aruba Central, a federation authentication request is created and
sent to the IdP server.
The following figure illustrates the standard SP-Initiated SAML SSO workflow:
Figure 1 SP-Initiated SSO
The SP-initiated SSO workflow with Aruba Central is supported only through the HTTP Redirect POST method.
In other words, Aruba Central sends an HTTP redirect message with an authentication request to the IdP
through the user's browser. The IdP sends a SAML response with an assertion to Aruba Central through HTTP
POST.
The SP-initiated SSO workflow with HTTP Redirect POST includes the following steps:
1. The user tries to access Aruba Central and the request is redirected to the IdP.
2. Aruba Central sends an HTTP redirect message with the SAML request to the IdP for authentication
through the user's browser.
3. The user logs in with the SSO credentials.
4. On successful authentication, the IdP sends a digitally signed HTML form with SAML assertion and
attributes to Aruba Central through the web browser.
5. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to
the user.
IdP-initiated SSO
In the IdP-Initiated workflow, the SSO request originates from the IdP domain. The IdP server creates a SAML
response and redirects the users to Aruba Central.
The Aruba Central SAML SSO deployments support the IdP-initiated SSO workflow through the HTTP POST
method. The IdP-initiated SSO workflow consists of the following steps:
1. The user is logged in to the IdP and tries to access Aruba Central.
2. The IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central through
the web browser.
3. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to
the user.
The following figure illustrates the standard IdP-Initiated SAML SSO workflow:
Figure 2 IdP-Initiated SSO
SAML Single Logout
Aruba Central supports Single Logout (SLO) of SAML SSO users. SLO allows users to terminate server sessions established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either from the Service Provider or the IdP. However, Aruba Central supports only the IdP-initiated SLO.
IdP-initiated SAML SLO
The IdP-initiated logout workflow includes the following steps:
1. User logs out of the IdP.
2. The IdP sends a logout request to Aruba Central.
3. Aruba Central validates the logout request from the IdP, terminates the user session, and sends a logout
response to the IdP.
4. User is logged out of Aruba Central.
5. After the IdP receives logout response from all service providers, the IdP logs out the user.
Configuration Steps
The SAML SSO configuration for Aruba Central includes the following steps:
1. Configure user accounts and roles in Aruba Central. For more information, see the Managing User Access topic in the Aruba Central Help Center.
2. Configure a SAML authorization profile in Aruba Central.
3. Configure the service provider metadata, such as the metadata URL, service consumer URL, NameID, and other attributes, on the IdP server.
Configuring SAML Authorization Profiles in Aruba Central
For SAML SSO solution with Aruba Central, you must configure a valid SAML authorization profile in the Aruba
Central portal.
Important Points to Note
• The SAML authorization profile configuration feature is available only for the admin users of an Aruba Central account. Aruba Central allows only MSP admin users to configure SAML authorization profiles for their respective tenant accounts.
• Each domain can have only one federation. There must be at least one verified user belonging to the domain in the system users' list.
• Aruba Central allows only one authorization profile per domain.
• SAML user access is determined by the role attribute included in the SAML token provided by the IdP.
• SAML users with admin privileges can configure system users in Aruba Central.
• SAML users can initiate a Single Sign On request by trying to log in to Aruba Central (SP-initiated login). However, SAML users cannot initiate a single logout request from Aruba Central.
• The following menu options in the Aruba Central UI are not available for a SAML user:
  ◦ Enable MSP and Disable MSP—SAML users cannot enable or disable MSP deployment mode in Aruba Central.
  ◦ Change Password—Aruba Central does not support changing the password of a SAML user account.
Before You Begin
Before you begin, ensure that you have the following information:
• Entity ID—A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require it to be a URL.
• Login URL—Login URL configured on the IdP server.
• Logout URL—Logout URL configured on the IdP server.
• Certificate details—SAML signing certificate in the Base64 encoded format. The SAML signing certificates are required for verifying the identity of the IdP server and relying applications such as Aruba Central.
• Metadata URL—Service provider metadata URL configured on the IdP server.
SAML profiles can also be configured using NB APIs. If you want to use NB APIs for configuring SAML profiles, use the APIs available under the SSO Configuration category in the Aruba Central API Gateway.
Configuring a SAML Authorization Profile
To configure SAML authorization profiles in Aruba Central:
1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is displayed.
2. To add an authorization profile, enter the domain name.
Ensure that the domain has at least one verified user.
For public cloud deployments, Aruba Central does not support adding hpe.com, arubanetworks.com, and other free public domain names, such as Gmail.com, Yahoo.com, or Facebook.com, for SAML authorization profiles.
3. Click Add SAML Profile.
4. To manually enter the metadata:
a. Select Manual Setting and enter the following information:
  • Entity ID—Entity ID configured on the IdP server.
  • Login URL—Login URL configured on the IdP server.
  • Logout URL—Logout URL configured on the IdP server.
  • Certificate—Certificate details. Ensure that the certificate content is in the Base64 encoded format. You can either upload a certificate or paste the contents of the certificate in the text box.
Ensure that the Entity ID, Login URL, and Logout URL fields have valid HTTPS URLs.
b. Click Save.
The following shows an example for the manual entry of metadata:
Figure 3 Manual Addition of Metadata
5. If you have already configured the IdP server and downloaded the metadata file, you can upload the
metadata file. To upload a metadata file:
a. Select Metadata File. Ensure that the metadata file is in the XML format and it includes valid
certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.
b. Click Browse and select the IdP metadata file. Aruba Central extracts the Entity ID, Login URL, Logout URL, and certificate contents.
c. Verify the details.
d. Click Save.
The following shows an example for content imported from a metadata file:
Figure 4 Importing Information from a Metadata File
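As an added example (not the guide's own code), the following Python script extracts the same four fields that Aruba Central reads from an uploaded IdP metadata file (Entity ID, Login URL, Logout URL, and signing certificate) and applies the checks the steps above call for: HTTPS URLs and Base64-encoded certificate content. The metadata document is constructed for this example, and the X509Certificate body is a placeholder, not a real certificate.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def _require_https(url, field):
    """The guide requires HTTPS URLs for Entity ID, Login URL and Logout URL."""
    parts = urlparse(url or "")
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{field} must be an HTTPS URL, got {url!r}")
    return url

def _endpoint(idp, element):
    """Prefer the HTTP-Redirect endpoint when the IdP advertises several bindings."""
    nodes = idp.findall(f"md:{element}", NS)
    for node in nodes:
        if node.get("Binding") == HTTP_REDIRECT:
            return node.get("Location")
    return nodes[0].get("Location") if nodes else None

def _signing_certificate(idp):
    """Return the Base64 body of the first signing KeyDescriptor, whitespace stripped."""
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' attribute means signing and encryption
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text and node.text.strip():
                return "".join(node.text.split())
    raise ValueError("metadata has no signing certificate")

def extract_idp_metadata(xml_text):
    """Return the fields the metadata import needs, validated as the guide describes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert = _signing_certificate(idp)
    try:
        base64.b64decode(cert, validate=True)    # reject anything that is not clean Base64
    except binascii.Error as exc:
        raise ValueError("certificate content is not valid Base64") from exc
    return {
        "entity_id": _require_https(root.get("entityID"), "Entity ID"),
        "login_url": _require_https(_endpoint(idp, "SingleSignOnService"), "Login URL"),
        "logout_url": _require_https(_endpoint(idp, "SingleLogoutService"), "Logout URL"),
        "certificate": cert,
    }

# Constructed IdP metadata for this example; the certificate body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMCAQE=
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/adfs/ls/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for field, value in extract_idp_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```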
Configuring Service Provider Metadata in IdP
Aruba Central supports the SAML SSO authentication framework with various Identity Management vendors such as ADFS, PingFederate, Aruba ClearPass Policy Manager, and so on.
Aruba recommends that you look up the instructions provided by your organization for adding service provider metadata to the IdP server in your setup.
Some of the generic and necessary attributes required to be configured on the IdP server for SAML integration with Aruba Central are described in the following list:
• Metadata URL—URL that provides service provider metadata.
• Entity ID—A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require it to be a URL.
• Assertion Services Consumer URL—The URL that sends SAML SSO login requests and receives the authentication response from the IdP.
• NameID—The NameID attribute must include the email address of the user, for example:
  <NameID>johnnyadmin1@adfsaruba.com</NameID>
• If the NameID attribute does not return the email address of the user, you can use the aruba_user_email attribute. Ensure that you configure either the NameID or the aruba_user_email attribute for each user.
• SAML Attributes—The following example shows the syntax structure for SAML attributes:
  #customer 1
  aruba_1_cid = <customer-id>
  # app1, scope1
  aruba_1_app_1 = central
  aruba_1_app_1_role_1 = <readonly>
  aruba_1_app_1_role_1_tenant = <admin>
  aruba_1_app_1_group_1 = groupx, groupy
  aruba_1_app_2 = device_profiling
  aruba_1_app_2_role_1 = <readonly>
  aruba_1_app_3 = account_setting
  aruba_1_app_3_role_1 = <readonly>
  #customer 2
  aruba_2_cid = <customer-id>
  # app1, scope1
  aruba_2_app_1 = central
  aruba_2_app_1_role_1 = <readonly>
  aruba_2_app_1_role_1_tenant = <admin>
  aruba_2_app_1_group_1 = groupx, groupy
  aruba_2_app_2 = device_profiling
  aruba_2_app_2_role_1 = <readonly>
  aruba_2_app_3 = account_setting
  aruba_2_app_3_role_1 = <readonly>
Note the following points when defining SAML attributes in the IdP server:
  ◦ cid—Customer ID. If you have multiple customers, define attributes separately for each customer ID.
  ◦ app—Application. Set the value as follows:
    ◦ Network Operations—central
    ◦ ClearPass Device Insight—device_profiling
    ◦ Account Home—account_setting
  ◦ role—User role. Specify the user role. If no role is defined, Aruba Central assigns the read-only role to the user.
  ◦ tenant role—Tenant user role. If the tenant role is not defined in the IdP, the MSP role is assigned to the SAML user.
  ◦ group—Group in Aruba Central. When a group is specified in the attribute, the user is allowed to access only the devices in that group. If the attribute does not include any group, Aruba Central allows SAML SSO users to access all groups. You can also configure custom attributes to add multiple groups if the user requires access to multiple groups.
Aruba recommends that you configure the Account Home application. However, if you do not return the Account Home application from the IdP, the Network Operations role is applied by default.
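As an added example (not the guide's own code), the following Python functions parse an attribute statement written in the aruba_* convention above into per-customer, per-application access, and apply the defaults the notes state: the read-only role when no role is returned, the MSP role when no tenant role is returned, all groups when no group is returned, and the Network Operations role for Account Home when that application is not returned. The attribute values, the literal "msp" tenant-role string, and the handling of multi-valued attributes are assumptions made for this example.

```python
import re
from collections import defaultdict

# Application values as the guide lists them (attribute value -> UI name).
APP_NAMES = {
    "central": "Network Operations",
    "device_profiling": "ClearPass Device Insight",
    "account_setting": "Account Home",
}
DEFAULT_ROLE = "readonly"     # guide: no role attribute -> read-only role
DEFAULT_TENANT_ROLE = "msp"   # guide: no tenant role -> "the MSP role"; literal string is an assumption

# Matches aruba_<c>_cid, aruba_<c>_app_<n>, aruba_<c>_app_<n>_role_<m>,
# aruba_<c>_app_<n>_role_<m>_tenant and aruba_<c>_app_<n>_group_<k>.
ATTR_RE = re.compile(
    r"^aruba_(?P<cust>\d+)_(?:(?P<cid>cid)|app_(?P<app>\d+)"
    r"(?:_role_(?P<role>\d+)(?P<tenant>_tenant)?|_group_(?P<group>\d+))?)$"
)

def _values(value):
    """Normalize an attribute value: multi-valued lists and 'groupx, groupy' strings."""
    items = value if isinstance(value, (list, tuple)) else [value]
    return [p.strip() for item in items for p in str(item).split(",") if p.strip()]

def parse_aruba_attributes(attrs):
    """Group the flat aruba_* attribute statement by customer index and app index."""
    new_app = lambda: {"name": None, "roles": [], "tenant_roles": [], "groups": []}
    customers = defaultdict(lambda: {"cid": None, "apps": defaultdict(new_app)})
    for key, value in attrs.items():
        m = ATTR_RE.match(key)
        if not m:
            continue                  # not an aruba_<n>_* attribute (e.g. aruba_user_email)
        cust = customers[int(m["cust"])]
        if m["cid"]:
            cust["cid"] = (_values(value) or [None])[0]
            continue
        app = cust["apps"][int(m["app"])]
        if m["tenant"]:
            app["tenant_roles"] += _values(value)
        elif m["role"]:
            app["roles"] += _values(value)
        elif m["group"]:
            app["groups"] += _values(value)
        else:
            app["name"] = (_values(value) or [None])[0]
    return customers

def resolve_access(attrs):
    """Apply the guide's defaults; returns {customer_id: {app: {role, tenant_role, groups}}}."""
    access = {}
    for idx, cust in sorted(parse_aruba_attributes(attrs).items()):
        if not cust["cid"]:
            raise ValueError(f"aruba_{idx}_cid is missing")
        apps = {}
        for app in cust["apps"].values():
            if app["name"] not in APP_NAMES:
                continue              # unknown application value: ignore it
            apps[app["name"]] = {
                "role": app["roles"][0] if app["roles"] else DEFAULT_ROLE,
                "tenant_role": app["tenant_roles"][0] if app["tenant_roles"] else DEFAULT_TENANT_ROLE,
                "groups": app["groups"] or None,   # None means all groups
            }
        # Guide: when Account Home is not returned, the Network Operations role applies.
        if "account_setting" not in apps and "central" in apps:
            apps["account_setting"] = dict(apps["central"], groups=None)
        access[cust["cid"]] = apps
    return access

# Constructed attribute statement for this example; not taken from a real IdP.
SAMPLE_ATTRS = {
    "aruba_user_email": "johnnyadmin1@adfsaruba.com",
    "aruba_1_cid": "cust-1001",
    "aruba_1_app_1": "central",
    "aruba_1_app_1_role_1": "admin",
    "aruba_1_app_1_role_1_tenant": "admin",
    "aruba_1_app_1_group_1": "groupx, groupy",
    "aruba_1_app_2": "device_profiling",
    "aruba_1_app_2_role_1": "readonly",
    "aruba_2_cid": "cust-2002",
    "aruba_2_app_1": "central",       # no role, group or Account Home: defaults apply
}

if __name__ == "__main__":
    import json
    print(json.dumps(resolve_access(SAMPLE_ATTRS), indent=2))
```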
See Also:
• Configuring Service Provider Metadata in Microsoft ADFS on page 16
• Configuring Service Provider Metadata in PingFederate IdP on page 23
• Configuring Service Provider Metadata in Aruba ClearPass Policy Manager on page 29
Configuring Service Provider Metadata in Microsoft ADFS
This procedure describes the steps required for configuring service provider metadata in Microsoft Active
Directory Federation Services (ADFS) for SAML integration with Aruba Central.
ADFS runs on Windows Servers and provides users with SSO access to application services hosted by the
trusted service providers.
This topic provides a basic set of guidelines required for setting up the ADFS instance on a Windows Server 2016 as
an IdP. The images used in this procedure may change with Windows Server updates.
Before you Begin
• Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.
• Ensure that ADFS is installed and available for configuration on a Windows server. For more information, see the ADFS Deployment Guide.
• Ensure that an Active Directory security group is configured and the users are added as group members. For more information, see the ADFS Deployment Guide.
Steps to Configure Service Provider Metadata in ADFS
To enable SAML integration with ADFS, complete the following steps:
• Step 1—Adding a Relying Party Trust
• Step 2—Configure the Name ID Attribute
• Step 3—Configure the Customer ID Attribute
• Step 4—Configure the Application Attribute
• Step 5—Configure the Role Attribute
• Step 6—Configure the Group Attribute
• Step 7—Configure the Logout URL
• Step 8—Exporting Token-signing Certificate
• Step 9—SAML Authorization Profile in Aruba Central
Step 1—Adding a Relying Party Trust
To configure Aruba Central and ADFS as trusted partners:
1. On Windows Server, click Start > Administrative Tools > AD FS Management. The ADFS
administrative console opens.
2. Click AD FS folder and select Add Relying Party Trust from the Actions menu.
3. Select Enter data about the relying party manually.
4. Click Next.
5. Enter a Display Name. The name entered here will be displayed in the management console and to the
users logging in to Aruba Central.
6. Click Next.
7. Select AD FS Profile and then click Next.
8. Select Enable support for the SAML 2.0 WebSSO protocol check box and enter the consumer URL
that you want to use for sending SAML SSO login requests and receiving SAML response from the IdP.
9. Click Next.
10. Add Aruba Central URL as the relying party trust identifier.
11. Click Next.
12. Select the preferred security setting. You can select Permit all users to access this relying party
option to permit access to all users.
13. Click Close.
14. Verify that Aruba Central is added to the list of relying party trusts.
Step 2—Configure the Name ID Attribute
The Name ID attribute is used for user identification. For SAML integration with Aruba Central, the Name ID attribute must include the email address of the user. If the Name ID attribute does not return the email address of the user, use the aruba_user_email attribute.
To configure the Name-ID attribute:
1. Select the display name you just added for Aruba Central and click Edit Claim Issuance Policy.
2. In the Edit Claim Issuance Policy window, click Add Rule.
3. Set the Claim Rule template to Send LDAP Attributes as Claims rule.
4. Click Next.
5. In the Claim rule name text box, enter Name-ID.
6. Select the LDAP as the Attribute store.
7. Select the User-Principal-Name as LDAP attribute and Name IDfor the Outgoing Claim Type.
8. Click Finish.
Step 3—Configure the Customer ID Attribute
To create a rule with the customer ID attribute:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to
Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the customer ID attribute. For example, aruba-cid.
5. Select a user group.
6. Click OK.
7. Select a customer ID attribute for the Outgoing claim rule and enter a value for the Outgoing claim value.
8. Click Finish.
9. If you have multiple customers, define the customer ID attribute separately for each customer ID.
Step 4Configure the Application Attribute
To add a rule for the application attribute:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to
Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App
Name.
5. Select a user group.
6. Select the application attribute for Outgoing claim type and enter a value for the Outgoing claim
value.
7. Click Finish.
Step 5Configure the Role Attribute
To add a rule for a role attribute:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to
Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the role attribute. For example, Aruba Central App Role.
5. Select a user group.
6. Select the role attribute for Outgoing claim type and enter a value for the Outgoing claim value.