Aruba Central User guide

Aruba Central

SAML Configuration

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General

Public License, and/or certain other open source licenses. A complete machine-readable copy of the

source code corresponding to such code is available upon request. This offer is valid to anyone in

receipt of this information and shall expire three years following the date of the final distribution of

this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a

check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company

6280 America Center Drive

San Jose, CA 95002

USA

Contents

Contents 3

About this Document 5

Intended Audience 5

Related Documents

For more information on Aruba Central, see Aruba Central Online Help Center. To access help center, click the

help icon in the Aruba Central UI.

Conventions

The following conventions are used throughout this guide to emphasize important concepts:

Type Style Description

Italics This style is used to emphasize important terms and to mark the titles of books.

System items This fixed-width font depicts the following:

nSample screen output

nSystem prompts

Bold nKeys that are pressed

nText typed into a GUI element

nGUI elements that are clicked or selected

Table 1: Typographical Conventions

The following informational icons are used throughout this guide:

Indicates helpful suggestions, pertinent information, and important things to remember.

Indicates a risk of damage to your hardware or loss of data.

SAML SSO | Solution Guide 5

Conventions | 6

Indicates a risk of personal injury or death.

Terminology Change

As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling

HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products

and publications may continue to include terminology that seemingly evokes bias against specific groups of

people. Such content is not representative of our HPE culture and moving forward, Aruba will replace

racially insensitive terms and instead use the following new language:

Usage Old Language New Language

Campus Access Points + Controllers Master-Slave Conductor-Member

Instant Access Points Master-Slave Conductor-Member

Switch Stack Master-Slave Conductor-Member

Wireless LAN Controller Mobility Master Mobility Conductor

Firewall Configuration Blacklist, Whitelist Denylist, Allowlist

Types of Hackers Black Hat, White Hat Unethical, Ethical

Contacting Support

Main Site arubanetworks.com

Support Site asp.arubanetworks.com

Airheads Social Forums and Knowledge

Base

community.arubanetworks.com

North American Telephone 1-800-943-4526 (Toll Free)

1-408-754-1200

International Telephone arubanetworks.com/support-services/contact-support/

Software Licensing Site lms.arubanetworks.com

End-of-life Information arubanetworks.com/support-services/end-of-life/

Security Incident Response Team Site: arubanetworks.com/support-services/security-bulletins/

Email: aruba-sirt@hpe.com

Table 2: Contact Information

Chapter 2

Configuring SAML SSO for Aruba Central

The SSO solution simplifies user management by allowing users to access multiple applications and services

with a single set of login credentials. If the applications services are offered by different vendors, IT

administrators can use the SAMLauthentication and authorization framework to provide a seamless login

experience for their users.

To provide seamless login experience for users whose identity is managed by an external authentication

source, Aruba Central now offers a federated SSO solution based on the SAML 2.0 authentication and

authorization framework. SAML is an XML-based open standard for exchanging authentication and

authorization data between trusted partners; in particular, between an application service provider and

identity management system used by an enterprise. With Aruba Central's SAML SSOsolution, organizations

can manage user access using a single authentication and authorization source.

SAML SSO Solution Overview

The SAML SSO solution consists of the following key elements:

nService Provider (SP)—The provider of a business function or service; For example, Aruba Central. The

service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the

service provider allows a user to access the service.

nIdentity Provider (IdP)—The Identity Management system that maintains identity information of the

user and authenticates the user.

nSAML Request—The authentication request that is generated when a user tries to access the Aruba

Central portal.

nSAML Assertion—The authentication and authorization information issued by the IdP to allow access to

the service offered by the service (Aruba Central portal).

nRelying Party—The business service that relies on SAML assertion for authenticating a user; For

example, Aruba Central.

nAsserting Party—The Identity management system or the IdP that creates SAML assertions for a

service provider.

nMetadata—Data in the XML format that is exchanged between the trusted partners (IdP and Aruba

Central)for establishing interoperability.

nSAML Attributes—The attributes associated with the user; for example, username, customer ID, role,

and group in which the devices belonging to a user account are provisioned. The SAML attributes must be

configured on the IdP according to specifications associated with a user account in Aruba Central. These

attributes are included in the SAML assertion when Aruba Central sends a SAML request to the IdP.

nEntity ID—A unique string to identify the service provider that issues a SAML SSO request. According to

the SAML specification, the string should be a URL, although not required as a URLby all providers.

nAssertion Services Consumer URL—The URL that sends the SAML request and receives the SAML

response from the IdP.

nUser—User with SSO credentials.

SAML SSO | Solution Guide 7

SAML SSO Solution Overview | 8

nAruba Central SAML SSO solution supports only the HTTP Redirect POST method for sending and receiving

SAML requests and response.

nThe SAML SSO integration allows federated users to access only the Central UI. The API Gateway access is

restricted to system users that are configured and managed from Aruba Central.

How SAML SSO Works

Aruba Central supports the following types of SAML SSO workflows:

nSP-initiated SSO

nIdP-initiated SSO

SP-initiated SSO

In an SP Initiated SSO workflow, the SSO request originates from the service provider domain, that is, from

Aruba Central. When a user tries to access Aruba Central, a federation authentication request is created and

sent to the IdP server.

The following figure illustrates the standard SP-Initiated SAML SSO workflow:

Figure 1 SP-Initiated SSO

The SP-initiated SSO workflow with Aruba Central is supported only through the HTTP Redirect POST

method. In other words, Aruba Central sends an HTTP redirect message with an authentication request to

the IdP through the user's browser. The IdP sends a SAML response with an assertion to Aruba Central

through HTTP POST.

The SP-initiated SSO workflow with HTTP Redirect POST includes the following steps:

1. The user tries to access Aruba Central and the request is redirected to the IdP.

2. Aruba Central sends an HTTP redirect message with the SAML request to the IdP for authentication

through the user's browser.

SAML SSO | Solution Guide 9

3. The user logs in with the SSO credentials.

4. On successful authentication, the IdP sends a digitally signed HTML form with SAML assertion and

attributes to Aruba Central through the web browser.

5. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access

to the user.

IdP-initiated SSO

In the IdP-Initiated workflow, the SSO request originates from the IdP domain. The IdP server creates a

SAML response and redirects the users to Aruba Central.

The Aruba Central SAML SSO deployments support the IdP-initiated SSO workflow through the HTTP POST

method. The IdP-initiated SSO workflow consists of the following steps:

1. The user is logged in to the IdP and tries to access Aruba Central.

2. The IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central

through the web browser.

3. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access

to the user.

The following figure illustrates the standard IdP-Initiated SAML SSO workflow:

Figure 2 IdP-Initiated SSO

SAML SSO Single Logout

Aruba Central supports Single Logout (SLO)of SAML SSO users. SLO allows users to terminate server

sessions established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either

from the Service Provider or the IdP. However, Aruba Central supports only the IdP-initiated SLO.

IdP-initiated SAML SLO

The IdP-initiated logout workflow includes the following steps:

Configuring SAML Authorization Profiles in Aruba Central | 10

1. User logs out of the IdP.

2. The IdP sends a logout request to Aruba Central.

3. Aruba Central validates the logout request from the IdP, terminates the user session, and sends a

logout response to the IdP.

4. User is logged out of Aruba Central.

5. After the IdP receives logout response from all service providers, the IdP logs out the user.

Configuring SAML SSO

The SAML SSO configuration for Aruba Central includes the following steps:

1. Configuring user accounts and roles in Aruba Central. For more information, see the Managing User

Access topic in Aruba Central Help Center.

2. Configure SAML authorization profile in Aruba Central.

3. Configuring Service Provider metadata such as metadata URL, service consumer URL, Name and

other attributes on the IdP server.

Configuring SAML Authorization Profiles in Aruba

Central

For SAML SSO solution with Aruba Central, you must configure a valid SAML authorization profile in the

Aruba Central portal.

Important Points to Note

Following are the important points to note about the SAML authorization in Aruba Central:

nThe SAML authorization profile configuration feature is available only for the admin users of an Aruba

Central account. Aruba Central allows only MSP admin users to configure SAML authorization profiles for

their respective tenant accounts.

nEach domain can have only one federation. There must be at least one verified user belonging to the

domain in the system users' list.

nAruba Central allows only one authorization profile per domain.

nSAML user access is determined by the role attribute included in the SAML token provided by the IdP.

nSAML users with admin privileges can configure system users in Aruba Central.

nSAML users can initiate a Single Sign On request by trying to log in to Aruba Central (SP-initiated login).

However, SAML users cannot initiate a single logout request from Aruba Central.

nThe following menu options in Aruba Central UI are not available for a SAML user.

oEnable MSP and Disable MSP—SAML users cannot enable or disable MSP deployment mode in

Aruba Central.

oChange Password—Aruba Central does not support changing the password of a SAML user account.

Before You Begin

Before you begin, ensure that you have the following information:

nEntity ID—A unique string that identifies the service provider that issues a SAML SSO request. According

to the SAML specification, the string should be a URL, although not required as URLby all providers.

SAML SSO | Solution Guide 11

nLogin URL—Login URL configured on the IdP server.

nLogout URL—Logout URL configured on the IdP server.

nCertificate Details—SAML signing certificate in the Base64 encoded format. The SAML signing

certificates are required for verifying the identity of IdP server and relying applications such as Aruba

Central.

nMetadata URL—Service provider metadata URLconfigured on the IdP server.

SAML profiles can also be configured using NB APIs. If you want to use NBAPIs for configuring SAML profiles,

use the APIs available under the SSO Configuration category in Aruba Central API Gateway.

Configuring a SAML Authorization Profile

To configurethe SAML authorization profiles in Aruba Central, complete the following steps:

1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page

is displayed.

2. To add an authorization profile, enter the domain name.

nEnsure that the domain has at least one verified user.

nFor public cloud deployments, Aruba Central does not support adding hpe.com,

arubanetworks.com and other free public domain names, such as Gmail.com, Yahoo.com, or

Facebook.com, for SAML authorization profiles.

3. Click Add SAML Profile.

4. To manually enter the metadata:

a. Select Manual Setting and enter the following information:

nEntity ID—Entity ID configured on the IdP server.

nLogin URL—Login URL configured on the IdP server.

nLogout URL—Login URL configured on the IdP server.

nCertificate—Certificate details. Ensure that the certificate content is in the Base64 encoded

format. You can either upload a certificate or paste the contents of the certificate in the text

box.

Ensure that the Entity ID, Login URL, and Logout URL fields have valid HTTPS URLs.

b. Click Save.

The following figure shows an example for the manual entry of metadata:

Configuring SAML Authorization Profiles in Aruba Central | 12

Figure 3 Manual Addition of Metadata

5. If you have already configured the IdP server and downloaded the metadata file, you can upload the

metadata file. To upload a metadata file:

a. Select Metadata File. Ensure that the metadata file is in the XML format and it includes valid

certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.

b. Click Browse and select the IdP metadata file. Aruba Central extracts the Entity ID,Login URL,

Logout URL, and certificate content.

c. Verify the details.

d. Click Save.

The following figure shows an example for the content imported from a metadata file:

SAML SSO | Solution Guide 13

Figure 4 Importing Information from a Metadata File

Configuring Service Provider Metadata in IdP

Aruba Central supports SAML SSO authentication framework with various Identity Management vendors

such as ADFS,PingFederate,Aruba ClearPass Policy Manager, and so on.

Aruba recommends that you look up the instructions provided by your organization for adding service

provider metadata to the IdP server in your setup.

Some of the generic and necessary attributes required to be configured on the IdP server for SAML

integration with Aruba Central are described in the following list:

Configuring Service Provider Metadata in IdP | 14

nMetadata URL—URL that provides service provider metadata.

nEntity ID—A unique string that identifies the service provider that issues a SAML SSO request. According

to the SAML specification, the string should be a URL, although not required as URLby all providers.

nAssertion Services Consumer URL—The URL that sends SAML SSO login requests and receives

authentication response from the IdP.

nNameID—The NameID attribute must include the email address of the user.

<NameID>johnnyadmin1@adfsaruba.com</NameID>

If the NameID attribute does not return the email address of the user, you can use the aruba_user_

email attribute. Ensure that you configure the NameID or the aruba_user_email attribute for each

user.

nSAML Attributes—The following example shows the syntax structure for SAML attributes:

#customer 1

aruba_1_cid = <customer-id>

# app1, scope1

aruba_1_app_1 = central

aruba_1_app_1_role_1 = <readonly>

aruba_1_app_1_role_1_tenant = <admin>

aruba_1_app_1_group_1 = groupx, groupy

aruba_1_app_2 = device_profiling

aruba_1_app_2_role_1 = <readonly>

aruba_1_app_3 = account_setting

aruba_1_app_3_role_1 = <readonly>

#customer 2

aruba_2_cid = <customer-id>

# app1, scope1

aruba_2_app_1 = central

aruba_2_app_1_role_1 = <readonly>

aruba_2_app_1_role_1_tenant = <admin>

aruba_2_app_1_group_1 = groupx, groupy

aruba_2_app_2 = device_profiling

aruba_2_app_2_role_1 = <readonly>

aruba_2_app_3 = account_setting

aruba_2_app_3_role_1 = <readonly>

Note the following points when defining SAML attributes in the IdP server:

ncid—Customer ID. If you have multiple customers, define attributes separately for each customer ID.

napp—Application. Set the value as per the following:

oNetwork Operations—central

oClear Pass Device Insight—device_profiling

oAccount Home—account_setting

nrole—User role. Specify the user role. If no role is defined, Aruba Central assigns read-only role to the

user.

ntenant role—Tenant user role. If the tenant role is not defined in the IdP, the MSP role is assigned to

the SAML user.

ngroup—Group in Aruba Central. When a group is specified in the attribute, the user is allowed to access

only the devices in that group. If the attribute does not include any group, Aruba Central allows SAML

SAML SSO | Solution Guide 15

SSO users to access all groups. You can also configure custom attributes to add multiple groups if the

user requires access to multiple groups.

Aruba Central recommends you to configure the Account Home. However, If you do not return the Account

Home application from the Idp, then the Network Operations role is applied by default.

See Also:

nConfiguring Service Provider Metadata in Microsoft ADFS

nConfiguring Service Provider Metadata in PingFederate IdP

nConfiguring Service Provider Metadata in ArubaClearPass Policy Manager

Configuring Service Provider Metadata in Microsoft

ADFS

This procedure describes the steps required for configuring service provider metadata in Microsoft Active

Directory Federation Services (ADFS) for SAML integration with Aruba Central.

ADFS runs on Windows Servers and provides users with SSO access to application services hosted by the

trusted service providers.

This topic provides a basic set of guidelines required for setting up the ADFS instance on a Windows Server

2016 as an IdP. The images used in this procedure may change with Windows Server updates.

Before you Begin

nGo through the SAML SSO feature description to understand how SAML framework works in the context

of Aruba Central.

nEnsure that the ADFSis installed and available for configuration on a Windows server. For more

information, see the ADFSDeployment Guide.

nEnsure that an Active Directory security group is configured and the users are added as group members.

For more information, see the ADFSDeployment Guide.

Steps to Configure Service Provider Metadata in ADFS

To enable SAML integration with ADFS, complete the following steps:

nStep 1:Adding a Relying Party Trust

nStep 2:Configure the Name IDAttribute

nStep 3:Configure the Customer IDAttribute

nStep 4:Configure the Application Attribute

nStep 5:Configure the Role Attribute

nStep 6:Configure the Group Attribute

nStep 7:Configure the Logout URL

nStep 8:Exporting Token-signing Certificate

nStep 9:SAML Authorization Profile in Aruba Central

Configuring Service Provider Metadata in Microsoft ADFS | 16

Step 1:Adding a Relying Party Trust

To configure Aruba Central and ADFSas trusted partners, complete the following steps:

1. On Windows Server, click Start > Administrative Tools > AD FS Management. The ADFS

administrative console opens.

2. Click AD FS folder and select Add Relying Party Trust from the Actions menu.

Figure 5 AD FS Management

3. Select Enter data about the relying party manually.

4. Click Next.

5. Enter a Display Name. The name entered here will be displayed in the management console and to

the users logging in to Aruba Central.

6. Click Next.

7. Select AD FS Profile and then click Next.

8. Select Enable support for the SAML 2.0 WebSSO protocol check box and enter the consumer

URL that you want to use for sending SAML SSO login requests and receiving SAML response from

the IdP.

Figure 6 Enabling Support for SAML 2.0 WebSSO Protocol

9. Click Next.

10. Add Aruba Central URL as the relying party trust identifier.

Figure 7 Adding Replying Party Trust Identifier

11. Click Next.

12. Select the preferred security setting. You can select Permit all users to access this relying party

option to permit access to all users.

SAML SSO | Solution Guide 17

13. Click Close.

14. Verify if Aruba Central is added to the list of relying party trust.

Step 2:Configure the Name IDAttribute

The Name ID attribute is used for user identification. For SAMLintegration with Aruba Central, the Name

IDattribute must include the email address of the user. If the Name ID attribute does not return the email

address of the user, use the aruba_user_email attribute.

To configure the Name-ID attribute:

1. Select the display name you just added for Aruba Central and click Edit Claim Issuance Policy.

2. In the Edit Claim Issuance Policy window, click Add Rule.

3. Set the Claim Rule template to Send LDAP Attributes as Claims rule.

4. Click Next.

5. In the Claim rule name text box, enter Name-ID.

Figure 8 Adding Claim Rule Name

6. Select the LDAP as the Attribute store.

7. Select the User-Principal-Name as LDAP attribute and Name IDfor the Outgoing Claim Type.

8. Click Finish.

Step 3:Configure the Customer IDAttribute

To create a rule with the customer IDattribute:

1. In the Edit Claim Issuance Policy window, click Add Rule.

2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to

Send Group Membership as a Claim.

3. Click Next.

4. In the Claim rule name text box, enter the customer ID attribute. For example, aruba-cid.

Configuring Service Provider Metadata in Microsoft ADFS | 18

5. Select a user group.

Figure 9 Selecting a User Group

6. Click OK.

7. Select a customer IDattribute for the Outgoing claim rule and enter a value for the Outgoing

claim value.

SAML SSO | Solution Guide 19

Figure 10 Configuring Claim Rule Details

8. Click Finish.

9. If you have multiple customers, define the customer ID attribute separately for each customer ID.

Step 4:Configure the Application Attribute

To add a rule for the application attribute, complete the following steps:

1. In the Edit Claim Issuance Policy window, click Add Rule.

2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to

Send Group Membership as a Claim.

3. Click Next.

4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App

Name.

5. Select a user group.

6. Select the application attribute for Outgoing claim type and enter a value for the Outgoing claim

value.

Configuring Service Provider Metadata in Microsoft ADFS | 20

Figure 11 Configuring the Application Attribute

7. Click Finish.

Step 5:Configure the Role Attribute

To add a rule for a role attribute, complete the following steps:

1. In the Edit Claim Issuance Policy window, click Add Rule.

2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to

Send Group Membership as a Claim.

3. Click Next.

4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App

Role.

5. Select a user group.

6. Select the role attribute for Outgoing claim type and enter a value for the Outgoing claim value.

Figure 12 Configuring the Role Attribute

Aruba Central, Central 2.5.3 SAML SSO Solution User guide