Deploy Saml-Sso-Solution-Guide

The document provides a comprehensive guide on configuring SAML Single Sign-On (SSO) for Aruba Central, aimed at IT administrators managing user access. It outlines the SAML SSO solution's components, workflows, and configuration steps, including setting up SAML authorization profiles and service provider metadata. Additionally, it emphasizes the importance of understanding SAML concepts and includes troubleshooting tips for common authentication issues.

Aruba Central

SAML Configuration

Solution Guide
Copyright Information
© Copyright 2020 Hewlett Packard Enterprise Development LP.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General
Public License, and/or certain other open source licenses. A complete machine-readable copy of the
source code corresponding to such code is available upon request. This offer is valid to anyone in
receipt of this information and shall expire three years following the date of the final distribution of
this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a
check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company
6280 America Center Drive
San Jose, CA 95002
USA
Contents

About this Document ........ 4
  Intended Audience ........ 4
  Related Documents ........ 4
  Conventions ........ 4
  Terminology Change ........ 4
  Contacting Support ........ 5
Configuring SAML SSO for Aruba Central ........ 6
  SAML SSO Solution Overview ........ 6
  How SAML SSO Works ........ 7
  Configuring SAML SSO ........ 9
    Configuring SAML Authorization Profiles in Aruba Central ........ 9
      Important Points to Note ........ 9
      Before You Begin ........ 9
      Configuring a SAML Authorization Profile ........ 10
    Configuring Service Provider Metadata in IdP ........ 12
      Configuring Service Provider Metadata in Microsoft ADFS ........ 14
      Configuring Service Provider Metadata in PingFederate IdP ........ 21
      Configuring Service Provider Metadata in Aruba ClearPass Policy Manager ........ 28
      Configuring Service Provider Metadata in G Suite ........ 32
  Viewing Federated Users in Aruba Central ........ 42
    Viewing Audit Logs for Federated Users in Aruba Central ........ 42
  Converting System Users to Federated Users ........ 43
    Before you Begin ........ 43
    Migrating Aruba Central Web Application Users to Federated User Profiles ........ 43
    Enabling NB API Access for Federated Users ........ 44
  Troubleshooting SAML SSO Authentication Issues ........ 44
    Installing SAML Tracer on Web Browsers ........ 44
    Viewing SAML Trace Logs ........ 44
    Troubleshooting Tips for Most Common Errors ........ 45

Aruba Central | Solution Guide 3


Chapter 1
About this Document


This document describes how to configure the Security Assertion Markup Language (SAML) Single Sign-On (SSO) solution for Aruba Central.

Intended Audience
This guide is intended for the IT administrators who manage user access for the Aruba Central portal and the IT administrators who manage application access for the users in their organizations.
Aruba recommends that the users of this document familiarize themselves with the SAML SSO concepts before enabling SAML SSO support on Aruba Central.

Related Documents
For more information on Aruba Central, see the Aruba Central Help Center. To access the help center, click the help icon in the Aruba Central UI.

Conventions
The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions

Type Style      Description
Italics         Emphasizes important terms and marks the titles of books.
System items    Fixed-width font used for sample screen output and system prompts.
Bold            Keys that are pressed, text typed into a GUI element, and GUI elements that are clicked or selected.

The following informational icons are used throughout this guide:

- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.

Terminology Change
As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people. Such content is not representative of our HPE culture and moving forward, Aruba will replace racially insensitive terms and instead use the following new language:

Usage                                  Old Language           New Language
Campus Access Points + Controllers     Master-Slave           Conductor-Member
Instant Access Points                  Master-Slave           Conductor-Member
Switch Stack                           Master-Slave           Conductor-Member
Wireless LAN Controller                Mobility Master        Mobility Conductor
Firewall Configuration                 Blacklist, Whitelist   Denylist, Allowlist
Types of Hackers                       Black Hat, White Hat   Unethical, Ethical

Contacting Support
Table 2: Contact Information

Main Site                                   arubanetworks.com
Support Site                                support.arubanetworks.com
Airheads Social Forums and Knowledge Base   community.arubanetworks.com
North American Telephone                    1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone                     arubanetworks.com/support-services/contact-support/
Software Licensing Site                     lms.arubanetworks.com
End-of-life Information                     arubanetworks.com/support-services/end-of-life/
Security Incident Response Team             Site: arubanetworks.com/support-services/security-bulletins/
                                            Email: [email protected]

Chapter 2
Configuring SAML SSO for Aruba Central


The Single Sign-On (SSO) solution simplifies user management by allowing users to access multiple applications and services with a single set of login credentials. If the applications and services are offered by different vendors, IT administrators can use the SAML authentication and authorization framework to provide a seamless login experience for their users.
To provide a seamless login experience for users whose identity is managed by an external authentication source, Aruba Central offers a federated SSO solution based on the SAML 2.0 authentication and authorization framework. SAML is an XML-based open standard for exchanging authentication and authorization data between trusted partners, in particular between an application service provider and the identity management system used by an enterprise. With Aruba Central's SAML SSO solution, organizations can manage user access from a single authentication and authorization source.

SAML SSO Solution Overview


The SAML SSO solution consists of the following key elements:

- Service Provider (SP)—The provider of a business function or service, for example Aruba Central. The service provider requests and obtains an identity assertion from the IdP and, based on that assertion, allows the user to access the service.
- Identity Provider (IdP)—The identity management system that maintains the identity information of the user and authenticates the user.
- SAML request—The authentication request (AuthnRequest) generated when a user tries to access the Aruba Central portal.
- SAML assertion—The authentication and authorization information issued by the IdP to allow access to the service offered by the service provider (the Aruba Central portal).
- Relying Party—The business service that relies on the SAML assertion for authenticating a user, for example Aruba Central.
- Asserting Party—The identity management system (IdP) that creates SAML assertions for a service provider.
- Metadata—XML data exchanged between the trusted partners (IdP and Aruba Central) to establish interoperability: entity IDs, endpoint URLs, and signing certificates.
- SAML attributes—The attributes associated with the user, for example username, customer ID, role, and the group in which the devices belonging to a user account are provisioned. The SAML attributes must be configured on the IdP according to the specifications associated with a user account in Aruba Central. The IdP includes these attributes in the SAML assertion it returns in response to the SAML request from Aruba Central.
- Entity ID—A unique string that identifies a SAML entity, that is, Aruba Central as the service provider issuing the SAML SSO request, or the IdP. According to the SAML specification the string should be a URL, although not all providers require a URL.
- Assertion Consumer Service (ACS) URL—The Aruba Central endpoint to which the IdP returns the SAML response carrying the assertion. This guide also refers to it as the consumer URL.
- User—User with SSO credentials.

Aruba Central's SAML SSO solution supports only one combination of bindings, which this guide calls the HTTP Redirect POST method: the SAML request is sent to the IdP with the HTTP-Redirect binding and the SAML response is received from the IdP with the HTTP-POST binding.
The SAML SSO integration allows federated users to access only the Central UI. API Gateway access is restricted to system users that are configured and managed from Aruba Central.

How SAML SSO Works


Aruba Central supports the following types of SAML SSO workflows:

n SP-initiated SSO
n IdP-initiated SSO

SP-initiated SSO
In an SP-initiated SSO workflow, the SSO request originates in the service provider domain, that is, from Aruba Central. When a user tries to access Aruba Central, a federation authentication request is created and sent to the IdP server.
The following figure illustrates the standard SP-initiated SAML SSO workflow:

Figure 1 SP-Initiated SSO

The SP-initiated SSO workflow with Aruba Central is supported only through the HTTP Redirect POST method. In other words, Aruba Central sends the authentication request to the IdP as an HTTP redirect through the user's browser (HTTP-Redirect binding), and the IdP returns the SAML response with the assertion to Aruba Central through an HTTP POST from the browser (HTTP-POST binding).
The SP-initiated SSO workflow with HTTP Redirect POST includes the following steps:

1. The user tries to access Aruba Central.
2. Aruba Central redirects the user's browser to the IdP, with the SAML authentication request encoded in the redirect URL.
3. The user logs in to the IdP with the SSO credentials.
4. On successful authentication, the IdP returns a digitally signed SAML response with the assertion and attributes in an HTML form that the browser posts to Aruba Central.
5. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to the user.
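The exchange in steps 1 to 5 above, driven end to end in one process, as an added example that is not part of the original guide and not Aruba's code. It shows what the two bindings actually do to the messages: the AuthnRequest is DEFLATE-compressed, Base64-encoded and URL-encoded into the redirect URL, while the Response travels Base64-encoded in a POST form field. It also shows the checks a service provider makes on the response before trusting the attributes (Destination, InResponseTo, Status, Issuer, expiry, Audience). All URLs, entity IDs and attribute values are placeholders constructed for the example; signature creation and verification are deliberately omitted because they need an XML-DSig library, and in a real SP they must run before any of the other checks are believed.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints (assumptions for this example, not real Aruba Central or IdP URLs).
SP_ENTITY_ID = "https://central.example.com/"
ACS_URL = "https://central.example.com/global_login/aaa_saml/example.com?acs"
IDP_ENTITY_ID = "https://idp.example.com/adfs/services/trust"
IDP_SSO_URL = "https://idp.example.com/adfs/ls/"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(delta=timedelta(0)):  # SAML timestamps are UTC with a trailing Z
    return (datetime.now(timezone.utc) + delta).replace(microsecond=0).isoformat().replace("+00:00", "Z")


def build_authn_request(request_id):
    """Steps 1-2 (SP): the AuthnRequest Aruba Central would send to the IdP (unsigned here)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{_ts()}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def redirect_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), Base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = base64.b64encode(comp.compress(authn_request_xml.encode()) + comp.flush()).decode()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": packed, "RelayState": relay_state})


def decode_redirect(url):
    """IdP side of step 2: unpack the query string back into the AuthnRequest XML."""
    qs = parse_qs(urlparse(url).query)
    xml_text = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    return xml_text, qs.get("RelayState", [""])[0]


def build_response(in_response_to, name_id, attributes):
    """Step 4 (IdP): a Response with one bearer assertion. A real IdP signs this (XML-DSig)."""
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                    f'</saml:Attribute>' for n, v in attributes.items())
    expiry = _ts(timedelta(minutes=5))
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(16)}" '
            f'Version="2.0" IssueInstant="{_ts()}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts()}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{ACS_URL}" '
            f'NotOnOrAfter="{expiry}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotOnOrAfter="{expiry}"><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>')


def post_form_fields(response_xml, relay_state="/"):
    """HTTP-POST binding: the browser auto-submits these form fields to the ACS URL."""
    return {"SAMLResponse": base64.b64encode(response_xml.encode()).decode(), "RelayState": relay_state}


def consume_response(form, expected_request_id):
    """Step 5 (SP): checks that must pass before the attributes are trusted. Signature
    verification is intentionally absent (needs xmlsec); it must run before all of these."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issuer is not the configured IdP Entity ID")
    not_after = assertion.find("saml:Conditions", NS).get("NotOnOrAfter")
    if datetime.fromisoformat(not_after.replace("Z", "+00:00")) <= datetime.now(timezone.utc):
        raise ValueError("assertion expired (check NTP on the IdP)")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this SP Entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def run_sp_initiated_flow():
    """Drives the whole exchange in-process; the attributes follow the guide's aruba_* syntax."""
    request_id = "_" + secrets.token_hex(16)            # SP keeps this to check InResponseTo
    url = redirect_url(build_authn_request(request_id), relay_state="/dashboard")
    authn_xml, relay_state = decode_redirect(url)        # IdP unpacks the request
    response_xml = build_response(ET.fromstring(authn_xml).get("ID"), "user@example.com",
                                  {"aruba_1_cid": "1234567890", "aruba_1_app_1": "central"})
    form = post_form_fields(response_xml, relay_state)   # browser POSTs this to the ACS URL
    return consume_response(form, request_id)
```

The InResponseTo check is what ties a posted response to a request the SP actually made; an SP that skips it will accept an unsolicited response, which is exactly what the IdP-initiated flow below relies on, so an SP supporting both must treat the two cases differently rather than simply ignoring the field.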

IdP-initiated SSO
In the IdP-initiated workflow, the SSO request originates in the IdP domain. The IdP server creates a SAML response and redirects the user to Aruba Central; no authentication request from Aruba Central precedes it.
Aruba Central SAML SSO deployments support the IdP-initiated SSO workflow through the HTTP-POST binding. The IdP-initiated SSO workflow consists of the following steps:

1. The user is logged in to the IdP and tries to access Aruba Central from there.
2. The IdP sends a digitally signed HTML form with the SAML assertion and attributes to Aruba Central through the web browser.
3. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to the user.

The following figure illustrates the standard IdP-Initiated SAML SSO workflow:

Figure 2 IdP-Initiated SSO

SAML SSO Single Logout


Aruba Central supports Single Logout (SLO) of SAML SSO users. SLO allows users to terminate the server sessions established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either from the service provider or from the IdP. However, Aruba Central supports only IdP-initiated SLO.

IdP-initiated SAML SLO

The IdP-initiated logout workflow includes the following steps:

1. The user logs out of the IdP.
2. The IdP sends a logout request to Aruba Central.
3. Aruba Central validates the logout request from the IdP, terminates the user session, and sends a logout response to the IdP.
4. The user is logged out of Aruba Central.
5. After the IdP receives a logout response from all service providers, the IdP logs out the user.

Configuring SAML SSO


The SAML SSO configuration for Aruba Central includes the following steps:

1. Configure user accounts and roles in Aruba Central. For more information, see the Managing User Access topic in the Aruba Central Help Center.
2. Configure a SAML authorization profile in Aruba Central.
3. Configure the service provider metadata, such as the metadata URL, Assertion Consumer Service URL, name, and other attributes, on the IdP server.

Configuring SAML Authorization Profiles in Aruba Central

For the SAML SSO solution with Aruba Central, you must configure a valid SAML authorization profile in the Aruba Central portal.

Important Points to Note


- The SAML authorization profile configuration feature is available only for the admin users of an Aruba Central account. Aruba Central allows only MSP admin users to configure SAML authorization profiles for their respective tenant accounts.
- Each domain can have only one federation. There must be at least one verified user belonging to the domain in the system users' list.
- Aruba Central allows only one authorization profile per domain.
- SAML user access is determined by the role attributes included in the SAML assertion provided by the IdP.
- SAML users with admin privileges can configure system users in Aruba Central.
- SAML users can initiate a Single Sign-On request by trying to log in to Aruba Central (SP-initiated login). However, SAML users cannot initiate a single logout request from Aruba Central.
- The following menu options in the Aruba Central UI are not available for a SAML user:
  - Enable MSP and Disable MSP: SAML users cannot enable or disable MSP deployment mode in Aruba Central.
  - Change Password: Aruba Central does not support changing the password of a SAML user account; the password is managed at the IdP.

Before You Begin


Before you begin, ensure that you have the following information from the IdP:

- Entity ID—A unique string that identifies the IdP. According to the SAML specification, the string should be a URL, although not all providers require a URL.
- Login URL—The single sign-on service URL of the IdP, to which Aruba Central redirects the SAML request.
- Logout URL—The single logout service URL of the IdP.
- Certificate details—The IdP's SAML signing certificate in Base64-encoded (PEM) format. Aruba Central uses this certificate to verify that the SAML assertions and logout requests it receives were signed by that IdP.
- Metadata URL—The metadata URL configured on the IdP server, if you want to import the values above from the IdP metadata file instead of entering them manually.

SAML profiles can also be configured using NB APIs. If you want to use NB APIs for configuring SAML profiles, use the APIs available under the SSO Configuration category in the Aruba Central API Gateway.

Configuring a SAML Authorization Profile


To configure SAML authorization profiles in Aruba Central:

1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is displayed.
2. To add an authorization profile, enter the domain name.

Ensure that the domain has at least one verified user.

For public cloud deployments, Aruba Central does not support adding hpe.com, arubanetworks.com, or free public domain names such as gmail.com, yahoo.com, or facebook.com for SAML authorization profiles.

3. Click Add SAML Profile.
4. To manually enter the metadata:
   a. Select Manual Setting and enter the following information:
      - Entity ID—Entity ID configured on the IdP server.
      - Login URL—Login URL configured on the IdP server.
      - Logout URL—Logout URL configured on the IdP server.
      - Certificate—Certificate details. Ensure that the certificate content is in the Base64-encoded format. You can either upload a certificate or paste the contents of the certificate in the text box.

   Ensure that the Entity ID, Login URL, and Logout URL fields have valid HTTPS URLs.

   b. Click Save.
The following shows an example of the manual entry of metadata:



Figure 3 Manual Addition of Metadata

5. If you have already configured the IdP server and downloaded its metadata file, you can upload the metadata file instead of entering the values manually. To upload a metadata file:
   a. Select Metadata File. Ensure that the metadata file is in XML format and includes valid certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.
   b. Click Browse and select the IdP metadata file. Aruba Central extracts the Entity ID, Login URL, Logout URL, and certificate contents.
   c. Verify the details.
   d. Click Save.
The following shows an example of content imported from a metadata file:



Figure 4 Importing Information from a Metadata File

Configuring Service Provider Metadata in IdP


Aruba Central supports the SAML SSO authentication framework with various identity management vendors, such as ADFS, PingFederate, Aruba ClearPass Policy Manager, and so on.
Aruba recommends that you look up the instructions provided by your organization for adding service provider metadata to the IdP server in your setup.
Some of the generic and necessary attributes that must be configured on the IdP server for SAML integration with Aruba Central are described in the following list:


- Metadata URL—URL that provides the Aruba Central service provider metadata.
- Entity ID—A unique string that identifies the service provider that issues the SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require a URL.
- Assertion Consumer Service (ACS) URL—The Aruba Central URL to which the IdP sends its authentication response. This guide also refers to it as the consumer URL.
- NameID—The NameID element must carry the email address of the user, for example:
  <NameID>[email protected]</NameID>
  If the NameID does not return the email address of the user, you can use the aruba_user_email attribute. Ensure that you configure either the NameID or the aruba_user_email attribute for each user.
- SAML attributes—The following example shows the syntax structure for the SAML attributes; values in angle brackets are placeholders:

  #customer 1
  aruba_1_cid = <customer-id>
  # app1, scope1
  aruba_1_app_1 = central
  aruba_1_app_1_role_1 = <readonly>
  aruba_1_app_1_role_1_tenant = <admin>
  aruba_1_app_1_group_1 = groupx, groupy
  aruba_1_app_2 = device_profiling
  aruba_1_app_2_role_1 = <readonly>
  aruba_1_app_3 = account_setting
  aruba_1_app_3_role_1 = <readonly>

  #customer 2
  aruba_2_cid = <customer-id>
  # app1, scope1
  aruba_2_app_1 = central
  aruba_2_app_1_role_1 = <readonly>
  aruba_2_app_1_role_1_tenant = <admin>
  aruba_2_app_1_group_1 = groupx, groupy
  aruba_2_app_2 = device_profiling
  aruba_2_app_2_role_1 = <readonly>
  aruba_2_app_3 = account_setting
  aruba_2_app_3_role_1 = <readonly>

Note the following points when defining SAML attributes in the IdP server:

- cid—Customer ID. If you have multiple customers, define the attributes separately for each customer ID.
- app—Application. Set the value as follows:
  - Network Operations: central
  - ClearPass Device Insight: device_profiling
  - Account Home: account_setting
- role—User role. If no role is defined, Aruba Central assigns the read-only role to the user.
- tenant role—Tenant user role. If the tenant role is not defined in the IdP, the MSP role is assigned to the SAML user.
- group—Group in Aruba Central. When a group is specified in the attribute, the user is allowed to access only the devices in that group. If the attribute does not include any group, Aruba Central allows the SAML SSO user to access all groups. You can also configure custom attributes to add multiple groups if the user requires access to multiple groups.

Aruba recommends that you configure the Account Home application. If the IdP does not return the Account Home application, the Network Operations role is applied by default.
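A parser for the attribute syntax above and the defaults listed after it, as an added example that is not part of the guide and not Aruba Central's own logic. Its input is the attribute map from an assertion's AttributeStatement ({name: [values]}); it groups the aruba_<n>_* attributes per customer and application, applies the stated defaults (no role means read-only, no tenant role means the MSP role, no group means all groups), ignores unrelated claims such as an ADFS group claim, and also resolves the user's email from NameID with the aruba_user_email fallback. The claims are constructed for the example; "readonly" and "admin" stand in for the <readonly> and <admin> placeholders, and the customer ID is invented.

```python
import re

# Application identifiers and the products they map to, as listed in the guide.
APP_NAMES = {"central": "Network Operations",
             "device_profiling": "ClearPass Device Insight",
             "account_setting": "Account Home"}

# aruba_<c>_cid | aruba_<c>_app_<n> | aruba_<c>_app_<n>_role_<k>[_tenant] | aruba_<c>_app_<n>_group_<k>
_KEY = re.compile(r"^aruba_(\d+)_(cid|app_(\d+)(?:_role_(\d+)(_tenant)?|_group_(\d+))?)$")

# Constructed claims following the guide's syntax. "readonly"/"admin" stand in for the
# <readonly>/<admin> placeholders; the last entry is an unrelated ADFS group claim.
SAMPLE_CLAIMS = {
    "aruba_user_email": ["user@example.com"],
    "aruba_1_cid": ["1234567890"],
    "aruba_1_app_1": ["central"],
    "aruba_1_app_1_role_1": ["readonly"],
    "aruba_1_app_1_role_1_tenant": ["admin"],
    "aruba_1_app_1_group_1": ["groupx, groupy"],
    "aruba_1_app_2": ["device_profiling"],
    "aruba_1_app_3": ["account_setting"],
    "aruba_1_app_3_role_1": ["readonly"],
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": ["Domain Users"],
}


def user_email(name_id, attrs):
    """The NameID must carry the email address; otherwise fall back to aruba_user_email."""
    if name_id and "@" in name_id:
        return name_id
    fallback = attrs.get("aruba_user_email") or [""]
    if "@" in fallback[0]:
        return fallback[0]
    raise ValueError("neither NameID nor aruba_user_email carries an email address")


def parse_aruba_attributes(attrs):
    """attrs is {attribute name: [values]} as taken from the AttributeStatement.
    Returns {customer index: {"cid": ..., "apps": {app index: {"app", "roles", "groups"}}}}."""
    customers = {}
    for name, values in attrs.items():
        m = _KEY.match(name)
        if not m:
            continue                      # not an aruba_* access attribute
        cidx, kind, aidx, ridx, tenant, gidx = m.groups()
        cust = customers.setdefault(cidx, {"cid": None, "apps": {}})
        value = values[0].strip() if values else ""
        if kind == "cid":
            cust["cid"] = value
            continue
        app = cust["apps"].setdefault(aidx, {"app": None, "roles": {}, "groups": []})
        if gidx is not None:              # comma-separated list of Aruba Central groups
            app["groups"].extend(g.strip() for g in value.split(",") if g.strip())
        elif ridx is None:                # aruba_<c>_app_<n> = central | device_profiling | account_setting
            app["app"] = value
        else:                             # the role, or the tenant role attached to that role
            app["roles"].setdefault(ridx, {})["tenant" if tenant else "role"] = value
    return customers


def effective_access(customers):
    """Apply the defaults stated in the guide: no role -> read-only, no tenant role -> MSP role
    (None here), no group -> all groups ("ALL"). Returns {customer ID: {app: access}}."""
    result = {}
    for cust in customers.values():
        if not cust["cid"]:
            raise ValueError("customer block without aruba_<n>_cid")
        apps = {}
        for app in cust["apps"].values():
            if app["app"] not in APP_NAMES:
                raise ValueError(f"unknown application {app['app']!r}")
            roles = [{"role": r.get("role", "readonly"), "tenant": r.get("tenant")}
                     for _, r in sorted(app["roles"].items(), key=lambda kv: int(kv[0]))]
            apps[app["app"]] = {"roles": roles or [{"role": "readonly", "tenant": None}],
                                "groups": app["groups"] or "ALL"}
        result[cust["cid"]] = apps
    return result
```

Because the default for a missing group attribute is access to all groups, a claim rule that is scoped to the wrong Active Directory group, or that fails to fire, silently widens the user's device scope rather than narrowing it; running the attributes from a SAML trace through effective_access before going live shows the access a user will actually receive.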

See Also:

- Configuring Service Provider Metadata in Microsoft ADFS on page 14
- Configuring Service Provider Metadata in PingFederate IdP on page 21
- Configuring Service Provider Metadata in Aruba ClearPass Policy Manager on page 28
- Configuring Service Provider Metadata in G Suite on page 32

Configuring Service Provider Metadata in Microsoft ADFS


This procedure describes the steps required for configuring service provider metadata in Microsoft Active Directory Federation Services (ADFS) for SAML integration with Aruba Central.
ADFS runs on Windows Server and provides users with SSO access to application services hosted by trusted service providers.

This topic provides a basic set of guidelines for setting up an ADFS instance on Windows Server 2016 as an IdP. The images used in this procedure may change with Windows Server updates.

Before you Begin


- Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.
- Ensure that ADFS is installed and available for configuration on a Windows server. For more information, see the ADFS Deployment Guide.
- Ensure that an Active Directory security group is configured and the users are added as group members. For more information, see the ADFS Deployment Guide.

Steps to Configure Service Provider Metadata in ADFS


To enable SAML integration with ADFS, complete the following steps:

- Step 1—Adding a Relying Party Trust
- Step 2—Configure the Name ID Attribute
- Step 3—Configure the Customer ID Attribute
- Step 4—Configure the Application Attribute
- Step 5—Configure the Role Attribute
- Step 6—Configure the Group Attribute
- Step 7—Configure the Logout URL
- Step 8—Exporting Token-signing Certificate
- Step 9—SAML Authorization Profile in Aruba Central

Step 1—Adding a Relying Party Trust


To configure Aruba Central and ADFS as trusted partners:

1. On Windows Server, click Start > Administrative Tools > AD FS Management. The ADFS administrative console opens.
2. Click the AD FS folder and select Add Relying Party Trust from the Actions menu.
3. Select Enter data about the relying party manually.
4. Click Next.
5. Enter a Display Name. The name entered here is displayed in the management console and to the users logging in to Aruba Central.
6. Click Next.
7. Select AD FS Profile and then click Next.
8. Select the Enable support for the SAML 2.0 WebSSO protocol check box and enter the Assertion Consumer Service URL of Aruba Central, that is, the URL to which ADFS posts the SAML response.
9. Click Next.
10. Add the Aruba Central Entity ID as the relying party trust identifier. ADFS matches this identifier against the Issuer of incoming authentication requests, so it must be exactly the Entity ID published in the Aruba Central service provider metadata.
11. Click Next.
12. Select the preferred security setting. Permit all users to access this relying party lets every Active Directory account obtain an assertion for Aruba Central; to limit federation to the security group prepared under Before you Begin, choose an access control policy that permits a specific group instead.
13. Click Close.
14. Verify that Aruba Central is added to the list of relying party trusts.

Step 2—Configure the Name ID Attribute


The Name ID attribute is used for user identification. For SAML integration with Aruba Central, the Name ID attribute must include the email address of the user. If the Name ID attribute does not return the email address of the user, use the aruba_user_email attribute.
To configure the Name ID attribute:

1. Select the display name you just added for Aruba Central and click Edit Claim Issuance Policy.
2. In the Edit Claim Issuance Policy window, click Add Rule.
3. Set the Claim Rule template to Send LDAP Attributes as Claims.
4. Click Next.
5. In the Claim rule name text box, enter Name-ID.
6. Select Active Directory (LDAP) as the Attribute store.
7. Select User-Principal-Name as the LDAP attribute and Name ID as the Outgoing Claim Type. This only works when the UPN equals the user's email address; if your UPN suffix differs from the mail domain, select E-Mail-Addresses instead, or add a second rule that sends the email address as the aruba_user_email claim.
8. Click Finish.

Step 3—Configure the Customer ID Attribute


To create a rule with the customer ID attribute:

1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the customer ID attribute. For example, aruba-cid.
5. Select a user group.
6. Click OK.
7. Enter the customer ID attribute (for example, aruba_1_cid) as the Outgoing claim type and the Aruba Central customer ID as the Outgoing claim value.
8. Click Finish.
9. If you have multiple customers, define the customer ID attribute separately for each customer ID.

Step 4—Configure the Application Attribute


To add a rule for the application attribute:

1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter a name for the rule. For example, Aruba Central App Name.
5. Select a user group.
6. Enter the application attribute (for example, aruba_1_app_1) as the Outgoing claim type and the application identifier (central, device_profiling, or account_setting) as the Outgoing claim value.
7. Click Finish.

Step 5—Configure the Role Attribute


To add a rule for a role attribute:

1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter a name for the rule. For example, Aruba Central App Role.
5. Select a user group.
6. Enter the role attribute (for example, aruba_1_app_1_role_1) as the Outgoing claim type and the Aruba Central role as the Outgoing claim value.
7. Click Finish.

If the role attribute is not configured, Aruba Central assigns a read-only role to the user.

Step 6—Configure the Group Attribute


If you want to restrict user access to a group in Aruba Central, you can configure the group attribute. If the group attribute is not configured, Aruba Central allows SAML SSO users to access all groups.
To add a rule for a group attribute:

1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter a name for the rule. For example, Aruba Central App Group.
5. Select a user group.
6. Enter the group attribute (for example, aruba_1_app_1_group_1) as the Outgoing claim type and the Aruba Central group name, or a comma-separated list of group names, as the Outgoing claim value.
7. Click Finish.

Step 7—Configure the Logout URL


To enable IdP-initiated logout:

1. Select the relying party trust entry created for Aruba Central and click Properties.
2. Click Endpoints.
3. To add a logout URL, click Add SAML.
4. Select SAML Logout as the endpoint type.
5. Select Redirect as the Binding.
6. Enter the Aruba Central logout URL as the Trusted URL. Sample Trusted URL:
   https://portal-yoda.arubathena.com/global_login/aaa_saml/adfsaruba.com?sls
7. Enter the IdP logout URL as the Response URL.
8. Click OK.

Step 8—Exporting Token-signing Certificate


The token-signing certificate is required for SAML authentication: Aruba Central uses it to verify the signature on the assertions that ADFS issues. To export the token-signing certificate:

1. In the ADFS management console, go to AD FS > Service > Certificates.
2. Click the certificate under Token-signing and select View Certificate from the contextual menu.
3. Click Details > Copy to File.
4. Click Next and select Base-64 encoded X.509 (.CER) as the certificate format.
5. Click Next.
6. Save the certificate file to a local directory.

ADFS renews its token-signing certificate automatically unless AutoCertificateRollover has been disabled. When the certificate changes, assertions signed with the new key fail validation in Aruba Central until the SAML authorization profile is updated with the new certificate, so track the rollover date and repeat this step before it.

Step 9—SAML Authorization Profile in Aruba Central


For information on how to configure a SAML authorization profile, see Configuring SAML Authorization
Profiles in Aruba Central.

Configuring Service Provider Metadata in PingFederate IdP


This procedure describes the steps required for configuring service provider metadata in PingFederate.

This topic provides a basic set of guidelines for configuring service provider metadata on the PingFederate server. The images and attributes may change with PingFederate software updates.


Before you Begin
Go through the SAML SSO feature description to understand how SAML framework works in the context of
Aruba Central.

Steps to Configure Service Provider Metadata in PingFederate


To configure service provider metadata in PingFederate, complete the following steps:

- Step 1—Create an SP Connection Profile
- Step 2—Configure Browser SSO Settings
- Step 3—Configure Credentials
- Step 4—Review Configuration
- Step 5—SAML Authorization Profile in Aruba Central

Step 1—Create an SP Connection Profile


1. Log in to the PingFederate administration console.
2. Click IdP Configuration > SP Connections > Create New. The SP Connections page opens.
3. In the Connection Type tab, select Browser SSO Profiles.
4. Click the General Info tab.
5. Verify the Entity ID and select the logging mode.
6. Click Next and configure the Browser SSO settings.

Step 2—Configure Browser SSO Settings


1. On the SP Connections page in the PingFederate administrative console, click Browser SSO.
2. Click Configure Browser SSO.
3. Select the following SAML profiles:
   - IDP-INITIATED SSO
   - SP-INITIATED SSO
4. Click Next. The Assertion Lifetime tab opens.
5. Click Next. The Assertion Creation page opens.
a. Click Configure Assertion Creation. The Assertion Creation wizard opens.

b. Click Next. The Attribute Contract page opens.

c. Add the SAML attributes in the SAML assertion. The IdP will send these attributes in the SAML Assertion.



d. Click Next. The Authentication Source Mapping tab opens.

e. Click Map New Adapter Instance. The adapter configuration screen opens.

f. Complete the following configuration steps:

g. Click Mapping Method and select a mapping option.

h. Click Attribute Sources and User Lookup

i. To add a data source, click Add Attribute Store and add the data store ID as shown in the following
figure:



j. Click Save.

6. On the SP Connections > Browser SSO Settings page, click Protocol Settings to configure the
Browser SSO Protocol Settings, SSO service URLs, and SAML bindings.

7. Click Configure Protocol Settings and complete the following steps:


a. Verify the Assertion Consumer Service URL. The endpoint URLs for Redirect and Post bindings are
both automatically populated from the metadata. If not, enter the URL manually. The URL will be the
same for both bindings.

b. Click Next. The Allowable SAML Bindings tab opens.



c. Select Post and Redirect.
d. Click Next. The Encryption Policy Settings tab opens.
e. Select None. The assertion is then signed (Step 3) but not encrypted; Aruba Central validates the signature, and the browser carries the assertion to Aruba Central over HTTPS.
f. Click Next and review the protocol settings.
g. Click Done.

Step 3—Configure Credentials


1. On the SP Connections page in the PingFederate administrative console, click Credentials.
2. Click Configure Credentials.
3. Click Digital Signature Settings.
4. Select the certificate to use for signing SAML messages. This is the certificate whose public part you import into the SAML authorization profile in Aruba Central.

Step 4—Review Configuration


To review the configuration, click the Activation & Summary tab.

Step 5—SAML Authorization Profile in Aruba Central



For information on how to configure a SAML authorization profile, see Configuring SAML Authorization
Profiles in Aruba Central.

Configuring Service Provider Metadata in Aruba ClearPass Policy Manager

This procedure describes the configuration steps required for setting up Aruba ClearPass Policy Manager as
an IdP.

ClearPass must be synced to NTP along with any other SAML SPs and IdPs. If clocks are out of sync,
SAML will not function.

Before you Begin


- Go through the SAML SSO feature description to understand how the SAML framework works in the context of
  Aruba Central.
- Ensure that you have access to the ClearPass Policy Manager instance.
- Ensure that you have downloaded the SAML metadata from Aruba Central.

Steps to Configure ClearPass Policy Manager as an IdP


To configure ClearPass as an IdP for providing SAML authentication and authorization services to Aruba
Central, complete the following steps:

- Step 1—Configuring Enforcement Profile and Policies
- Step 2—Adding Roles
- Step 3—Mapping Roles to Enforcement Policies
- Step 4—Configuring an IdP Service
- Step 5—Uploading SP Metadata
- Step 6—Adding Local Users
- Step 7—Configuring SAML Authorization Profile in Aruba Central

Step 1—Configuring Enforcement Profile and Policies


To configure an enforcement profile:

1. Go to Configuration > Enforcement > Profiles.
2. Click Add to add a new enforcement profile. The Enforcement Profiles page is displayed.
3. In the Profile tab, select Generic Application Enforcement from the Template drop-down list.
4. Enter a name and description for the profile in the Name and Description fields.
5. In the Action field, click and select Accept from the given options.
6. Click Next. The Attributes tab is displayed.
7. Click to add the attribute name and attribute value in the Attributes Name and Attributes Value
fields. Ensure that you add Aruba-defined attributes and values. For more information about Aruba-defined
attributes, see Configuring Service Provider Metadata in IdP.
8. Click Next. The Summary tab is displayed.



9. In the Summary tab, check the information entered in the Profile and Attributes field and click
Save to save the enforcement profile.

To configure an enforcement policy:

1. Go to Configuration > Enforcement > Policies.
2. Click Add to add a new enforcement policy. The Enforcement Policies page is displayed.
3. Enter a name and description for the policy in the Name and Description fields.
4. In the Enforcement Type field, click and select Application.
5. From the Default Profile drop-down list, select the profile that you created.
6. Click Next. The Rules tab is displayed.
7. To configure the rules, follow the steps described in Step 3 below.
8. Click Next. The Summary tab is displayed.
9. In the Summary tab, check and validate the information and click Save to save the enforcement
policy.

Step 2—Adding Roles


To add a user role:

1. Go to Configuration > Identity > Roles. The Roles page is displayed.
2. To add a new role, click Add in the Roles page.

3. Enter the role name and description in the Name and Description fields and click Save to save the
role.

Step 3—Mapping Roles to Enforcement Policies


To map roles to enforcement policies:

1. Go to Configuration > Enforcement > Policies. The Enforcement Policies page is displayed.
2. Click and select the policy that you created.



3. Click the Rules tab and select Add rule to map a rule to the policy.
4. In the Rules Editor page, fill in the Type, Name, Operator, and Values as shown in the following
example figure.

5. In the Profile Names under Enforcement Profiles, select the profile that you created and click
Save.
6. Click Save.

Step 4—Configuring an IdP Service


To configure an IdP service:

1. Go to Configuration > Services. The Services page is displayed.
2. From the Services page, click Add to add a new service.
3. In the Service tab, select Aruba Application Authentication from the Type drop-down list.
4. Enter a name prefix and description for the service in the Name Prefix and Description fields
respectively. This prefix is used to name all of the services and enforcement policies/profiles created
by the wizard.
5. Optionally, enable monitor mode and more options by selecting the Monitor Mode and More Options
check boxes. By default, both check boxes are cleared.
6. From the Service Rule option, select whether ANY or ALL of the following conditions must match.
7. Define the Type, Name, Operator, and Values for each condition by clicking and selecting from the
respective drop-down lists.
8. Click Next. The Authentication tab is displayed.
9. Select [Local User Repository] [Local SQL DB] as the authentication source from the Authentication
Sources drop-down list.
10. Click Next. The Roles tab is displayed.
11. Keep the default values in the Roles tab.
12. Click Next. The Enforcement tab is displayed.
13. Select an enforcement policy from the Enforcement Policy drop-down list.
14. Click Next. The Summary tab is displayed.
15. In the Summary tab, check that all the information in the Service, Authentication, Roles, and
Enforcement fields is correct and click Save to save the service.



Step 5—Uploading SP Metadata
To upload SP metadata:

1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page
is displayed.
2. Select the SAML authorization profile configured for the ClearPass IdP service, click Show Metadata,
and download the metadata.
3. To upload SP metadata, go to Configuration > Identity > Single Sign-On (SSO).
4. Click the SAML IdP Configuration tab, and then click Add SP metadata.
5. Set the SP name to Aruba Central, select the metadata file, and click Upload.

Step 6—Adding Local Users


To add local users:

1. Go to Configuration > Identity > Local Users. The Local Users page is displayed.
2. In the Local Users page, click Add. The Add Local User page is displayed.
3. Enter the user ID, name, and password in their respective fields.
4. Enter the password again to verify password in the Verify Password field.
5. By default, the Enable User check box is selected.
6. Select the Change Password check box if you want to force change the password on next user
login. By default, the check box is not selected.
7. Select the role from the Role drop-down list and click Add to add the user. The following figure shows
an example of adding a user:

Step 7—Configuring SAML Authorization Profile in Aruba Central


For information on how to configure a SAML authorization profile, see Configuring SAML Authorization
Profiles in Aruba Central.

Configuring Service Provider Metadata in G Suite


This procedure describes the configuration steps required for setting up service provider metadata in G
Suite.

Before you Begin


- Go through the SAML SSO feature description to understand how the SAML framework works in the context of
  Aruba Central.
- Ensure that you have a G Suite domain and administrator access to it. For more information,
  see G Suite Admin Help.
- Ensure that you have a verified user in Aruba Central.
- Ensure that you have downloaded the SAML metadata from Aruba Central.

Steps to Configure Service Provider Metadata in Google Admin Console

To configure Google Admin Console for providing SAML authentication and authorization services to Aruba
Central, complete the following steps:

- Step 1—Add Custom Attributes
- Step 2—Add new user
- Step 3—Add values to custom attributes
- Step 4—Set up Custom SAML app
- Step 5—Turn on SSO to your new SAML app

Step 1—Add Custom Attributes


To add custom attributes in Google Admin:

1. In the Google Admin console, go to Users > More > Manage custom attributes. The Manage
user attributes page is displayed.
2. At the top right corner, click Add Custom Attribute.
3. In the Add custom fields pop-up window, configure the parameters as per the following table:

Parameter       Description

Category        Enter a name for the category you want to add.

Description     Optionally, enter a description for the category.

Custom fields   Configure the custom fields as follows:
                Name— Enter the label you want to display on the user's account page.
                Info type— Select one of the following from the drop-down list:
                  a. Text
                  b. Whole Number
                  c. Yes or No
                  d. Decimal number
                  e. Phone
                  f. Email
                  g. Date
                Visibility— Select one of the following from the drop-down list:
                  a. Visible to user and admin
                  b. Visible to organization
                No. of values— Select one of the following from the drop-down list:
                  a. Multi-Value
                  b. Single-value

NOTE: You cannot edit the Info type and No. of values after you have created the custom attribute.

NOTE: You can add multiple custom attributes in the Custom fields. Make sure that you add the
Aruba-supported attributes in the Name field. For more information on Aruba-supported attributes, see
Configuring Service Provider Metadata in IdP.

4. Click Add to finish adding the custom attributes.

Step 2—Add new user


To add a new user in the Google Admin console:

1. In the Google Admin console, go to Users > Add new user. The Add new user page is displayed.
2. To add an image for the user, click Add photo and select the image file from the storage. You can also
add the image later if you do not have it ready.



3. Fill the account information as per the following table:

Parameter           Description

First name          Enter the first name of the user.

Last name           Enter the last name of the user.

Primary email       Enter the primary email of the user.

Organization unit   This field is populated automatically.

Secondary email     Optionally, enter the secondary email of the user.

Phone number        Optionally, enter the phone number of the user.

4. Either generate the password automatically by turning on the toggle button, or enter the password
manually. By default, you have to enter the password manually. When creating the password, make sure
that it is at least 8 characters long.
5. Optionally, turn on the toggle to ask the user to change the password at the next sign-in.
6. Click Add New User.

Step 3—Add values to custom attributes


You can add or update values for custom attributes on the User information page for a user. To add
values to custom attributes:

1. In the Google Admin console, click Users. The Users page is displayed.
2. From the users list, find the user by using a filter or the Search bar. For more information on how to find
the user, see Find a user account.
3. Click User information.
4. Click the Aruba-Attributes section to edit it.
5. Add or change values of custom attributes as shown in the following example figure:

6. Click Save.

You can assign to the user only roles that already exist and are valid in Aruba Central. For more
information on roles, see Configuring User Roles.

Step 4—Set up Custom SAML app


To set up your own custom SAML app:

1. Log in to G Suite. The Admin console is displayed.
2. From the Admin Console main screen, click Apps. The Apps page is displayed.
3. From the Apps screen, click SAML apps. The SAML apps page is displayed.
4. Click the + sign at the bottom of the screen to add a new SAML app (or edit an existing one).
The Enable SSO for SAML Application window is displayed.
5. Click Setup My Own Custom App.
The Google IdP Information window opens, and the SSO URL and Entity ID fields are populated
automatically.



6. Get the setup information needed using one of these methods:
a. Copy the SSO URL and Entity ID and download the Certificate.
b. Download the IdP metadata.



7. In a separate browser tab or window, sign in to Aruba Central and enter the information you copied
in step 6 above into the appropriate SSO configuration page, then return to the Admin console. For
information on how to configure a SAML authorization profile, see Configuring SAML Authorization
Profiles in Aruba Central.
8. Click Next.
9. In the Basic Information for Your Custom App window, add an application name and description.
10. Optionally, upload a PNG or GIF file to serve as an icon for your custom app. The icon image should
be 256 x 256 pixels.
11. Click Next.
12. In Aruba Central, select the SAML authorization profile configured for the domain, click Show
Metadata, download the metadata, and return to the G Suite Admin console.
13. In the Service Provider Details window, enter the ACS URL, Entity ID, and Start URL (if needed)
for your custom app. These values are all provided in the downloaded metadata.
14. By default, the Signed Response check box is not selected.
15. The Name ID and Name ID Format fields are populated automatically.
16. Click Next.
17. Optionally, click Add New Mapping and enter a new name for the attribute you want to map.
18. In the drop-down list, select the category and user attributes to map the attribute from the Google
profile.
19. Click Finish.

Step 5—Turn on SSO to your new SAML app


To turn on SSO in your SAML app:

1. In the Google Admin console, go to Apps > SAML apps and select the SAML app that you created.
2. At the top right corner of the gray box, click Edit Service.
3. To turn a service on or off for everyone in your organization, click On for everyone or Off for
everyone in the Service status option, and then click Save.

Viewing Federated Users in Aruba Central


If your Aruba Central account has SAML SSO users, Aruba Central displays these users as federated users.
To view a list of federated users in your account:

1. In the Account Home page, under Global Settings, click Users & Roles. The Users & Roles page
opens.
2. In the Users table, use the filter in the User Type column to show only federated users.

Viewing Audit Logs for Federated Users in Aruba Central

The activity of federated (SAML SSO) users is logged in Aruba Central as audit trails.
To view the audit logs for federated users:

1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is
displayed.
2. To filter audit logs by federated user activity, click the filter in the Category column and select User
Activity.



To view audit logs for the SAML authorization profiles, in the Audit Trail page, select SAML Profile
from the Classification filter.

Converting System Users to Federated Users


System users in Aruba Central use the standard authentication method, whereas federated users sign in to
Aruba Central using the SAML-based SSO authentication method. If your business requires you to move system
users from the standard authentication method to SAML-based authentication, follow the steps described in
this section:

Before you Begin


Check whether the user accesses Aruba Central through the web application, the API Gateway, or the
mobile app.

Aruba does not support SAML-based SSO logins for the Aruba Central API Gateway, Aruba Installer, and
Aruba Central mobile apps; hence, it is recommended that you do not convert the API Gateway and
mobile app user profiles to federated users.

Migrating Aruba Central Web Application Users to Federated User Profiles

To move system users of the Aruba Central web application to the SAML-based authentication method:

1. Back up the user profiles in the domain that is being migrated to SAML-based authentication
framework. To view and create a backup of a list of existing user profiles, access the [GET]
/platform/rbac/v1/users NB API.
2. Restore the current users in the system along with role and scope information defined for each user.
To restore user profiles in bulk, use the [POST] /platform/rbac/v1/bulk_users API in the same
domain.
3. Validate the configuration for one user.
4. If the migration is successful, remove the remaining system users in the domain by using one of the
following methods:
   - In the Account Home page, under Global Settings, click Users & Roles, select the user profile that
     you want to delete, and click the delete icon.
   - Access the [DELETE] /platform/rbac/v1/bulk_users API and add the user account names in the
     Parameters section.
   Example:

   Param –
   [
   "[email protected]","[email protected]","[email protected]"
   ]

5. Ensure that there is at least one system admin user in the domain that you are migrating to SAML-
based SSO authentication framework.



6. Validate the SSO workflow for the users that you just migrated to the SAML-based SSO
authentication method.

Enabling NB API Access for Federated Users


To enable NB API access for federated users:

1. Log in to the Aruba Central web application using the SAML-based SSO authentication method.
2. In the Account Home page, under Global Settings, click API Gateway.
3. Click My Apps & Tokens.
4. Click + Add Apps & Tokens and generate an OAuth token.

For more information on generating tokens and API Gateway bootstrapping, see Aruba Central API Gateway
Documentation.

Troubleshooting SAML SSO Authentication Issues


This section provides troubleshooting guidelines and tips to help Aruba Central administrators diagnose
and fix issues related to SAML SSO authentication.

Installing SAML Tracer on Web Browsers


To view SAML trace logs, you can install SAML Tracer in your web browser. To install SAML Tracer:

- Mozilla Firefox—Go to https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/.
- Google Chrome—Go to https://chrome.google.com/webstore/category/extensions.

Viewing SAML Trace Logs


To view the SAML trace logs, open the SAML Tracer add-on in the web browser. SAML Tracer records all HTTP
requests sent or received by your browser. If an HTTP request contains SAML, the SAML tab in the SAML
Tracer window records the trace.
For example, when a SAML user logs in, you can verify the SAML attributes that are recorded. Note the
key elements in the SAML attribute output when diagnosing a SAML authentication error.

<Subject>
  <NameID>[email protected]</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="ONELOGIN_f937f6f66c3d29c4713eee99e09fd31e23ae6fec"
      NotOnOrAfter="2019-06-14T11:57:47.883Z"
      Recipient="https://portal-yodaacdc.arubathena.com/global_login/aaa_saml/adfsaruba.com?acs"/>
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-06-14T11:52:47.881Z" NotOnOrAfter="2019-06-14T12:52:47.881Z">
  <AudienceRestriction>
    <Audience>https://portal-yodaacdc.arubathena.com/global_login/aaa_saml/adfsaruba.com/metadata</Audience>
  </AudienceRestriction>
</Conditions>
<AttributeStatement>
  <Attribute Name="aruba_1_cid">
    <AttributeValue>ab8eeb91a8434025a3ecbdad9b8af705</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1">
    <AttributeValue>central</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1_role_1">
    <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1_role_1_tenant">
    <AttributeValue>readonly</AttributeValue>
  </Attribute>

Troubleshooting Tips for the Most Common Errors

Error 1— A blank page is displayed when the SAML user is redirected to the IdP server
- Description: When a SAML user is redirected to the IdP server for authentication, the IdP server does not
  return the SAML response and displays a blank page.
- Cause: This issue may occur when the Service Provider metadata for Aruba Central is not configured on
  the IdP server.
- Solution: Configure Service Provider metadata for your Aruba Central account in the IdP server.

Error 2— The SAML user is logged out of Aruba Central after logging in to IdP
- Description: The SAML user gets logged out of Aruba Central after logging in to the IdP server, and the
  following error code is displayed in the browser:

  error_code=INVALID+EXTERNAL+AUTH+REQUEST

- Cause: This issue may occur when the customer ID for the SAML user is not successfully retrieved from
  the IdP server.
- Solution: Verify the trace logs, check the IdP configuration for customer ID details, and ensure that the IdP
  sends the correct customer ID.

<NameID>[email protected]</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <SubjectConfirmationData InResponseTo="ONELOGIN_c000669424a538ea0f4793ec38dab3b57a635efb"
    NotOnOrAfter="2019-06-14T10:06:20.153Z"
    Recipient="https://compass.arubathena.com/global_login/aaa_saml/adfsaruba.com?acs"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-06-14T10:01:20.151Z" NotOnOrAfter="2019-06-14T11:01:20.151Z">
  <AudienceRestriction>
    <Audience>https://compass.arubathena.com/global_login/aaa_saml/adfsaruba.com/metadata</Audience>
  </AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2019-06-14T10:01:19.749Z"
  SessionIndex="_400366f7-75dc-4423-909c-2b3dc4e9fd9c">
  <AuthnContext>

Error 3— The web browser displays an error message when a SAML user is redirected to Aruba Central after
logging in to IdP
- Description: The web browser displays the following error message when the SAML user logs in to the IdP
  and is redirected to Aruba Central:

  error_code "FAILED EXTERNAL AUTH - SAML ACS PROCESSING"
  message "NameID not found in the assertion of the Response"

- Cause: This issue may occur when the name-id attribute is not configured in the IdP server.
- Solution: Verify the trace logs, check the IdP configuration, and ensure that the name-id attribute maps to
  the user's email address.

Error 4— The web browser displays a 404 error message when a SAML user is redirected to Aruba Central
after logging into IdP
- Description: The web browser displays the following error message when a SAML user is redirected to
  Aruba Central after logging into IdP:

  The requested URL was not found on the server. If you entered the URL manually
  please check your spelling and try again.
  status_code 404

- Cause: This issue may occur due to one of the following reasons:
  - The name-id attribute does not contain the user's email address.
  - The app-id attribute is not configured as Central in the IdP.
  - The role attribute returned by the IdP is not configured in Aruba Central.
  - The group attribute in the IdP server is mapped to a group that is not available in your Aruba Central
    account.
  - The IdP returns a tenant role for the SAML user of a standalone enterprise account.
- Solution: Verify the trace logs, check your Aruba Central deployment setup and the IdP configuration, and
  ensure that the correct values are configured for these attributes in the IdP server.

Error 5— Although the role attribute is not configured in IdP, the SAML user is assigned a readonly role
- Description: Although the role attribute is not configured in the IdP server, the SAML user is assigned the
  readonly role after logging in to Aruba Central.
- Cause: By default, Aruba Central assigns the readonly role to SAML users if the role attribute is not
  configured in the IdP.
- Solution: If you want the SAML user to have a specific role assigned, configure the role attribute for the
  user in the IdP server.
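The checks that Errors 2 to 5 above describe, applied to an assertion captured with SAML Tracer, as an added example in Python (not Aruba code): the attribute names aruba_1_cid, aruba_1_app_1 and aruba_1_app_1_role_1 follow the trace excerpt in Viewing SAML Trace Logs, while the sample assertion, its host names, email and customer ID are constructed placeholders. It also flags an assertion whose validity window does not cover the capture time, the clock-skew case that the ClearPass NTP note warns about.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample modelled on the trace excerpt in this guide. The email,
# customer ID and host names are placeholders, not real values.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject>
    <NameID>user@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2019-06-14T11:57:47.883Z"
        Recipient="https://central.example.com/global_login/aaa_saml/example.com?acs"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2019-06-14T11:52:47.881Z" NotOnOrAfter="2019-06-14T12:52:47.881Z">
    <AudienceRestriction>
      <Audience>https://central.example.com/global_login/aaa_saml/example.com/metadata</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="aruba_1_cid"><AttributeValue>0123456789abcdef0123456789abcdef</AttributeValue></Attribute>
    <Attribute Name="aruba_1_app_1"><AttributeValue>central</AttributeValue></Attribute>
    <Attribute Name="aruba_1_app_1_role_1"><AttributeValue>admin</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

def _local(tag):
    """Strip the XML namespace so prefixed and unprefixed traces parse alike."""
    return tag.rsplit("}", 1)[-1]

def _ts(value):
    """Parse a SAML UTC timestamp; the trailing Z is rewritten for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def parse_assertion(xml_text):
    """Pull out the fields that the troubleshooting tips refer to."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        nodes.setdefault(_local(el.tag), []).append(el)
    attrs = {}
    for attr in nodes.get("Attribute", []):
        attrs[attr.get("Name", "")] = [
            (v.text or "").strip() for v in attr if _local(v.tag) == "AttributeValue"]
    name_id = next(iter(nodes.get("NameID", [])), None)
    cond = next(iter(nodes.get("Conditions", [])), None)
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "not_before": _ts(cond.get("NotBefore")) if cond is not None else None,
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")) if cond is not None else None,
        "attributes": attrs,
    }

def _values(attrs, pattern):
    """All values of attributes whose Name matches the pattern (the aruba_<n>_... family)."""
    return [v for name, vals in attrs.items() if re.fullmatch(pattern, name) for v in vals]

def check_assertion(parsed, now):
    """Map each missing or wrong field to the error it produces in Aruba Central."""
    attrs, findings = parsed["attributes"], []
    if not parsed["name_id"]:
        findings.append("Error 3: NameID not found; map the name-id attribute to the user's email")
    elif "@" not in parsed["name_id"]:
        findings.append("Error 4: name-id does not contain the user's email address")
    if not _values(attrs, r"aruba_\d+_cid"):
        findings.append("Error 2: customer ID (aruba_<n>_cid) missing; expect INVALID EXTERNAL AUTH REQUEST")
    if "central" not in [v.lower() for v in _values(attrs, r"aruba_\d+_app_\d+")]:
        findings.append("Error 4: app-id attribute (aruba_<n>_app_<m>) is not set to Central")
    if not _values(attrs, r"aruba_\d+_app_\d+_role_\d+"):
        findings.append("Error 5: no role attribute; Aruba Central assigns the readonly role by default")
    if parsed["not_before"] is not None and now < parsed["not_before"]:
        findings.append("Clock skew: NotBefore is in the future; check NTP on the IdP and SP")
    if parsed["not_on_or_after"] is not None and now >= parsed["not_on_or_after"]:
        findings.append("Expired: NotOnOrAfter has passed; check NTP or capture a fresh login")
    return findings

def audit(xml_text, now_iso):
    """Parse and check in one call; now_iso is the UTC time at which the trace was captured."""
    return check_assertion(parse_assertion(xml_text), _ts(now_iso))

if __name__ == "__main__":
    for line in audit(SAMPLE_ASSERTION, "2019-06-14T12:00:00Z") or ["no findings"]:
        print(line)
```

Paste the Assertion element from the SAML tab of SAML Tracer in place of SAMPLE_ASSERTION and pass the capture time to audit to get the same findings for a real trace.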

Error 6— A SAML user was able to log in to Aruba Central earlier, but cannot access Aruba Central now
- Description: The SAML user who was able to log in to Aruba Central earlier gets the following message
  during login:

  The requested URL was not found on the server. If you entered the URL manually
  please check your spelling and try again.
  status_code 404

  This issue is observed when the customer ID of a SAML user is changed from an MSP to its tenant or from a
  tenant to its MSP in the IdP server.
- Cause: This issue occurs when the Aruba Central user database already has a user entry for the SAML user
  who tries to log in to Aruba Central after the customer ID modification in the IdP server.
- Solution: In the Account Home page, under Global Settings, click Users & Roles and delete the SAML user
  in Aruba Central. Verify that the user entry is removed from the user database.

Error 7— The web browser displays a SAML authentication error message when a SAML user tries to log in to
Aruba Central
- Description: When a SAML user tries to log in to Aruba Central, the following error message is displayed:

  FAILED EXTERNAL AUTH - SAML ACS PROCESSING
  message 0 "invalid_response"

- Cause: This issue may occur due to a certificate mismatch.
- Solution: Verify the SAML authorization profile configured in Aruba Central and ensure that the correct
  certificate is uploaded.

Error 8— The Aruba Central login page is displayed for the SAML user instead of the IdP login page
- Description: When a SAML user tries to access Aruba Central, the user is redirected to the Aruba Central
  login page instead of the IdP login page.
- Cause: This issue may occur when the SAML user is configured as a system user in Aruba Central.
- Solution: If a SAML user is added as a system user in Aruba Central, delete the system user entry for the
  user in Aruba Central.
