
Configuring Service Provider Metadata in IdP

Aruba Central supports the SAML (Security Assertion Markup Language) SSO (Single Sign-On) authentication framework with various Identity Management vendors such as ADFS, PingFederate, Aruba ClearPass Policy Manager, and so on. SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information; it enables single sign-on by letting a user authenticate once at an identity provider (IdP) and then access service providers (SPs) without additional login prompts for the rest of the session.

Aruba recommends that you look up the instructions provided by your organization for adding service provider metadata to the IdP server in your setup.

The following generic attributes must be configured on the IdP server for SAML integration with Aruba Central:

Metadata URL—The URL from which the IdP retrieves the service provider metadata for Aruba Central.

Entity ID—A unique string that identifies the service provider issuing a SAML SSO request. The SAML specification recommends that the string be a URL, although not all providers require it to be one.

Assertion Consumer Service (ACS) URL—The service provider endpoint to which the IdP posts the SAML authentication response after the user has logged in.

NameID—The NameID attribute must include the email address of the user.

<NameID>johnnyadmin1@adfsaruba.com</NameID>

If the NameID attribute does not return the email address of the user, return it in the aruba_user_email attribute instead. Ensure that either NameID or aruba_user_email carries the email address for every user.

SAML Attributes—The following example shows the syntax structure for SAML attributes (one attribute per line, attribute name on the left, value on the right):

#customer 1
# app1, scope1
aruba_1_app_1 = central
aruba_1_app_1_role_1 = <readonly>
aruba_1_app_1_group_1 = [groupx, groupy]
aruba_1_app_2 = account_setting
aruba_1_app_2_role_1 = <readonly>

#customer 2
# app1, scope1
aruba_2_app_1 = central
aruba_2_app_1_role_1 = <readonly>
aruba_2_app_1_group_1 = groupx, groupy
aruba_2_app_2 = account_setting
aruba_2_app_2_role_1 = <readonly>

Note the following points when defining SAML attributes in the IdP server:

cid—Customer ID. The number following aruba_ in the attribute name (aruba_1_..., aruba_2_...) is the customer ID. If you have multiple customers, define a separate set of attributes for each customer ID.

app—Application. Set the value according to the application the user needs:

Network Operations—central

Account Home—account_setting

role—User role. Specify the user role for the application. If no role attribute is returned, Aruba Central assigns the read-only role to the user.

group—Group in Aruba Central. When a group is specified in the attribute, the user is allowed to access only the devices in that group. If no group attribute is returned, Aruba Central allows the SAML SSO user to access all groups. To grant access to several groups, configure additional custom group attributes (or list several groups in one attribute, as in the example above).
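To check that an IdP is returning the attributes in the shape described above before pointing it at a production tenant, it helps to parse a test assertion the way the notes say Aruba Central interprets it. The following Python is an added example written for this page; it is not Aruba's code and does not use any Aruba API. It assumes that the angle brackets around <readonly> in the documentation are placeholder notation (and strips them), that group lists may be written either with or without square brackets as the two examples above show, and that "the Network Operations role is applied by default" for a missing Account Home means the account_setting application inherits the role returned for central. The assertion text is constructed test input.

```python
"""Parse Aruba Central SAML attributes from an IdP assertion into a
per-customer authorization map (added example, not Aruba's code)."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# aruba_<cid>_app_<n>            -> application name (central / account_setting)
# aruba_<cid>_app_<n>_role_<m>   -> role for that application
# aruba_<cid>_app_<n>_group_<m>  -> Aruba Central group(s) the user may access
ATTR_RE = re.compile(
    r"^aruba_(?P<cid>\d+)_app_(?P<app>\d+)(?:_(?P<kind>role|group)_(?P<idx>\d+))?$"
)
KNOWN_APPS = ("central", "account_setting")

# Constructed sample assertion (not a real capture). Signature and Conditions
# elements are omitted; a real SP validates those before trusting any attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>johnnyadmin1@adfsaruba.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="aruba_1_app_1"><saml:AttributeValue>central</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="aruba_1_app_1_role_1"><saml:AttributeValue>&lt;readonly&gt;</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="aruba_1_app_1_group_1"><saml:AttributeValue>[groupx, groupy]</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="aruba_1_app_2"><saml:AttributeValue>account_setting</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="aruba_2_app_1"><saml:AttributeValue>central</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="aruba_2_app_1_role_1"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _split_groups(raw):
    """Accept '[groupx, groupy]' or 'groupx, groupy' (both forms appear in the doc)."""
    return [g.strip() for g in raw.strip().strip("[]").split(",") if g.strip()]


def parse_assertion(xml_text):
    """Return {'email': str, 'customers': {cid: {app: {'role': str, 'groups': list}}}}."""
    root = ET.fromstring(xml_text)
    name_id = (root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text
        ]

    # NameID must carry the email address; otherwise fall back to aruba_user_email.
    email = name_id if "@" in name_id else (attrs.get("aruba_user_email") or [""])[0]
    if "@" not in email:
        raise ValueError("no user email in NameID or aruba_user_email")

    slots = {}  # (cid, app_n) -> {"app", "role", "groups"}
    for name, values in attrs.items():
        m = ATTR_RE.match(name or "")
        if not m or not values:
            continue  # not a scheme attribute (e.g. aruba_user_email) or empty
        slot = slots.setdefault((m["cid"], m["app"]), {"app": None, "role": None, "groups": []})
        if m["kind"] is None:
            slot["app"] = values[0]
        elif m["kind"] == "role":
            slot["role"] = values[0].strip("<>")  # assumption: <readonly> is placeholder notation
        else:
            for v in values:
                slot["groups"].extend(_split_groups(v))

    customers = {}
    for (cid, _), slot in sorted(slots.items()):
        if slot["app"] not in KNOWN_APPS:
            continue  # unknown application name: grant nothing rather than guess
        customers.setdefault(cid, {})[slot["app"]] = {
            "role": slot["role"] or "readonly",  # doc: no role attribute -> read-only
            "groups": slot["groups"] or ["*"],   # doc: no group attribute -> all groups
        }
    # Doc: if Account Home is not returned, the Network Operations role applies by
    # default; read here (assumption) as account_setting inheriting the central role.
    for apps in customers.values():
        if "central" in apps and "account_setting" not in apps:
            apps["account_setting"] = {"role": apps["central"]["role"], "groups": ["*"]}
    return {"email": email, "customers": customers}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_assertion(SAMPLE_ASSERTION), indent=2))
```

Running the block on the sample shows customer 1 with read-only access to groupx and groupy in Network Operations and read-only Account Home, and customer 2 with an admin role over all groups. The two points worth noticing are the ones the notes describe as defaults: a missing role silently becomes read-only, and a missing group attribute silently becomes access to every group, so an IdP misconfiguration that drops the group attribute widens access rather than narrowing it.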


Aruba recommends that you configure the Account Home application. However, if the IdP does not return the Account Home application, the Network Operations role is applied by default.
