
Configuring SAML Authorization Profiles in Aruba Central

For a SAML SSO solution with Aruba Central, you must configure a valid SAML authorization profile in the Aruba Central portal. SAML (Security Assertion Markup Language) is an XML-based framework for communicating user authentication, entitlement, and attribute information; it enables single sign-on by allowing users to authenticate at an identity provider (IdP) and then access service providers (SPs) without additional authentication. SSO (Single Sign-On) is an access-control property that allows users to log in once to access multiple related but independent applications or systems to which they have privileges; the user is authenticated across all allowed resources for the duration of the session, eliminating additional login prompts.

Important Points to Note

The SAML authorization profile configuration feature is available only for the admin users of an Aruba Central account.

Each domain can have only one federation. There must be at least one verified user belonging to the domain in the system users' list.

Aruba Central allows only one authorization profile per domain.

SAML user access is determined by the role attribute included in the SAML token provided by the IdP.

SAML users with admin privileges can configure system users in Aruba Central.

SAML users can initiate a Single Sign On request by trying to log in to Aruba Central (SP-initiated login). However, SAML users cannot initiate a single logout request from Aruba Central.

The following menu options in the Aruba Central UI are not available for a SAML user:

Change Password: Aruba Central does not support changing the password of a SAML user account.

Before You Begin

Before you begin, ensure that you have the following information:

Entity ID—A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require it to be a URL.

Login URL—Login URL configured on the IdP server.

Logout URL—Logout URL configured on the IdP server.

Certificate details—SAML signing certificate in Base64 encoded format. The SAML signing certificate is required for verifying the identity of the IdP server to relying applications such as Aruba Central.

Metadata URL—Service provider metadata URL configured on the IdP server.

 

SAML profiles can also be configured using NB (northbound) APIs. If you want to use NB APIs for configuring SAML profiles, use the APIs available under the SSO Configuration category in the Aruba Central API Gateway.

Configuring a SAML Authorization Profile

To configure SAML authorization profiles in Aruba Central:

1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page opens.

2. To add an authorization profile, enter the domain name.

 

Ensure that the domain has at least one verified user.

For public cloud deployments, Aruba Central does not support adding hpe.com, arubanetworks.com and other free public domain names, such as Gmail.com, Yahoo.com, or Facebook.com, for SAML authorization profiles.

3. Click Add SAML Profile.

4. To manually enter the metadata:

a. Select Manual Setting and enter the following information:

Entity ID—Entity ID configured on the IdP server.

Login URL—Login URL configured on the IdP server.

Logout URL—Logout URL configured on the IdP server.

Certificate—Certificate details. Ensure that the certificate content is in the Base64 encoded format. You can either upload a certificate or paste the contents of the certificate in the text box.

 

Ensure that the Entity ID, Login URL, and Logout URL fields contain valid HTTPS URLs.

b. Click Save.

The following shows an example for the manual entry of metadata:

Figure 1  Manual Addition of Metadata

 

5. If you have already configured the IdP server and downloaded the metadata file, you can upload the metadata file. To upload a metadata file:

a. Select Metadata File. Ensure that the metadata file is in XML format and that it includes valid certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.

b. Click Browse and select the IdP metadata file. Aruba Central extracts the Entity ID, Login URL, Logout URL, and certificate contents.

c. Verify the details.

d. Click Save.

The following shows an example for content imported from a metadata file:

Figure 2  Importing Information from a Metadata File
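The following is an added example, not part of the Aruba Central documentation or product code, that performs the pre-checks this page asks for on an IdP metadata file before it is uploaded in step 5 (and, for the manual path in step 4, turns the extracted certificate into PEM text that can be pasted into the Certificate box). It reads the standard SAML 2.0 metadata elements (EntityDescriptor, SingleSignOnService, SingleLogoutService, KeyDescriptor) and checks that the Entity ID, Login URL and Logout URL are HTTPS URLs and that the certificate is valid Base64 whose decoded bytes begin with a DER SEQUENCE, which is all a structural sanity check, not full X.509 validation (a real deployment would parse the certificate with the `cryptography` package). The hostnames and the certificate bytes in the sample metadata are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for a DER certificate: a SEQUENCE holding an INTEGER and an
# OCTET STRING. It is NOT a real X.509 certificate, only enough to exercise the checks.
CONSTRUCTED_CERT_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"
CONSTRUCTED_CERT_B64 = base64.b64encode(CONSTRUCTED_CERT_DER).decode()

# Constructed sample IdP metadata; idp.example.test is a placeholder host.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CERT_PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("CERT_PLACEHOLDER", CONSTRUCTED_CERT_B64)


def extract_idp_settings(metadata_xml: str) -> dict:
    """Pull the four values Aruba Central reads from an IdP metadata file."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not IdP metadata?)")

    def location(service: str):
        node = idp.find("md:%s[@Binding='%s']" % (service, REDIRECT_BINDING), NS)
        return node.get("Location") if node is not None else None

    # KeyDescriptor without a 'use' attribute applies to both signing and encryption.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # drop line breaks and indentation
            break

    return {
        "entity_id": root.get("entityID"),
        "login_url": location("SingleSignOnService"),
        "logout_url": location("SingleLogoutService"),
        "certificate_b64": cert_b64,
    }


def validate_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the pre-checks passed."""
    problems = []
    for field in ("entity_id", "login_url", "logout_url"):
        value = settings.get(field)
        if not value:
            problems.append("%s: missing" % field)
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("%s: not an HTTPS URL (%s)" % (field, value))
    cert = settings.get("certificate_b64") or ""
    try:
        der = base64.b64decode(cert, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("certificate: not valid Base64")
    else:
        if not der or der[0] != 0x30:
            problems.append("certificate: decoded bytes do not start with a DER SEQUENCE")
    return problems


def to_pem(cert_b64: str) -> str:
    """Wrap raw Base64 certificate text as PEM for pasting into the manual form."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    found = extract_idp_settings(SAMPLE_METADATA)
    for key, value in found.items():
        print("%-16s %s" % (key, value))
    print("problems:", validate_settings(found) or "none")
    print(to_pem(found["certificate_b64"]))
```

Run it against a real file with `extract_idp_settings(open("idp-metadata.xml").read())`; any entry in the returned problem list corresponds to one of the conditions on this page (non-HTTPS URL or unusable certificate content) and should be fixed on the IdP side before uploading.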
