• All Files
Aruba Central Online Help

Configuring Service Provider Metadata in Microsoft ADFS

This procedure describes the steps required for configuring service provider metadata in Microsoft Active DirectoryMicrosoft Active Directory. The directory server that stores information about a variety of things, such as organizations, sites, systems, users, shares, and other network objects or components. It also provides authentication and authorization mechanisms, and a framework within which related services can be deployed. Federation Services (ADFS) for SAMLSecurity Assertion Markup Language. SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. SAML enables single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication. integration with Aruba Central.

ADFS runs on Windows Servers and provides users with SSOSingle Sign-On. SSO is an access-control property that allows the users to log in once to access multiple related, but independent applications or systems to which they have privileges. The process authenticates the user across all allowed resources during their session, eliminating additional login prompts. access to application services hosted by the trusted service providers.

This topic provides a basic set of guidelines required for setting up the ADFS instance on a Windows Server 2016 as an IdP. The images used in this procedure may change with Windows Server updates.

Before you Begin

  • Go through the SAML SSO feature description to understand how SAML framework works in the context of Aruba Central.
  • Ensure that the ADFS is installed and available for configuration on a Windows server. For more information, see the ADFS Deployment Guide.
  • Ensure that an Active Directory security group is configured and the users are added as group members. For more information, see the ADFS Deployment Guide.

Steps to Configure Service Provider Metadata in ADFS

To enable SAML integration with ADFS, complete the following steps:

ClosedStep 1—Add a Relying Party Trust

To configure Aruba Central and ADFS as trusted partners:

  1. On Windows Server, click Start > Administrative Tools > AD FS Management. The ADFS administrative console opens.
  2. Click AD FS folder and select Add Relying Party Trust from the Actions menu.

  3. Select Enter data about the relying party manually.

  4. Click Next.
  5. Enter a Display Name. The name entered here will be displayed in the management console and to the users logging in to Aruba Central.

  6. Click Next.
  7. Select AD FS Profile and then click Next.
  8. Select Enable support for the SAML 2.0 WebSSO protocol check box and enter the consumer URLUniform Resource Locator. URL is a global address used for locating web resources on the Internet. that you want to use for sending SAML SSO login requests and receiving SAML response from the IdP.

  9. Click Next.
  10. Add Aruba Central URL as the relying party trust identifier.

  11. Click Next.
  12. Select the preferred security setting. You can select Permit all users to access this relying party option to permit access to all users.
  13. Click Close.
  14. Verify if Aruba Central is added to the list of relying party trust.
ClosedStep 2—Configure the Name ID Attribute

The Name ID attribute is used for user identification. For SAML integration with Aruba Central, the Name ID attribute must include the email address of the user. If the Name ID attribute does not return the email address of the user, use the aruba_user_email attribute.

To configure the Name-ID attribute:

  1. Select the display name you just added for Aruba Central and click Edit Claim Issuance Policy.
  2. In the Edit Claim Issuance Policy window, click Add Rule.
  3. Set the Claim Rule template to Send LDAP Attributes as Claims rule.

  4. Click Next.
  5. In the Claim rule name text box, enter Name-ID.

  6. Select the LDAPLightweight Directory Access Protocol. LDAP is a communication protocol that provides the ability to access and maintain distributed directory information services over a network. as the Attribute store.
  7. Select the User-Principal-Name as LDAP attribute and Name ID for the Outgoing Claim Type.
  8. Click Finish.
ClosedStep 3—Configure the Customer ID Attribute

To create a rule with the customer ID attribute:

  1. In the Edit Claim Issuance Policy window, click Add Rule.
  2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.

  3. Click Next.
  4. In the Claim rule name text box, enter the customer ID attribute. For example, aruba-cid.
  5. Select a user group.

  6. Click OK.
  7. Select a customer ID attribute for the Outgoing claim rule and enter a value for the Outgoing claim value.

  8. Click Finish.
  9. If you have multiple customers, define the customer ID attribute separately for each customer ID.
ClosedStep 4—Configure the Application Attribute

To add a rule for the application attribute:

  1. In the Edit Claim Issuance Policy window, click Add Rule.
  2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.

  3. Click Next.
  4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Name.
  5. Select a user group.
  6. Select the application attribute for Outgoing claim type and enter a value for the Outgoing claim value.

  7. Click Finish.
ClosedStep 5—Configure the Role Attribute

To add a rule for a role attribute:

  1. In the Edit Claim Issuance Policy window, click Add Rule.
  2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.

  3. Click Next.
  4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Role.
  5. Select a user group.
  6. Select the role attribute for Outgoing claim type and enter a value for the Outgoing claim value.

  7. Click Finish.

If the role attribute is not configured, Aruba Central assigns a read-only role to the user.

ClosedStep 6—Configure the Group Attribute

If you want to restrict user access to a group in Aruba Central, you can configure the group attribute. If the group attribute is not configured, Aruba Central allows SAML SSO users to access all groups.

To add a rule for a group attribute:

  1. In the Edit Claim Issuance Policy window, click Add Rule.
  2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
  3. Click Next.
  4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Group.
  5. Select a user group.
  6. Select a group attribute for Outgoing claim type and enter a value for the Outgoing claim value.
  7. Click Finish.
ClosedStep 7—Configure the Logout URL

To enable IdP-initiated logout:

  1. Select the relying party trust entry created for Aruba Central and click Properties.
  2. Click Endpoints.
  3. To add a logout URL, click Add SAML.
  4. Select the endpoint type as SAML Logout.
  5. Select Redirect for Binding.
  6. Enter the Aruba Central logout URL for Trusted URL.
  7. Enter the IdP logout URL for Response URL.

  8. Click OK.
ClosedStep 8—Exporting Token-signing Certificate

The token-signing certificate is required SAML authentication. To export the token-signing certificate:

  1. In the ADFS management console, go to AD FS> Service > Certificates.
  2. Click the certificate under Token-signing and select View Certificate from the contextual menu.
  3. Click Details > Copy to File.

  4. Click Next and select Base-64 encoded X.509 (.CER) as the certificate format.
  5. Click Next.
  6. Save the certificate file on your local directory.
ClosedStep 9—SAML Authorization Profile in Aruba Central

For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.