Single sign-on (SSO) enables users to securely authenticate with multiple applications and websites by logging in only once—with just one set of credentials (username and password). With SSO, the application or website that the user is trying to access relies on a trusted third party (Identity provider) to verify that users are who they say they are.
This is the general process for configuring Azure AD to authenticate users into Greenlake Cloud Platform (GLCP) and Aruba Central using SAML IDP.
The Okta version of this guide can be found on WIFI-GUYS
- Configuring Azure AD as the SAML IDP with Greenlake Cloud Platform and Aruba Central
- Contents
- Before you Begin
- Terms used in this document
- Steps to Configure SSO/SAML Application in Azure AD
- Step 1: Create an Azure AD Enterprise Application
- Step 2: Configure GCLP for SAML Federation
- Login to GLCP and Aruba Central using Azure AD
- Using Azure AD MFA
- Troubleshooting
- Appendix: Generating the
hpe_ccs_attribute
This document references the following documentation:
If you're looking for the Central 2.5.4 SAML integration guide, it has been moved.
CCS:Common Cloud ServiceGLPC:GreenLake Cloud PlatformSSO:Single Sign OnSAML:Security Assertion Markup LanguageAD:Active DirectoryMFA:Multi-Factor AuthenticationMSP:Managed Service ProivderXML:eXtensible Markup Language
To configure SSO in Aruba Central, first download the metadata file from Azure AD.
- Create an Enteprise Application in the [Azure Portal](https://portal.azure.com)
- Configure the Enterprise Application for GLCP
- Download the federated metadata XML file from Enterprise Application
- Claim and Configure your domain within GLCP
- Upload the federated metadata XML file to GLCP
- Create recovery account
-
Log into to Azure portal.
-
Click Enterprise Applications (you may need to search for it, if it's not on your menu)
-
Click New Application
-
Click Create your own Application
Enter the name of your app. (Ex: Aruba Central USWEST 4)
-
Select Integrate any other application you don't find in the gallery (Non-gallery)
-
Under Step 1: Assign users and groups, select the AD Group you created at the beginning of this document.
-
Under Step 2: Set Up Signle sign on
-
The default setting is Disabled. Select SAML
-
Under Basic SAML Configuration, click Edit
Attribute Values Identifier (Entity ID): https://sso.common.cloud.hpe.com Reply URL (Assertion Consumer Service URL): https://sso.common.cloud.hpe.com/sp/ACS.saml2
-
Under Attributes & Claims
Attribute Value emailaddress user.givenname name user.userprincipalname gl_first_name user.givenname gl_last_name user.surname hpe_ccs_attribute See Below version_1#2fd5f97acbc211ecadc006baf610dd36:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator:ALL_SCOPES Where the PCID (2fd5f97acbc211ecadc006baf610dd36) is your ID for GLCP and App ID (683da368-66cb-4ee7-90a9-ec1964768092) for your Central cluster
For more details on the hpe_ccs_attritube, see the Appendix: Generating the hpe_ccs_attribute
- Click Download under Step 3 : Federation Metadata XML
- Login to GLCP and select Manage
- Select the Authentication tile
- Claim your domain for SAML
- Upload the Federation Metadata XML file from the previous section.
- Apply the following configuration settings. These should match the First and Last Name settings you set above for Azure.
- Create the recovery user per the instructions
- Validate the settings are correct
- Save and Finish the configruation.
- If you get an error that the SAML configuraiton wasn't completed using the account with the @domain.com. You'll have to log back up and login with the SAML domain and go through the above configuration again.
- Once you've completed the above steps, login to central using your Azure AD email.
- If everything is working correctly, you should have logged into GLCP and Aruba Central is an option to Launch.
- By default, Azure AD enables MFA. However, for testing and demos, it's much easier to disable MFA on your accounts. To disable MFA, please see the following documentation: What are security defaults
- There's a useful 3rd party browser tool called: SAML Tracer
- This tool will allow you to verify the attributes you're sending to Central.
- It can be useful when configuratin SAML with multiple Central accounts or domains
- SAML Tracer Chrome FireFox
The hpe_ccs_attribute is used to determine your GLCP account. The format for the hpe_ccs_attribute is as follows:
An Example hpe_ccs_attribute for a single GLCP and Aruba Central account would be:
version_1#2fd5f97acbc211ecadc006baf610dd36:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator:ALL_SCOPES
or
version_1#5b0ec0e8b4f411eca432ba72799953ac:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator:ALL_SCOPES#5b0ec0e8b4f411eca432ba72799953ac:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES
If you're a Managed Service Provider (MSP), then the hpe_ccs_attribute for Administrator rights to GLCP and Aruba Central for all customer tenant accounts:
version_1#d951f8c8c67711eca2cf9efb55836a4d:00000000-0000-0000-0000-000000000000:Account Administrator|TENANT|:ALL_SCOPES:00000000-0000-0000-0000-000000000000:Account Administrator|MSP|:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator|TENANT| : ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator|MSP| : ALL_SCOPES
The hpe_ccs_attribute string for a tenant under a MSP account, would be below. However, you must have the SAML domain configuration configured for that tenant account using the same setting as the MSP account. To say it another way, you must go through this configuration for each tenant account under the MSP.
version_1#f9ee1cdecc1611ecb00e9e24ed17d2a7:00000000-0000-0000-0000-000000000000:Observer|TENANT| :ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator|TENANT| :ALL_SCOPES