1. Create your Authentication Source (sounds like you have this bit covered). But if not, create this under Configuration -> Authentication -> Sources.
2. Create an Enforcement Profile under Configuration -> Enforcement -> Profiles. This is where you tell Guest which Operator Profile to assign to the authenticated user. Create one of type Generic Application Enforcement, with an Action of Accept, and add an attribute of admin_privileges = "Your Operator Profile". This should have a matching entry in Guest under Administration -> Operator Logins -> Translation Rules. A screenshot is attached as an example.
3. Create an Enforcement Policy under Configuration -> Enforcement -> Policies. This is where you match on some information passed from your Authentication Source to accept or deny access in it's simplest form. Create one of type Application, assign a Default Profile, e.g. [Deny Application Access Profile], set a rule to match your Authentication Source attributes that will in turn, set your Enforcement Profile created in step 2. For example, you may set a rule that looks for both Tips:Role EQUALS [User Authenticated] AND Authorization:"Your Authentication Source":memberOf CONTAINS CN=groupname,OU=orgunit,DC=company,DC=com. This would look for a particular group membership in an Active Directory source for instance.
4. Create a new service of type Aruba Application Authentication.
5. Create two service rules;
5a. Application - Name - EQUALS - Guest
5b. Authentication - Type - NOT_EQUALS - SSO
6. Under the Authentication tab, select the Authentication Source created in step 1.
7. Under the Enforcement tab, select the Enforcement Policy created in step 3.
That should be all.