Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problem with SAML services.

  • 1.  Problem with SAML services.

    Posted Jan 07, 2015 06:54 PM

    Hopefully someone here on the community site has run into this and can offer some help on setting up CPPM to be a service provider and an identity provider. I have two issues that I can't seem to overcome.

     

    The first is the authentication source. Under the IdP service authentication, I ONLY have an AD server specified, but the service (when viewed in Tracker) is only looking at the local user store for authorization and nothing for authentication. Not sure why this is.

     

    The second issue is that both of the services (SP and IdP) have been set up with the default values from the templates. Under Identity, SSO, I have enabled the Insight application and specified the IdP URL, and the Service Provider Metadata has been imported. The problem I am seeing: when I attempt to log in, I get a service classification failed. The only workaround is to change the “Service Rule” from All to Any. After making this change, looking at the request under Access Tracker, everything that is listed under the “Service Rule” is in the request, but it fails when set to All conditions must be met. I am at a loss as to what conditions are needed to make this service true.

     

    Any help would be appreciated.



  • 2.  RE: Problem with SAML services.

    EMPLOYEE
    Posted Jan 07, 2015 06:59 PM


  • 3.  RE: Problem with SAML services.

    Posted Jan 07, 2015 07:32 PM

    I had not seen that technote, but reviewing what I had configured against what was in the PDF, it was very close. I had an incorrect URL for the IdP service, which has now been corrected, but I am still getting a ServiceClassification failed {No service matched}.



  • 4.  RE: Problem with SAML services.

    EMPLOYEE
    Posted Jan 08, 2015 10:38 AM

    Have you taken the Application Name Service rules from the TechNote?

     

    Do you see the Service Classification failed for the IdP or for the SP?

     

    If you receive a Classification Failed, you either have:

    - no Application Service configured (note that the service type is different than RADIUS, TACACS or WebAuth)

    - or none of the services had matching Service Rules. 

     

    One method that works in most cases is to create a generic Service at the bottom of the service list that has a dummy matching rule, like Application Name EXISTS (matches on everything); then, if you try to access it, in the Access Tracker you should be able to see the Request contents and find the information used there to fine-tune your service rules.

     

    For the IdP, Application Name EQUALS SAML should work.

    For the SP, Authentication Type EQUALS SSO should work.

     

    Herman
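The behaviour discussed in this thread (first-match service classification, All versus Any rule matching, and the catch-all "Application Name EXISTS" service at the bottom of the list) can be modelled in a few lines. The following is an added example written for this page, not ClearPass code and not taken from the TechNote: it is a simplified model, the attribute names "Application Name" and "Authentication Type" are spelled as in the replies above, the second SP rule is a hypothetical extra rule included only to create the All/Any gap, and the attribute values in the sample requests are constructed. It shows why a service set to All reports "No service matched" when one rule's value differs from the request, why switching the same service to Any makes it match, how the bottom catch-all still records the request so it can be inspected in Access Tracker, and the ordering hazard that loosening a service to Any introduces.

```python
# Added example, not ClearPass code: a small model of how an ordered list of
# Application services classifies a request by first match, with each service's
# rules combined either as All (AND) or Any (OR).
# Attribute names follow the thread; request values below are constructed.

from dataclasses import dataclass
from typing import Dict, List, Optional

Request = Dict[str, str]  # attribute name -> value, as shown in Access Tracker


@dataclass(frozen=True)
class Rule:
    attribute: str
    operator: str                # "EQUALS", "NOT_EQUALS", "CONTAINS" or "EXISTS"
    value: Optional[str] = None  # unused for EXISTS

    def matches(self, request: Request) -> bool:
        if self.operator == "EXISTS":
            return self.attribute in request
        if self.attribute not in request:
            return False         # an absent attribute never satisfies a value test
        actual = request[self.attribute]
        if self.operator == "EQUALS":
            return actual == self.value
        if self.operator == "NOT_EQUALS":
            return actual != self.value
        if self.operator == "CONTAINS":
            return self.value is not None and self.value in actual
        raise ValueError(f"unknown operator: {self.operator}")

    def describe(self) -> str:
        suffix = "" if self.operator == "EXISTS" else f" {self.value}"
        return f"{self.attribute} {self.operator}{suffix}"


@dataclass
class Service:
    name: str
    rules: List[Rule]
    match_all: bool = True       # True = "All" (every rule), False = "Any" (at least one)

    def matches(self, request: Request) -> bool:
        results = [rule.matches(request) for rule in self.rules]
        return all(results) if self.match_all else any(results)


def classify(services: List[Service], request: Request) -> Optional[str]:
    """Top-to-bottom, first match wins; None models 'No service matched'."""
    for service in services:
        if service.matches(request):
            return service.name
    return None


def failing_rules(service: Service, request: Request) -> List[str]:
    """Rules of a service the request does not satisfy: the rules to compare
    against the Request tab of the catch-all hit in Access Tracker."""
    return [rule.describe() for rule in service.rules if not rule.matches(request)]


# Rules as suggested in the thread; the second SP rule is hypothetical and is
# only there to produce the All/Any difference described in the first post.
IDP_RULES = [Rule("Application Name", "EQUALS", "SAML")]
SP_RULES = [Rule("Authentication Type", "EQUALS", "SSO"),
            Rule("Application Name", "EQUALS", "SAML")]
CATCH_ALL = Service("Catch-all", [Rule("Application Name", "EXISTS")])


def build_services(sp_match_all: bool) -> List[Service]:
    """IdP service, then SP service (All or Any), then the catch-all last."""
    return [Service("SAML IdP", IDP_RULES),
            Service("SAML SP", SP_RULES, match_all=sp_match_all),
            CATCH_ALL]


# Constructed sample requests (values made up for this example).
IDP_REQUEST: Request = {"Application Name": "SAML"}
SP_REQUEST: Request = {"Application Name": "Insight", "Authentication Type": "SSO"}


def demo() -> Dict[str, Optional[str]]:
    strict = build_services(sp_match_all=True)
    loose = build_services(sp_match_all=False)
    return {
        "idp": classify(strict, IDP_REQUEST),
        # SP service set to All, no catch-all: "No service matched"
        "sp_all": classify(strict[:2], SP_REQUEST),
        # Same request once the SP service is switched to Any
        "sp_any": classify(loose[:2], SP_REQUEST),
        # All still fails, but the bottom catch-all records the request
        "sp_all_with_catch_all": classify(strict, SP_REQUEST),
        # Hazard: an Any service listed above the IdP service swallows IdP requests
        "idp_with_any_sp_first": classify([loose[1], loose[0]], IDP_REQUEST),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24s} -> {result or 'No service matched'}")
    print("SP rules not met (All):", failing_rules(build_services(True)[1], SP_REQUEST))
```

The practical reading of the model: switching a service from All to Any hides the mismatch rather than explaining it, and an Any service with a broad rule will also capture requests intended for a service listed below it. The catch-all plus `failing_rules` is the equivalent of Herman's suggestion: let the request land somewhere, read its attributes in Access Tracker, then tighten the real service's rules until All matches.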