07-15-2016 09:27 AM
I am trying to build an SSID which authenticates users through SAML SSO, i.e. redirecting to a SAML authentication platform (which is a cloud SaaS solution). So ClearPass would be acting as the SP, with the auth request going to the public IdP SaaS.
Am I right in thinking that I should be populating the Identity -> Single Sign-On (SSO) -> SAML IdP Configuration tab with the Service Provider (SP) Metadata so that ClearPass knows where/how to send the IdP auth requests to?
And then create a web login page with vendor settings as "Single sign-on - SAML Identity Provider" and run through the service template for IdP.
According to multiple sources as well as posts on this forum, this should be possible, but has anyone had any success with this?
We have recently upgraded to ClearPass 6.6.
Apologies if I've got anything wrong here - I am both an Aruba and SAML newbie...
07-15-2016 09:32 AM
Take a look at the SAML TechNote: https://support.arubanetworks.com/Documentation/ta
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
07-20-2016 02:25 AM
Thanks Tim, appreciate the information.
I have worked through the guide and it's got me very close to a solution. The SAML integration from CPPM is working well: I can manually browse the page and run through the sign-in, seeing the application authentication in the logs etc. - all good.
However, when I then try it by actually connecting to the SSID, I'm getting an SSL certificate error when it's firing me over to the https portal for SAML. Looking at the error, it seems that I'm being presented with the controller's cert CN=securelogin.arubanetworks.com.
I've seen some similar issues in the forum (although nothing specifically SSO/SAML), but in our case we're using a SaaS SAML platform, therefore it would be impossible to use a certificate on the controller which would be valid for this domain. E.g. we couldn't just implement a wildcard cert for our domain on the controller because we're being directed to a third-party platform for auth.
We've raised a ticket with Aruba support directly, but until then... has anyone got any ideas?
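The certificate error in the post above comes down to TLS hostname verification: the browser checks the hostname it was redirected to against the names in the certificate it is actually presented with, and a certificate whose only name is securelogin.arubanetworks.com cannot match a third-party IdP hostname, nor can a wildcard for the organisation's own domain. The following is an added example, not code from the thread or from Aruba, that implements the RFC 6125 matching rule (SAN dNSName entries first, CN only as a fallback, a wildcard only as the whole leftmost label and only for one label) and runs it over constructed certificate identities and hostnames. The IdP hostname `idp.saas-example.com` and the domain `corp-example.com` are assumptions for illustration; only `securelogin.arubanetworks.com` comes from the post.

```python
from dataclasses import dataclass, field
from typing import List, Dict


@dataclass
class CertIdentity:
    """Identity fields of an X.509 certificate as a browser would read them."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def name_matches_host(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one certificate name against a hostname.

    Case-insensitive; a wildcard is accepted only as the entire leftmost label,
    must be followed by at least two labels, and matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Reject partial wildcards ("f*o.example.com") and over-broad ones ("*.com").
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # "*.example.com" matches "host.example.com" but not "a.b.example.com".
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: CertIdentity, host: str) -> bool:
    """Browser rule: consult the CN only when the cert carries no dNSName SANs."""
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(name_matches_host(n, host) for n in names)


def diagnose_redirect(cert: CertIdentity, redirect_host: str) -> Dict[str, object]:
    """Explain whether a redirect to redirect_host will pass verification with cert."""
    ok = cert_matches_host(cert, redirect_host)
    presented = cert.san_dns if cert.san_dns else [cert.common_name]
    return {
        "host": redirect_host,
        "presented_names": presented,
        "matches": ok,
        "reason": "hostname covered by certificate" if ok
                  else "none of the presented names cover the redirect hostname",
    }


# Constructed scenario mirroring the post: the client is sent to the IdP's
# hostname (assumed) but is answered with the controller's own certificate.
CONTROLLER_CERT = CertIdentity("securelogin.arubanetworks.com")
# Constructed: a wildcard certificate for the organisation's own domain (assumed).
WILDCARD_CERT = CertIdentity("*.corp-example.com", ["*.corp-example.com"])
IDP_HOST = "idp.saas-example.com"          # assumed third-party IdP hostname
PORTAL_HOST = "captiveportal.corp-example.com"  # assumed in-house portal hostname


if __name__ == "__main__":
    for cert in (CONTROLLER_CERT, WILDCARD_CERT):
        for host in (IDP_HOST, PORTAL_HOST):
            print(diagnose_redirect(cert, host))
```

Running it shows that the controller certificate fails for both hostnames and the wildcard certificate only passes for a host directly under the organisation's own domain, which is exactly why a controller-side wildcard cannot fix a redirect to an external IdP; the fix has to be that the client's HTTPS connection to the IdP is not answered by the controller at all.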