
Mandatory Attributes for Aruba central SSO Login

By esupport posted Aug 24, 2020 08:10 AM

Q:

What are the mandatory attributes which have to be sent by the IDP server for SSO login through Aruba Central for a standalone customer (NOT MSP)?



A:

Below are the mandatory attributes which have to be sent by the IDP (Identity Provider):

• NameID—The NameID attribute must include the email address of the user.

<NameID>johnnyadmin1@adfsaruba.com</NameID>

• aruba_1_cid = <customer-id>

• aruba_1_app_1 = central

• aruba_1_app_1_role_1 = <readonly> or <admin>


Below is an example of the SAML trace logs (debug logs for troubleshooting), which show us the attributes returned by the IDP server.

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">lynctest1@primegrp.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="ONELOGIN_d58fe91c9f40ae14bd8c6803fff2410b7f537dd6"
                NotOnOrAfter="2019-07-08T18:01:37.888Z"
                Recipient="https://portal.central.arubanetworks.com/global_login/aaa_saml/primegrp.com?acs"/></SubjectConfirmation>
        </Subject>

            <Attribute Name="aruba_1_app_1">
                <AttributeValue>central</AttributeValue>
            </Attribute>
            <Attribute Name="aruba_1_cid">
                <AttributeValue>8005597</AttributeValue>
            </Attribute>
            <Attribute Name="aruba_1_app_1_role_1">
                <AttributeValue>readonly</AttributeValue>


Attached the screenshot taken from SAML TRACER TOOL.


Attachments:
Screen Shot 2019-08-16 at 1.03.00 AM.png
Screen Shot 2019-08-16 at 1.02.34 AM.png
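The attribute checks listed in the answer, as an added example that is not part of the original post or Aruba's own code: it parses a constructed assertion with placeholder values (the NameID Format it expects is the one shown in the trace above) and reports which mandatory items are missing or malformed, which is what you would run over a SAML tracer capture when an SSO login fails.

```python
"""Added example (not Aruba's code): check a SAML assertion for the Aruba Central SSO attributes."""
import xml.etree.ElementTree as ET

# Namespace lookups work whether the IdP writes the "saml" or "saml2" prefix.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ALLOWED_ROLES = {"readonly", "admin"}

# Constructed sample modelled on the trace in the post; values are placeholders.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml2:NameID>
 </saml2:Subject>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="aruba_1_app_1"><saml2:AttributeValue>central</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="aruba_1_cid"><saml2:AttributeValue>1234567</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="aruba_1_app_1_role_1"><saml2:AttributeValue>readonly</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

def saml_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name to its first AttributeValue text ("" if none)."""
    out = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return out

def check_central_sso(assertion_xml: str) -> list:
    """Return the problems found; an empty list means every mandatory item is OK."""
    problems = []
    name_id = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is %r, trace shows emailAddress" % name_id.get("Format"))
        if "@" not in (name_id.text or ""):  # answer: NameID must carry the user's email
            problems.append("NameID %r is not an email address" % name_id.text)
    attrs = saml_attributes(assertion_xml)
    if not attrs.get("aruba_1_cid"):
        problems.append("aruba_1_cid missing or empty")
    if attrs.get("aruba_1_app_1") != "central":
        problems.append("aruba_1_app_1 is %r, expected 'central'" % attrs.get("aruba_1_app_1"))
    if attrs.get("aruba_1_app_1_role_1") not in ALLOWED_ROLES:
        problems.append("aruba_1_app_1_role_1 is %r, expected readonly or admin"
                        % attrs.get("aruba_1_app_1_role_1"))
    return problems
```

Paste the `<saml2:Assertion>` element from a SAML tracer capture in place of the sample to see which of the four items your IdP is not sending.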

Comments

15 days ago

Is there a way to change the value that ClearPass sends in the NameID attribute? From the SAML tracer this is what is being sent: <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jmcuser</saml2:NameID>. I would like to change it so that the NameID field contains the EmployeeID rather than the username it shows now.