How SAML SSO Logout works on Aruba Central

By esupport posted Oct 02, 2019 09:02 PM

  • How SAML SSO Logout works on Aruba Central?

  • For SAML SSO solution with Aruba Central, we must configure a valid SAML authorization profile in the Aruba Central portal which is very much described under Documentation > Support for SAML SSO
  • SAML SSO can be done using different IdP providers like Metadata, Microsoft ADFS, Clearpass, etc.,


Key Elements of SAML SSO:

  • Service Provider (SP)—The provider of a business function or service; For example, Aruba Central. The service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the service provider allows a user to access the service.
  • Identity Provider (IdP)—The Identity Management system that maintains identity information of the user and authenticates the user.
  • SAML request—The authentication request that is generated when a user tries to access the Aruba Central portal.
  • SAML Assertion—The authentication and authorization information issued by the IdP to allow access to the service offered by the service (Aruba Central portal).
  • Relying Party—The business service that relies on SAML assertion for authenticating a user; For example, Aruba Central.
  • Asserting Party—The Identity management system or the IdP that creates SAML assertions for a service provider.
  • Metadata—Data in the XML format that is exchanged between the trusted partners (IdP and Aruba Central) for establishing interoperability.
  • SAML attributes—The attributes associated with the user; for example, username, customer ID, role, and group in which the devices belonging to a user account are provisioned. The SAML attributes must be configured on the IdP according to specifications associated with a user account in Aruba Central. These attributes are included in the SAML assertion when Aruba Central sends a SAML request to the IdP.
  • Entity ID—A unique string to identify the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not required as a URL by all providers.
  • Assertion Services Consumer URL—The URL that sends the SAML request and receives the SAML response from the IdP.
  • User—User with SSO credentials.


  • Once we have configured SAML SSO correctly as per our documentation we should be successfully authenticate using SAML SSO.
  • After successful authentication when a user tries to logout, user will be logged out & will be redirected to Aruba Central Login page even if have the Response URL on the IdP server set to any SSO logout page.
  • This is because Aruba Central does not support ‘Single Logout Transaction Flow (SLO)’ on SAML SSO. User gets logged out only from Aruba Central app not from IdP server & the session on IdP server will be active until we close the browser session which will terminate active session cookie on IdP.
  • We can check on the same by collecting .har file (Developer Tools > Network), SAML logs (by installing SAML Chrome Panel).


Har File Logs:

  • We can see the entire transaction from Login to Logout

  • We will be able to see logout  Request URL to Aruba Central Login Page.


SAML Panel Logs:

  • We will only be able to see login request post & no logout post as we on Aruba Central, logout user session alone & do not send out any SAML request to the IdP to terminate the active session.