
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass SSO for Policy Manager - subscriber access

  • 1.  ClearPass SSO for Policy Manager - subscriber access

    Posted Dec 19, 2022 12:57 AM
    Greetings. We are in the midst of deploying ClearPass 6.11 to replace another solution. When configuring we saw that SSO was available and configured it to use against Azure AD. This will give us single sign on, as well as MFA. We configured it and tested it, first with Insight, and everything worked great. We then activated it for Policy Manager and everything appeared to work. The problem I have is when attempting to log into either of the subscribers in the cluster, they are sending the Identifier as their own hostname, rather than the hostname of the publisher, which is how the identifier is defined in Azure. The error returned is below.

    Message: AADSTS700016: Application with identifier '' was not found in the directory 

    Is there a way to configure the ClearPass subscribers to send a specific Identifier to Azure in the SAML request? They should be able to authenticate against a single Enterprise Application.

    Thank you.

  • 2.  RE: ClearPass SSO for Policy Manager - subscriber access
    Best Answer

    Posted Dec 19, 2022 11:40 PM
    Azure AD allows specifying multiple Identifiers (Entity IDs) in the enterprise application SSO configuration, have you tried adding the subscriber URLs there?

  • 3.  RE: ClearPass SSO for Policy Manager - subscriber access

    Posted Dec 20, 2022 02:56 PM
    Thank you @TRS-80. Apparently, the way the EA was created (by someone other than me), it didn't allow adding any additional Identifiers. After creating a new EA we are able to add the multiple URLs.

  • 4.  RE: ClearPass SSO for Policy Manager - subscriber access

    Posted 11 days ago

    I found this thread looking for a slightly similar issue with SAML metadata URIs not being what we wanted when upgrading from ClearPass 6.10 to 6.11, so I am adding the fix we used in case anyone else gets stuck.

    We have two ClearPass servers, a publisher and a subscriber, and a Virtual IP with a common FQDN of clearpass.x.x.

    The SAML metadata URI for both the subscriber and the publisher was defaulting to their own hostnames of acp24...-01 and acp24...-02, where 01 is normally the publisher and 02 is normally the subscriber.

    This was breaking our previously working SAML config, which expected the requests to come from clearpass.x.x and then redirected the user back to clearpass.x.x. With the default config mentioned above, the SAML process was instead redirecting users to the individual hostnames of acp24...-01/-02.

    The fix for this was setting the 'FQDN' setting in [ 'Administration' -> 'Server Configuration', then click on each server name ] to clearpass.x.x (our common FQDN).

    This then changed the SAML metadata URI to the common FQDN shared between the two boxes, instead of each individual hostname. It also means a single SAML SP config keeps working even when the two boxes switch publisher and subscriber roles.
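The two fixes in this thread (reply 2: register every node's identifier on the enterprise application; reply 4: make every node publish the shared FQDN) both come down to the same check: the entityID each ClearPass node puts in its SP metadata, and so in the Issuer of its SAML request, must be one of the Identifiers the identity provider knows, and its AssertionConsumerService URL must be a registered reply URL. The script below is an added example and is not code from this thread or from HPE Aruba. It constructs standard SAML 2.0 SP metadata for hypothetical hosts (cppm-01/cppm-02/clearpass under example.internal) and checks each node against an IdP's allowed identifier and reply URL sets, showing the broken cluster and both fixes; the metadata layout and URL paths are assumptions, not what ClearPass actually emits.

```python
"""Check which ClearPass node identities an IdP will accept for SSO login.

Added example, not code from the thread or from HPE Aruba. The SP metadata
below is constructed in standard SAML 2.0 metadata format; the hostnames and
URL paths are assumptions and do not reproduce ClearPass's real metadata.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}


def sp_metadata_for(fqdn: str) -> str:
    """Constructed SP metadata resembling what a node publishes under a given FQDN."""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://{fqdn}/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{fqdn}/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the entityID (sent as the SAML Issuer) and the ACS URLs from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs = [e.get("Location")
           for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"), "acs": acs}


def check_node(xml_text: str, idp_identifiers: set, idp_reply_urls: set) -> list:
    """Return the reasons the IdP would reject a login started from this node (empty = OK)."""
    sp = parse_sp_metadata(xml_text)
    problems = []
    if sp["entity_id"] not in idp_identifiers:
        # The mismatch behind the AADSTS700016 error in the thread: the Issuer this
        # node sends is not one of the enterprise application's Identifiers.
        problems.append(f"issuer {sp['entity_id']} is not a registered Identifier")
    for loc in sp["acs"]:
        if loc not in idp_reply_urls:
            # The redirect-back problem from reply 4: the IdP will not post the
            # response to an ACS URL it has not been told about.
            problems.append(f"ACS {loc} is not a registered Reply URL")
    return problems


def run_scenarios() -> dict:
    """Evaluate the broken cluster and the two fixes discussed in the thread."""
    pub = "cppm-01.example.internal"        # hypothetical publisher hostname
    sub = "cppm-02.example.internal"        # hypothetical subscriber hostname
    common = "clearpass.example.internal"   # hypothetical shared FQDN / VIP name

    # Before: the enterprise application only knows the publisher's identity.
    ids = {f"https://{pub}/saml"}
    replies = {f"https://{pub}/saml/acs"}
    before = {"publisher": check_node(sp_metadata_for(pub), ids, replies),
              "subscriber": check_node(sp_metadata_for(sub), ids, replies)}

    # Reply 2: add each node's identifier and reply URL to the application.
    ids_all = ids | {f"https://{sub}/saml"}
    replies_all = replies | {f"https://{sub}/saml/acs"}
    add_identifiers = {"publisher": check_node(sp_metadata_for(pub), ids_all, replies_all),
                       "subscriber": check_node(sp_metadata_for(sub), ids_all, replies_all)}

    # Reply 4: every node publishes the common FQDN, so one SP registration covers the cluster.
    ids_common = {f"https://{common}/saml"}
    replies_common = {f"https://{common}/saml/acs"}
    common_fqdn = {"publisher": check_node(sp_metadata_for(common), ids_common, replies_common),
                   "subscriber": check_node(sp_metadata_for(common), ids_common, replies_common)}

    return {"before": before, "add_identifiers": add_identifiers, "common_fqdn": common_fqdn}


if __name__ == "__main__":
    for scenario, nodes in run_scenarios().items():
        for node, problems in nodes.items():
            print(f"{scenario:16s} {node:10s} {'OK' if not problems else '; '.join(problems)}")
```

In the "before" scenario only the subscriber fails, which is exactly the symptom in the opening post. Either fix clears it; the common-FQDN approach has the extra property noted in reply 4 that the SP registration stays valid when the two nodes swap roles, but it relies on the shared name actually resolving to whichever node the user is talking to.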