Security

  • 1.  SSO issues with subscriber on CLP cluster

    Posted Jul 05, 2023 02:19 PM
    Edited by vvajpeyi Jul 05, 2023 04:12 PM

    Hello, I am running CLP with 6.10. An SSO service was recently created for our organization's IDP. Before I configured SSO, I was able to log into the subscriber separately and retrieve previous logs. After enabling SSO on the publisher I am unable to connect to the subscriber directly through the web/IP. I can download logs I create ad-hoc but I can't retrieve anything from past logs, which I used to do. I was never able to see the log files on the subscriber through the publisher login. I contacted TAC about fixing IDP; they said it was an IDP issue, but the IDP team says it's a CLP config issue. I think my only solution to provide the necessary info for IDP is to stop/disable the SSO service to log into the subscriber separately. I am able to log into the subscriber via SSH. But now that the publisher is in the IDP database & so forth, I won't be able to stop the SSO service and log in with a local admin account anymore; it will get redirected to an IDP error page that the webpage is unavailable or not configured.

     I had a call with TAC already, providing SAML tracker & access tracker information:

    Call summary:

    Hosted the session

    Understood that not able to log in to the subscriber since SSO is enabled

    However sso is successful on publisher.

    Explained that ClearPass redirects to the IDP page, where the browser will generate the SAML request to the IDP

    In our case it was successful, but the response to the request was "the website does not exist or configuration is disable"

    So requested to check on IDP end to narrow down the issue.

    As no assistance was required, dropped from the session



  • 2.  RE: SSO issues with subscriber on CLP cluster

    Posted Jul 06, 2023 07:17 AM

    I think you need to configure the subscriber(s) as SP in your IdP as well. That may need some manual modification of the SP Metadata, especially when the FQDNs are not set up properly on ClearPass. The error you display seems to be from the IdP, so I agree having a look at your IdP, and more specifically its SP configurations, may be the proper next step.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: SSO issues with subscriber on CLP cluster

    Posted Jul 06, 2023 03:05 PM
    Edited by vvajpeyi Jul 06, 2023 04:27 PM

    Hello, thank you for the response. The problem is I can't provide the exact SP metadata on the subscriber since our IDP is now doing the redirect and sending the invalid token. I know exactly where to navigate on the publisher, but since I can't access the subscriber GUI page anymore I can't provide the SP. I'm assuming there is no way to SSH as the appadmin on the subscriber and download it via terminal shell? The one possibility I considered is enabling Insight on the subscriber. The SSO service application condition has BELONGS_TO set to GuestOperators, Insight and Policy Manager. The other ways I thought of to get back to the subscriber GUI to download the SP metadata in Identity > SSO are to effectively stop the SSO service from running or remove Policy Manager from the condition in the service. My concern is that disabling the SSO service or removing Policy Manager will effectively break any path to log back into our Publisher without getting help from the IDP team to fix or undo their work. Another possible fix is changing the publisher device IP to resolve to our VIP instead. Would changing the resolve from the device IP to the VIP be a better option?

    Thank you 
    Best




  • 4.  RE: SSO issues with subscriber on CLP cluster
    Best Answer

    Posted Jul 07, 2023 07:38 AM

    The SP metadata that you download from the publisher also includes all of your subscribers, so it is supposed to support the situation where you can SSO with an external IdP to each of your ClearPass nodes. That means it does not make sense to download the Metadata from your subscriber, as it is the same as from your publisher. Where you can download the SP Metadata in ClearPass, there is also a link to the metadata, and you could change the hostname there to the hostname or IP of your subscriber. Because getting SAML/SSO set up properly can be quite challenging in my experience (it's multidisciplinary), and near impossible if you don't control the IdP or can't do troubleshooting from the IdP, it may be better to schedule a troubleshooting session with your IdP team and your Aruba partner or Aruba Support.



    ------------------------------
    Herman Robers
    ------------------------
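    The answer above hinges on whether the SP metadata the IdP holds actually lists every cluster node. The script below is an added example, not code from the thread or from ClearPass: it parses a constructed, generic SAML 2.0 SP metadata document (the hostnames and entityID are made up) and reports which node FQDNs have no AssertionConsumerService endpoint, which is the kind of gap that leaves a subscriber unable to complete SSO.

```python
# Added example (not from the thread or from ClearPass): parse a SAML 2.0 SP
# metadata document and list which cluster nodes it advertises as ACS endpoints,
# so an IdP admin can see whether the subscribers are actually covered.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata (not real ClearPass output): one entityID with
# ACS endpoints for a publisher and one subscriber, but not a second subscriber.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cppm-pub.example.com/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cppm-pub.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cppm-sub1.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def acs_hosts(metadata_xml: str) -> set[str]:
    """Return the hostnames advertised as AssertionConsumerService locations."""
    root = ET.fromstring(metadata_xml)
    hosts = set()
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        host = urlparse(acs.get("Location", "")).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def missing_nodes(metadata_xml: str, cluster_nodes: list[str]) -> list[str]:
    """List cluster node FQDNs that have no ACS endpoint in the metadata.
    A node missing here cannot complete SSO: the IdP has no registered endpoint
    to return the assertion to, matching the subscriber symptom in the thread."""
    advertised = acs_hosts(metadata_xml)
    return [n for n in cluster_nodes if n.lower() not in advertised]

if __name__ == "__main__":
    nodes = ["cppm-pub.example.com", "cppm-sub1.example.com", "cppm-sub2.example.com"]
    print("ACS hosts:", sorted(acs_hosts(SAMPLE_SP_METADATA)))
    print("nodes missing from metadata:", missing_nodes(SAMPLE_SP_METADATA, nodes))
```

Run it against the metadata downloaded from the publisher and the list of cluster FQDNs; any node it reports as missing needs to be added to the IdP's SP configuration before SSO to that node can work.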