How SAML SSO Logout works on Aruba Central
10-02-2019 06:02 PM
- How does SAML SSO logout work on Aruba Central?
- For a SAML SSO solution with Aruba Central, we must configure a valid SAML authorization profile in the Aruba Central portal, which is described under Documentation > Support for SAML SSO.
- SAML SSO can be configured with different IdP types, such as Metadata, Microsoft ADFS, ClearPass, etc.
Key Elements of SAML SSO:
- Service Provider (SP)—The provider of a business function or service; For example, Aruba Central. The service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the service provider allows a user to access the service.
- Identity Provider (IdP)—The Identity Management system that maintains identity information of the user and authenticates the user.
- SAML request—The authentication request that is generated when a user tries to access the Aruba Central portal.
- SAML Assertion—The authentication and authorization information issued by the IdP to allow access to the service offered by the service provider (the Aruba Central portal).
- Relying Party—The business service that relies on SAML assertion for authenticating a user; For example, Aruba Central.
- Asserting Party—The Identity management system or the IdP that creates SAML assertions for a service provider.
- Metadata—Data in the XML format that is exchanged between the trusted partners (IdP and Aruba Central) for establishing interoperability.
- SAML attributes—The attributes associated with the user; for example, username, customer ID, role, and group in which the devices belonging to a user account are provisioned. The SAML attributes must be configured on the IdP according to specifications associated with a user account in Aruba Central. These attributes are included in the SAML assertion when Aruba Central sends a SAML request to the IdP.
- Entity ID—A unique string to identify the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not required as a URL by all providers.
- Assertion Consumer Service (ACS) URL—The URL that sends the SAML request and receives the SAML response from the IdP.
- User—User with SSO credentials.
- Once SAML SSO is configured correctly as per the documentation, we should be able to authenticate successfully using SAML SSO.
- After successful authentication, when a user tries to log out, the user is logged out and redirected to the Aruba Central login page https://portal.central.arubanetworks.com/platform/login/user, even if the Response URL on the IdP server is set to an SSO logout page.
- This is because Aruba Central does not support the ‘Single Logout (SLO)’ transaction flow for SAML SSO. The user is logged out only from the Aruba Central app, not from the IdP server, and the session on the IdP server stays active until the browser session is closed, which terminates the active session cookie on the IdP.
- We can verify this by collecting a .har file (Developer Tools > Network) and SAML logs (by installing the SAML Chrome Panel extension).
HAR File Logs:
- We can see the entire transaction from login to logout.
- We will be able to see the logout request URL redirecting to the Aruba Central login page.
SAML Panel Logs:
- We will only see the login request POST and no logout POST, because Aruba Central only ends the user's local session and does not send any SAML request to the IdP to terminate the active session there.
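As an added example (not Aruba tooling), the script below reads a HAR capture like the one described above, decodes every SAMLRequest/SAMLResponse it carries (POST and HTTP-Redirect bindings) and reports each message's root element, so the absence of a LogoutRequest to the IdP after logout is visible without reading the raw XML. The sample capture and its hostnames are constructed; only the Central login URL is taken from the post.

```python
# Added example, not Aruba tooling: list the SAML messages in a HAR capture so the
# missing LogoutRequest after a Central logout is obvious. Sample hostnames are made up.
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

CENTRAL_LOGIN = "https://portal.central.arubanetworks.com/platform/login/user"

def _root(value, redirect_binding):
    raw = base64.b64decode(value)
    if redirect_binding:  # HTTP-Redirect binding: DEFLATE-compressed before base64
        raw = zlib.decompress(raw, -15)
    return ET.fromstring(raw).tag.rsplit("}", 1)[-1]  # root element, namespace stripped

def saml_messages(har):
    """Return [(request URL, root element)] for every SAML message in the capture."""
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        params = [(p["name"], p["value"]) for p in req.get("postData", {}).get("params", [])]
        redirect = not params  # no POST body: the message, if any, is in the query string
        if redirect:
            params = [(k, v[0]) for k, v in parse_qs(urlsplit(req["url"]).query).items()]
        for name, value in params:
            if name in ("SAMLRequest", "SAMLResponse"):
                found.append((req["url"], _root(value, redirect)))
    return found

def login_redirects(har):
    """Request URLs whose response redirected the browser to the Central login page."""
    return [e["request"]["url"] for e in har["log"]["entries"]
            if any(h["name"].lower() == "location" and h["value"].startswith(CENTRAL_LOGIN)
                   for h in e.get("response", {}).get("headers", []))]

def has_single_logout(har):
    return any(root == "LogoutRequest" for _, root in saml_messages(har))  # SLO seen?

# Constructed capture: AuthnRequest to the IdP, Response to the ACS URL, then a
# logout answered by a plain redirect to the Central login page (no SLO message).
NS = "urn:oasis:names:tc:SAML:2.0:protocol"
_b64 = lambda xml: base64.b64encode(xml.encode()).decode()
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://idp.example.test/sso", "postData": {"params": [
        {"name": "SAMLRequest", "value": _b64(f'<samlp:AuthnRequest xmlns:samlp="{NS}" ID="_1"/>')}]}}},
    {"request": {"url": "https://central.example.test/saml/acs", "postData": {"params": [
        {"name": "SAMLResponse", "value": _b64(f'<samlp:Response xmlns:samlp="{NS}" ID="_2"/>')}]}}},
    {"request": {"url": "https://central.example.test/logout"},
     "response": {"status": 302, "headers": [{"name": "Location", "value": CENTRAL_LOGIN}]}},
]}}
```

Run `saml_messages` and `has_single_logout` over a real export from Developer Tools > Network; a capture that ends in a login-page redirect with no LogoutRequest is exactly the behaviour described above.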