Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest Self-Registration SAML Account for Guest Username

  • 1.  ClearPass Guest Self-Registration SAML Account for Guest Username

    Posted Sep 04, 2019 07:09 PM

    Is there a way to have users log into a Guest Self-Registration workflow in ClearPass Guest using SAML credentials? I know that before allowing a user to get to the self-registration form we can do a SAML Pre-Auth, but no information is then passed to ClearPass for the purpose of Guest account creation, and the username/email they choose is not validated, which means that a user can then make up any email address or username for their Guest account. Is there a way to pass the SAML username to CPPM Guest and have the generated Guest password be used with the SAML username as the Guest username? Basically to somehow link an SSO/SAML account with a guest account after it is created. It would be nice if they could then log in to the self-registration portal with their SAML credentials and be able to change their associated Guest password as well if required.



  • 2.  RE: ClearPass Guest Self-Registration SAML Account for Guest Username

    EMPLOYEE
    Posted Sep 04, 2019 11:31 PM

    1. You can also explore the option of Social Login for guests.

    2. You can ensure that the password is sent to an email and only then can the guest user login. This ensures the email address used is correct.

    3. You can also provide the self-service portal for guests to change their password.



  • 3.  RE: ClearPass Guest Self-Registration SAML Account for Guest Username

    Posted Sep 05, 2019 01:38 AM
    Thanks for the reply. I saw the option for social login, however this site is using an on-prem Shibboleth implementation for SAML/SSO and I didn’t see this as an option under the cloud providers. Any idea what would need to be configured to get this working? Also, is there any way to pass information from SAML to CPPM guest so that there is some sort of association between their SAML account or username and their CPPM Guest account/username?


  • 4.  RE: ClearPass Guest Self-Registration SAML Account for Guest Username

    EMPLOYEE
    Posted Sep 05, 2019 04:03 AM

    If I am correct, in this case you have your own IdP and ClearPass will act as an SP. See if this guide helps you:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33305

     

    Once authenticated, ClearPass will grant guest access but will not create a guest user in the Guest repository.



  • 5.  RE: ClearPass Guest Self-Registration SAML Account for Guest Username

    Posted Sep 05, 2019 09:05 PM

    Thank you, but yes, I already have ClearPass set up as a SAML SP and it's working well for admin login and guest portal preauth using our SAML IdP, however still not quite what I am looking for here...

     

    Another point I have noticed:  When I create a Guest user account with the self-service portal it will set the sponsor_name field on the created account to my SAML username, however the Guest user account username is set to whatever I type into the email field during self-registration.  Is there a way for self-registration to automatically set the Guest user account username to be the same as the sponsor_name field and then just prevent them from setting their own username?  This would allow us to ensure that the Guest username is the same as the SAML username, which is our desired outcome.  

     

    I do not have "require sponsor confirmation" enabled, by the way; it appears that this sponsor_name is just being auto-populated from the preauth SAML authentication.



  • 6.  RE: ClearPass Guest Self-Registration SAML Account for Guest Username

    Posted Sep 09, 2019 02:20 AM

    I have also tried using a validator on the username field for the self-registration form in order to force the user to enter the same username as their sponsor_name (which appears to be auto-populated from their SAML username), however this doesn't appear to be working either. I set the username field validator to IsIdentical and set the validator param to sponsor_name, however when I try to fill out the self-registration form it always shows the validation error message for this username field, almost as if the sponsor_name field is not yet known when filling out the form.

     

    Does anyone have any other ideas on how to force the Guest account username to be the same as the SAML account username for self-registration?  Or is there a way to auto-populate the username field from the sponsor_name field, or SAML username?