ClearPass SAML Service and Enforcement?
02-08-2019 09:32 AM
I'm working on a pseudo-guest access project that uses SalesForce as an identity provider and ClearPass as the SAML SP. We basically followed the SAML configuration guide by Bob Filer, and we have the service working to a degree.
To reference the guide, there are essentially two separate services created for the SAML deployment.
1. ClearPass Admin SSO Login (SAML SP Service)
2. Guest Access
We have the IdP configured to pass back some user attributes in the SAML response (things like their location, bandwidth contract, etc.) and we've created the necessary application dictionary entries.
I can see these as computed attributes in the Access Tracker hit for the first service.
Where I'm stuck is how to get the computed attributes from the first service pushed through to the second service. These attributes would be used as an extra means of profiling and enforcement.
For example, if the SAML response comes through with a username, location, and bandwidth contract, I would like to add that information to the endpoint repository. However, that information can't be added on the first service (SAML SP Service) because it's not aware of the endpoint MAC address. It needs to be passed through to the second service (Guest Access) where Aruba-User-Roles and other enforcement is applied.
Has anyone experienced this before?
Re: ClearPass SAML Service and Enforcement?
02-08-2019 09:39 AM