New Contributor

ClearPass SAML Service and Enforcement?

Hi all,

I'm working on a pseudo-guest access project that uses Salesforce as an identity provider and ClearPass as the SAML SP. We basically followed the SAML configuration guide by Bob Filer, and we have the service working to a degree.

 

To reference the guide, there are essentially two separate services created for the SAML deployment.

1. ClearPass Admin SSO Login (SAML SP Service)

2. Guest Access

 

We have the IdP configured to pass back some user attributes in the SAML response (things like their location, bandwidth contract, etc.) and we've created the necessary application dictionary entries.

I can see these as computed attributes in the Access Tracker hit for the first service.

 

Where I'm stuck is how to get the computed attributes from the first service pushed through to the second service. These attributes would be used as an extra means of profiling and enforcement.

 

For example, if the SAML response comes through with a username, location, and bandwidth contract, I would like to add that information to the endpoint repository. However, that information can't be added on the first service (SAML SP Service) because it's not aware of the endpoint MAC address. It needs to be passed through to the second service (Guest Access) where Aruba-User-Roles and other enforcement is applied.

 

Has anyone experienced this before?

Guru Elite

Re: ClearPass SAML Service and Enforcement?

Unfortunately this is not supported today.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.