Contributor I

Problem with SAMl services.

Hopefully someone here on the community site has run into this and can offer some help on setting up CPPM to be a service provider and a identity provider. I have two issues that I cant seem to over come.


The first is the authentication source. Under the IdP service authentication, I ONLY have an AD server specified, but the service (when viewed in Tracker) is only looking at the local user store for authorization and nothing for authentication. Not sure why this is.


The second issue is, both of the services (SP and IdP) have been setup with the default values from the templates. Under Identity, SSO, I have enabled the Insight application and specified the IdP URL and the Service Provider Metadata has been imported. The problem I am seeing, when I attempt to login, I get a service classification failed. The only work around is to change the “Service Rule” from All to Any. After making this change, looking at the request under Access Tracker, everything that is listed under the “Service Rule” is in the request, but it fails when set to All conditions must be meet. I am at a loss as to what conditions are needed to make this service true.


Any help would be appreciated.

Re: Problem with SAMl services.

Did you review the tech-note on the support site?
Thank You,

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor I

Re: Problem with SAMl services.

I had not seen that technote, but reviewing what I had configured against what was in the PDF was very close.  I had an incorrect URL for the IdP service that now has been corrected, but I am still getting a ServiceClassification failed {No service matched}.

Re: Problem with SAMl services.

Have you taken the Application Name Service rules from the TechNote?


Do you see the Service Classification failed for the IdP or for the SP?


If you receive a Classification Failed, you either have:

- no Application Service configured (note that the service type is different than RADIUS, TACACS or WebAuth)

- or none of the services had matching Service Rules. 


One method that works in most cases, is to create a generic Service on the bottom of the service list, that has a dummy matching rule, like Application Name EXISTS (matches on everything); then if you try to access it, in the Access Tracker you should be able to see the Request contents and find the used information there to fine-tune your service rules.


For the IdP, Application Name EQUALS SAML should work,

For the SP, Authentication Type EQUALS SSO should work.



If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Search Airheads
Showing results for 
Search instead for 
Did you mean: