Security

Greetings.    We are in the midst of deploying ClearPass 6.11 to replace another solution.   When configuring we saw that SSO was available and configured it to use against Azure AD.    This will give us single sign on, as well as MFA.    We configured it and tested it, first with Insight, and everything worked great.   We then activated it for Policy Manager and everything appeared to work.   The problem I have is when attempting to log into either of the subscribers in the cluster, they are sending the Identifier as their own hostname, rather than the hostname of the publisher, which is how the identifier is defined in Azure.   The error returned is below.

Message: AADSTS700016: Application with identifier 'https://hostsub1.domain.com/networkservices/saml2/sp' was not found in the directory 

Is there a way to configure the ClearPass subscribers to send a specific Identifier to Azure in the SAML request?    They should be able to authenticate against a single Enterprise Application.  

Thank you.

Azure AD allows specifying multiple Identifiers (Entity IDs) in the enterprise application SSO configuration, have you tried adding the subscriber URLs there?
Original Message:
Sent: Dec 16, 2022 02:48 PM
From: Michael Parzynski
Subject: ClearPass SSO for Policy Manager - subscriber access

Greetings.    We are in the midst of deploying ClearPass 6.11 to replace another solution.   When configuring we saw that SSO was available and configured it to use against Azure AD.    This will give us single sign on, as well as MFA.    We configured it and tested it, first with Insight, and everything worked great.   We then activated it for Policy Manager and everything appeared to work.   The problem I have is when attempting to log into either of the subscribers in the cluster, they are sending the Identifier as their own hostname, rather than the hostname of the publisher, which is how the identifier is defined in Azure.   The error returned is below.

Message: AADSTS700016: Application with identifier 'https://hostsub1.domain.com/networkservices/saml2/sp' was not found in the directory 

Is there a way to configure the ClearPass subscribers to send a specific Identifier to Azure in the SAML request?    They should be able to authenticate against a single Enterprise Application.

Thank you.

Thank you @TRS-80.   Apparently, the way the EA was created (by someone other than me), it didn't allow adding any additional Identifiers.    After creating a new EA we are able to add the multiple URLs.   ​
Original Message:
Sent: Dec 19, 2022 11:40 PM
From: James Andrewartha
Subject: ClearPass SSO for Policy Manager - subscriber access

Azure AD allows specifying multiple Identifiers (Entity IDs) in the enterprise application SSO configuration, have you tried adding the subscriber URLs there?
Original Message:
Sent: Dec 16, 2022 02:48 PM
From: Michael Parzynski
Subject: ClearPass SSO for Policy Manager - subscriber access

Greetings.    We are in the midst of deploying ClearPass 6.11 to replace another solution.   When configuring we saw that SSO was available and configured it to use against Azure AD.    This will give us single sign on, as well as MFA.    We configured it and tested it, first with Insight, and everything worked great.   We then activated it for Policy Manager and everything appeared to work.   The problem I have is when attempting to log into either of the subscribers in the cluster, they are sending the Identifier as their own hostname, rather than the hostname of the publisher, which is how the identifier is defined in Azure.   The error returned is below.

Message: AADSTS700016: Application with identifier 'https://hostsub1.domain.com/networkservices/saml2/sp' was not found in the directory 

Is there a way to configure the ClearPass subscribers to send a specific Identifier to Azure in the SAML request?    They should be able to authenticate against a single Enterprise Application.

Thank you.

I found this thread looking for a slightly similar issue with SAML metadata URIs not being what we wanted when upgrading from Clearpass 6.10 to 6.11, so adding the fix we used in case anyone else gets stuck

We have two Clearpass servers as a publisher and subscriber then a Virtual IP with a common FQDN of clearpass.x.x

The SAML metadata URI for both the subscriber and publisher was defaulting to their own hostnames of acp24...-01 and acp24...-02 where 01 is normally the publisher and 02 is normally the subscriber.

This was breaking our previously working SAML config which was expecting the requests to be coming from clearpass.x.x and then redirect the user back to clearpass.x.x, but with the default config as mentioned above, the SAML process was redirecting users to the individual hostnames of acp24...-01/-02

The fix to this was setting the 'FQDN' setting in [ 'Administration' -> 'Server Configuration' then click on each server name ] to clearpass.x.x (our common FQDN)

This then changed the SAML metadata URI to be the common FQDN shared between the two boxes, instead of each individual hostname. It also means just the single SAML SP config works even when the two boxes switch publisher and subscriber state.

Original Message:
Sent: Dec 16, 2022 02:48 PM
From: mparzyns
Subject: ClearPass SSO for Policy Manager - subscriber access

Greetings.    We are in the midst of deploying ClearPass 6.11 to replace another solution.   When configuring we saw that SSO was available and configured it to use against Azure AD.    This will give us single sign on, as well as MFA.    We configured it and tested it, first with Insight, and everything worked great.   We then activated it for Policy Manager and everything appeared to work.   The problem I have is when attempting to log into either of the subscribers in the cluster, they are sending the Identifier as their own hostname, rather than the hostname of the publisher, which is how the identifier is defined in Azure.   The error returned is below.

Message: AADSTS700016: Application with identifier 'https://hostsub1.domain.com/networkservices/saml2/sp' was not found in the directory 

Is there a way to configure the ClearPass subscribers to send a specific Identifier to Azure in the SAML request?    They should be able to authenticate against a single Enterprise Application.  

Thank you.