Configuring Azure AD as the SAML IDP with Greenlake Cloud Platform and Aruba Central

Single sign-on (SSO) enables users to securely authenticate with multiple applications and websites by logging in only once—with just one set of credentials (username and password). With SSO, the application or website that the user is trying to access relies on a trusted third party (Identity provider) to verify that users are who they say they are.

This is the general process for configuring Azure AD to authenticate users into Greenlake Cloud Platform (GLCP) and Aruba Central using SAML IDP.

The Okta version of this guide can be found on WIFI-GUYS

Contents

• Configuring Azure AD as the SAML IDP with Greenlake Cloud Platform and Aruba Central
  • Contents
  • Before you Begin
  • Terms used in this document
  • Steps to Configure SSO/SAML Application in Azure AD
  • Step 1: Create an Azure AD Enterprise Application
  • Step 2: Configure GCLP for SAML Federation
  • Login to GLCP and Aruba Central using Azure AD
  • Using Azure AD MFA
  • Troubleshooting
  • Appendix: Generating the hpe_ccs_attribute

Before you Begin

This document references the following documentation:

• HPE Greeenlake User Guide

• Single sign-on (SS) authentication

• HPE Greenlake Platform Guide

If you’re looking for the Central 2.5.4 SAML integration guide, it has been moved.

Terms used in this document

• CCS: Common Cloud Service
• GLPC: GreenLake Cloud Platform
• SSO: Single Sign On
• SAML: Security Assertion Markup Language
• AD: Active Directory
• MFA: Multi-Factor Authentication
• MSP: Managed Service Proivder
• XML: eXtensible Markup Language

Steps to Configure SSO/SAML Application in Azure AD

To configure SSO in Aruba Central, first download the metadata file from Azure AD.

1. Create an Enteprise Application in the [Azure Portal](https://portal.azure.com)
2. Configure the Enterprise Application for GLCP
3. Download the federated metadata XML file from Enterprise Application
4. Claim and Configure your domain within GLCP
5. Upload the federated metadata XML file to GLCP
6. Create recovery account

Step 1: Create an Azure AD Enterprise Application

• Log into to Azure portal.

• Click Enterprise Applications (you may need to search for it, if it’s not on your menu)

• Click New Application

• Click Create your own Application

  Enter the name of your app. (Ex: Aruba Central USWEST 4)

• Select Integrate any other application you don’t find in the gallery (Non-gallery)

• Under Step 1: Assign users and groups, select the AD Group you created at the beginning of this document.

  

• Under Step 2: Set Up Signle sign on

• The default setting is Disabled. Select SAML

  

• Under Basic SAML Configuration, click Edit

  Attribute	Values
  Identifier (Entity ID):	https://sso.common.cloud.hpe.com
  Reply URL (Assertion Consumer Service URL):	https://sso.common.cloud.hpe.com/sp/ACS.saml2

• Under Attributes & Claims

  Attribute	Value
  emailaddress	user.givenname
  name	user.userprincipalname
  gl_first_name	user.givenname
  gl_last_name	user.surname
  hpe_ccs_attribute	See Below

    version_1#2fd5f97acbc211ecadc006baf610dd36:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator:ALL_SCOPES
  	
    Where the PCID (2fd5f97acbc211ecadc006baf610dd36) is your ID for GLCP
    and App ID (683da368-66cb-4ee7-90a9-ec1964768092) for your Central cluster
  	
  

  For more details on the hpe_ccs_attritube, see the Appendix: Generating the hpe_ccs_attribute

• Click Download under Step 3 : Federation Metadata XML

Step 2: Configure GCLP for SAML Federation

• Login to GLCP and select Manage

• Select the Authentication tile

• Claim your domain for SAML

• Upload the Federation Metadata XML file from the previous section.

• Apply the following configuration settings. These should match the First and Last Name settings you set above for Azure.

• Create the recovery user per the instructions
• Validate the settings are correct
• Save and Finish the configruation.
• If you get an error that the SAML configuraiton wasn’t completed using the account with the @domain.com. You’ll have to log back up and login with the SAML domain and go through the above configuration again.

Login to GLCP and Aruba Central using Azure AD

• Once you’ve completed the above steps, login to central using your Azure AD email.

• If everything is working correctly, you should have logged into GLCP and Aruba Central is an option to Launch.

Using Azure AD MFA

• By default, Azure AD enables MFA. However, for testing and demos, it’s much easier to disable MFA on your accounts. To disable MFA, please see the following documentation: What are security defaults

Troubleshooting

• There’s a useful 3rd party browser tool called: SAML Tracer
• This tool will allow you to verify the attributes you’re sending to Central.
• It can be useful when configuratin SAML with multiple Central accounts or domains
• SAML Tracer Chrome FireFox

Appendix: Generating the hpe_ccs_attribute

The hpe_ccs_attribute is used to determine your GLCP account. The format for the hpe_ccs_attribute is as follows:

An Example hpe_ccs_attribute for a single GLCP and Aruba Central account would be:

version_1#2fd5f97acbc211ecadc006baf610dd36:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator:ALL_SCOPES

or

version_1#5b0ec0e8b4f411eca432ba72799953ac:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator:ALL_SCOPES#5b0ec0e8b4f411eca432ba72799953ac:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES

If you’re a Managed Service Provider (MSP), then the hpe_ccs_attribute for Administrator rights to GLCP and Aruba Central for all customer tenant accounts:

version_1#d951f8c8c67711eca2cf9efb55836a4d:00000000-0000-0000-0000-000000000000:Account Administrator|TENANT|:ALL_SCOPES:00000000-0000-0000-0000-000000000000:Account Administrator|MSP|:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator|TENANT| : ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator|MSP| : ALL_SCOPES

The hpe_ccs_attribute string for a tenant under a MSP account, would be below. However, you must have the SAML domain configuration configured for that tenant account using the same setting as the MSP account. To say it another way, you must go through this configuration for each tenant account under the MSP.

version_1#f9ee1cdecc1611ecb00e9e24ed17d2a7:00000000-0000-0000-0000-000000000000:Observer|TENANT| :ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Administrator|TENANT| :ALL_SCOPES