Aruba Central Online Help

SAML SSO for Aruba Central

The Single Sign-On (SSO) solution simplifies user management by allowing users to access multiple applications and services with a single set of login credentials. If the applications and services are offered by different vendors, IT administrators can use the Security Assertion Markup Language (SAML) authentication and authorization framework to provide a seamless login experience for their users.

To provide a seamless login experience for users whose identity is managed by an external authentication source, Aruba Central now offers a federated SSO solution based on the SAML 2.0 authentication and authorization framework. SAML is an XML-based open standard for exchanging authentication and authorization data between trusted partners; in particular, between an application service provider and the identity management system used by an enterprise. With Aruba Central's SAML SSO solution, organizations can manage user access using a single authentication and authorization source.

SAML SSO Solution Overview

The SAML SSO solution consists of the following key elements:

  • Service Provider (SP)—The provider of a business function or service, for example, Aruba Central. The service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the service provider allows a user to access the service.
  • Identity Provider (IdP)—The identity management system that maintains the identity information of the user and authenticates the user.
  • SAML Request—The authentication request that is generated when a user tries to access the Aruba Central portal.
  • SAML Assertion—The authentication and authorization information issued by the IdP to allow access to the service offered by the service provider (the Aruba Central portal).
  • Relying Party—The business service that relies on the SAML assertion for authenticating a user, for example, Aruba Central.
  • Asserting Party—The identity management system or IdP that creates SAML assertions for a service provider.
  • Metadata—Data in XML format that is exchanged between the trusted partners (the IdP and Aruba Central) to establish interoperability.
  • SAML Attributes—The attributes associated with the user; for example, username, customer ID, role, and the group in which the devices belonging to the user account are provisioned. The SAML attributes must be configured on the IdP according to the specifications associated with the user account in Aruba Central. These attributes are included in the SAML assertion that the IdP returns after Aruba Central sends it a SAML request.
  • Entity ID—A unique string that identifies the service provider issuing a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require it to be a URL.
  • Assertion Consumer Service URL—The service provider URL that sends the SAML request and receives the SAML response from the IdP.
  • User—A user with SSO credentials.

How SAML SSO Works

Aruba Central supports the following types of SAML SSO workflows:

  • SP-initiated SSO
  • IdP-initiated SSO

SP-initiated SSO

In an SP-initiated SSO workflow, the SSO request originates from the service provider domain, that is, from Aruba Central. When a user tries to access Aruba Central, a federation authentication request is created and sent to the IdP server.

The following figure illustrates the standard SP-Initiated SAML SSO workflow:

Figure 1  SP-Initiated SSO

The SP-initiated SSO workflow with Aruba Central is supported only through the HTTP Redirect POST method. In other words, Aruba Central sends an HTTP redirect message carrying an authentication request to the IdP through the user's browser, and the IdP sends a SAML response with an assertion back to Aruba Central through HTTP POST.

The SP-initiated SSO workflow with HTTP Redirect POST includes the following steps:

  1. The user tries to access Aruba Central and the request is redirected to the IdP.
  2. Aruba Central sends an HTTP redirect message with the SAML request to the IdP, through the user's browser, for authentication.
  3. The user logs in with the SSO credentials.
  4. On successful authentication, the IdP sends a digitally signed HTML form containing the SAML assertion and attributes to Aruba Central through the web browser.
  5. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central grants the user access.
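The exchange above, as an added example that is not part of Aruba Central's code or this help page: the SP side builds the AuthnRequest and packs it for the HTTP Redirect binding (raw DEFLATE, base64, URL-encode), and then applies the step 5 checks to the POSTed response: Destination equals the ACS URL, InResponseTo equals the request ID that was issued, status is Success, the assertion is inside its NotBefore/NotOnOrAfter window, the Audience equals the SP Entity ID, and the required attributes are present. All URLs, the Entity ID, the attribute names and the sample response are constructed placeholders, not Aruba Central's real values. XML signature verification is assumed to have been done first with an XML-DSig library and is not shown.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints: the real Entity ID and ACS URL are the ones published in
# the SP (Aruba Central) metadata, and the IdP SSO URL comes from the IdP metadata.
SP_ENTITY_ID = "https://central.example.com/saml/metadata"
ACS_URL = "https://central.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
REQUIRED_ATTRS = ("username", "role")  # hypothetical attribute names configured on the IdP
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_authn_request(request_id, issue_instant):
    """Step 2: the SP's AuthnRequest, asking the IdP to reply by HTTP POST to the ACS URL."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_url(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def decode_saml_request(url):
    """Inverse of redirect_url: what the IdP does with the SAMLRequest query parameter."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_ts(value):
    """SAML xs:dateTime ("...Z") to a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(response_xml, expected_request_id, now):
    """Step 5 checks on the POSTed response; signature verification is assumed done already."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the request we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no Assertion element"], {}
    conds = assertion.find("saml:Conditions", NS)
    window_ok = (conds is not None and conds.get("NotOnOrAfter") is not None
                 and parse_ts(conds.get("NotBefore", "1970-01-01T00:00:00Z")) <= now
                 < parse_ts(conds.get("NotOnOrAfter")))
    if not window_ok:
        problems.append("assertion is outside its validity window")
    audience = None if conds is None else conds.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        problems.append("Audience is not our Entity ID")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"required attribute '{name}' is missing")
    return not problems, problems, attrs


# Constructed, unsigned sample response answering the request with ID "_req1".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-01T10:00:05Z"
  Destination="{ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:05Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>readonly</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `redirect_url(build_authn_request("_req1", "2024-01-01T10:00:00Z"), "/dashboard")` gives the URL the browser is redirected to in step 2; `validate_response(SAMPLE_RESPONSE, "_req1", parse_ts("2024-01-01T10:01:00Z"))` returns `(True, [], {...})`, and the same response checked against a different request ID, a later clock, or a foreign Audience is rejected with the matching reason. The InResponseTo and Audience checks are what stop an assertion minted for another service, or replayed from another login, from being accepted.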

IdP-initiated SSO

In the IdP-initiated workflow, the SSO request originates from the IdP domain. The IdP server creates a SAML response and redirects the user to Aruba Central.

The Aruba Central SAML SSO deployments support the IdP-initiated SSO workflow through the HTTP POST method. The IdP-initiated SSO workflow consists of the following steps:

  1. The user is logged in to the IdP and tries to access Aruba Central.
  2. The IdP sends a digitally signed HTML form containing the SAML assertion and attributes to Aruba Central through the web browser.
  3. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central grants the user access.

The following figure illustrates the standard IdP-Initiated SAML SSO workflow:

Figure 2  IdP-Initiated SSO

SAML SSO Single Logout

Aruba Central supports Single Logout (SLO) of SAML SSO users. SLO allows users to terminate server sessions established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either from the Service Provider or the IdP. However, Aruba Central supports only the IdP-initiated SLO.

IdP-initiated SAML SLO

The IdP-initiated logout workflow includes the following steps:

  1. The user logs out of the IdP.
  2. The IdP sends a logout request to Aruba Central.
  3. Aruba Central validates the logout request from the IdP, terminates the user session, and sends a logout response to the IdP.
  4. The user is logged out of Aruba Central.
  5. After the IdP receives a logout response from all service providers, the IdP logs the user out.
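Steps 3 and 4 of the IdP-initiated SLO workflow, as an added example that is not Aruba Central's code: the service provider checks that the LogoutRequest comes from the configured IdP, is addressed to its own SLO URL, has not passed its NotOnOrAfter time, and names a session it actually holds (NameID plus SessionIndex); only then does it drop the session, and in every case it answers with a LogoutResponse whose InResponseTo ties it to the request. The entity IDs, URLs, session table and sample request are constructed placeholders, and verification of the request's XML signature is assumed to have happened before this code runs.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime

# Hypothetical identifiers; the real ones are those exchanged in the IdP and SP metadata.
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
SP_ENTITY_ID = "https://central.example.com/saml/metadata"
SP_SLO_URL = "https://central.example.com/saml/slo"
IDP_SLO_URL = "https://idp.example.com/saml/slo"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"


def parse_ts(value):
    """SAML xs:dateTime ("...Z") to a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def handle_logout_request(request_xml, now, sessions):
    """Step 3: validate the IdP's LogoutRequest, end the matching session, build the LogoutResponse.
    `sessions` maps the SessionIndex issued at login to the NameID of the session owner.
    The request's XML signature is assumed to have been verified already (not shown)."""
    req = ET.fromstring(request_xml)
    issuer = req.find("saml:Issuer", NS)
    name_id = req.find("saml:NameID", NS)
    index = req.find("samlp:SessionIndex", NS)
    expiry = req.get("NotOnOrAfter")
    reason = None
    if issuer is None or issuer.text != IDP_ENTITY_ID:
        reason = "Issuer is not the configured IdP"
    elif req.get("Destination") != SP_SLO_URL:
        reason = "Destination is not our SLO URL"
    elif expiry is not None and now >= parse_ts(expiry):
        reason = "LogoutRequest has expired"
    elif index is None or name_id is None or sessions.get(index.text) != name_id.text:
        reason = "no session matches the NameID and SessionIndex"
    if reason is None:
        del sessions[index.text]  # step 4: the user is logged out of the service provider
    status = SUCCESS if reason is None else REQUESTER
    response = (
        f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.isoformat()}" '
        f'Destination="{IDP_SLO_URL}" InResponseTo="{req.get("ID")}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        "</samlp:LogoutResponse>"
    )
    return reason is None, reason, response


def demo_sessions():
    """Constructed session table: SessionIndex -> NameID of the logged-in user."""
    return {"_sess-42": "alice@example.com", "_sess-43": "bob@example.com"}


# Constructed, unsigned LogoutRequest as the IdP would POST it after the user logs out there.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_logout1" Version="2.0" IssueInstant="2024-01-01T11:00:00Z"
  Destination="{SP_SLO_URL}" NotOnOrAfter="2024-01-01T11:05:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:NameID>alice@example.com</saml:NameID>
  <samlp:SessionIndex>_sess-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```

With `sessions = demo_sessions()`, `handle_logout_request(SAMPLE_LOGOUT_REQUEST, parse_ts("2024-01-01T11:00:30Z"), sessions)` ends Alice's session, leaves Bob's untouched, and returns a Success LogoutResponse with `InResponseTo="_logout1"`; the same request presented again, or one with a different Issuer or a past NotOnOrAfter, is answered with a Requester status and the session table is left as it is.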

Configuring SAML SSO

The SAML SSO configuration for Aruba Central includes the following steps:

  1. Configure user accounts and roles in Aruba Central. For more information, see the Managing User Access topic in the Aruba Central Help Center.
  2. Configure a SAML authorization profile in Aruba Central.
  3. Configure the service provider metadata, such as the metadata URL, service consumer URL, name, and other attributes, on the IdP server.