|
| 1 | +--- |
| 2 | +title: Configuring SSO for Aruba Central and HPE GreenLake using Okta |
| 3 | +date: 2023-02-14T20:11:58.846Z |
| 4 | +externalLink: "" |
| 5 | +author: "Will Smith - Consulting Systems Engineer (ACEX #34)" |
| 6 | +authorimage: /img/willsmith-sm.jpg |
| 7 | +thumbnailimage: /img/gl-sso.jpg |
| 8 | +disable: false |
| 9 | +tags: |
| 10 | + - aruba-central |
| 11 | + - hpe-greenlake-cloud-platform |
| 12 | + - sso |
| 13 | + - okta |
| 14 | +--- |
| 15 | +Aruba Central has gone GREEN…GreenLake that is! Aruba Central has recently been integrated into the HPE GreenLake Cloud Platform (GLCP). This provides IT administrators with the ability to view and orchestrate critical network services, such as Wired, Wireless and SD-Branch, through the same dashboard as their compute and storage infrastructure. GLCP also supports Single Sign On (SSO) which helps simplify account management. |
| 16 | + |
| 17 | +If you are new to Aruba Central and are looking to enable SSO, this guide is for you. It will walk you through the process of configuring SSO for HPE GreenLake and Aruba Central using Okta. |
| 18 | + |
| 19 | +### Before starting |
| 20 | + |
| 21 | +Please review the [HPE GreenLake](https://support.hpe.com/hpesc/public/docDisplay?docId=a00120892en_us) User Guide to understand how the SAML framework works in the context of Common Cloud Services for the Aruba Central application. |
| 22 | + |
| 23 | +### Configure SSO/SAML applications in Okta |
| 24 | + |
| 25 | +To configure application metadata in Okta, complete the following steps: |
| 26 | + |
| 27 | +* Step 1: Create an Okta SAML application |
| 28 | +* Step 2: Configure Sign On settings |
| 29 | +* Step 3: Export the SAML 2.0 IdP metadata |
| 30 | +* Step 4: Configure the SAML connection in GreenLake |
| 31 | + |
| 32 | +**Step 1: Create an Okta SAML application** |
| 33 | + |
| 34 | +1. Log in to the Okta administration console. |
| 35 | +2. Click **Applications > Create new app integration.** The Create a new app integration window opens. |
| 36 | +3. Select SAML 2.0 and click Next. |
| 37 | + |
| 38 | + |
| 39 | + |
| 40 | +Provide a name for the Aruba GreenLake SSO service (Okta application) |
| 41 | + |
| 42 | + |
| 43 | + |
| 44 | +**Step 2: How to configure Single Sign On settings** |
| 45 | + |
| 46 | +1. Enter the SAML information. |
| 47 | + |
| 48 | + Under General: |
| 49 | + |
| 50 | + **Single Sign on URL:** https://sso.common.cloud.hpe.com/sp/ACS.saml2 |
| 51 | + |
| 52 | + **Audience URI (SP Entity ID):** https://sso.common.cloud.hpe.com |
| 53 | + |
| 54 | + **Name ID format EmailAddress** |
| 55 | + |
| 56 | + **Application username Email** |
| 57 | + |
| 58 | + **NameID = user.email** |
| 59 | + |
| 60 | + **gl\_first\_name = user.FirstName** |
| 61 | + |
| 62 | + **gl\_last\_name = user.LastName** |
| 63 | + |
| 64 | + **hpe\_ccs\_attribute = (See Below)** |
| 65 | + |
| 66 | + See here for IdP attribute details: <https://support.hpe.com/hpesc/public/docDisplay?docId=a00120892en_us> |
| 67 | + |
| 68 | + As part of the HPE GreenLake cloud platform integration, one of the additional features that was added is the Role Based Access Controls for Aruba Central and all other apps on the platform. A new SAML attribute has been added “hpe\_ccs\_attribute” which tells GreenLake and Central the exact role/permissions for each user. The following describes how to format the attribute. |
| 69 | + |
| 70 | + |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | + |
| 75 | + |
| 76 | + |
| 77 | + |
| 78 | +The **hpe\_ccs\_attribute** always starts with version_1#. You must first configure the attributes for HPE GreenLake CSS, and then Central. To do so, enter the PCID for the account, followed by the HPE GreenLake application ID. This will always be **00000000-0000-0000-0000-000000000000**. Following this, enter the role name and **ALL_SCOPES**. Next, enter in the Aruba Central information. Start with the **app cid**, followed by the role name (i.e. Aruba Central Administrator), and then **ALL_SCOPES**. |
| 79 | + |
| 80 | +Example: |
| 81 | + |
| 82 | +**version_1#5b0ec0e8c4f422eca232ba72799953ac:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES:683da368-66cb-4ee7-90a9-ec1964768092:** |
| 83 | + |
| 84 | +**Aruba Central Administrator:ALL_SCOPES** |
| 85 | + |
| 86 | +If you want to add additional HPE GreenLake applications, or if you have multiple Aruba Central accounts, you can add them as well. Just follow the same syntax as before. Once you have the attribute defined, enter it into the SAML attribute statement in Okta as shown below. |
| 87 | + |
| 88 | + |
| 89 | + |
| 90 | +2. Complete the setup. |
| 91 | + |
| 92 | + |
| 93 | + |
| 94 | +Click Next and Select “Internal App” then Finish |
| 95 | + |
| 96 | +**Step 3:** **Export the SAML 2.0 IdP metadata** |
| 97 | + |
| 98 | +1. Click Next – Configure the Sign On settings |
| 99 | + |
| 100 | + You will find two options are available: **View Setup Instructions** which steps you through the SAML configuration and **Identity Provider metadata**, which will produce an XML file that can be loaded into Aruba Central. |
| 101 | + |
| 102 | + Suggestion: Click **Identity Provider metadata** and save the XML data to a file. |
| 103 | + |
| 104 | +  |
| 105 | +2. Click Next |
| 106 | +3. Select Internal app, and Click Finish |
| 107 | + |
| 108 | +**Step 4: Create SAML Authorization Profile in HPE GreenLake Cloud Platform** |
| 109 | + |
| 110 | +1. Log into HPE GreenLake and click Menu > Manage > Authentication and Click Set Up SAML Connection. |
| 111 | + |
| 112 | + *Before you can add a new SAML configuration, you must have at least one user account with that domain already enabled in HPE GreenLake. Also, you must be logged into GreenLake with an account from that domain in order to enable SSO for it.* |
| 113 | + |
| 114 | +  |
| 115 | +2. Type in the domain you want to enable SSO on: |
| 116 | + |
| 117 | +  |
| 118 | +3. Input the metadata from the step above. |
| 119 | + |
| 120 | + While HPE GreenLake does support entering this information manually, it's recommended that you simply upload the XML metadata that was downloaded in the previous step. To do so, Select Metadata File, selecting the XML file. Then, click Next. |
| 121 | + |
| 122 | +  |
| 123 | +4. Enter the SAML attributes to match what was entered in Okta. Set the idle timeout value as well. |
| 124 | + |
| 125 | +  |
| 126 | +5. Then click Next. |
| 127 | +6. Create a recover user so that, in the event SSO fails, an admin will still be able to access the HPE GreenLake portal. |
| 128 | + |
| 129 | +  |
| 130 | + |
| 131 | + Congratulations! SSO will now be enabled for HPE GreenLake as well as the Aruba Central application. Log out and on the HPE GreenLake home page, click Sign in with SSO. |
| 132 | + |
| 133 | +**Testing and troubleshooting:** |
| 134 | + |
| 135 | +On the HPE GreenLake Cloud Platform home page, click Sign In with SSO. |
| 136 | + |
| 137 | + |
| 138 | + |
| 139 | + |
| 140 | + |
| 141 | +Enter the SSO credentials. You will be redirected to Okta to authenticate. Once you successfully authenticate, you will be redirected back to HPE GreenLake. You can then click on the Aruba Central application and be given access based on the configured role/permissions. |
| 142 | + |
| 143 | +**Additional notes:** |
| 144 | + |
| 145 | +* There must be at least **one** verified user belonging to the **Domain** prior to configuration. |
| 146 | +* In order to configure SSO, you must be logged into HPE GreenLake with a user from the domain. |
| 147 | +* SSO user access is determined by the “role_name” attribute included in the SAML hpe_ccs_attribute provided by the IdP. |
| 148 | +* SSO users can initiate a Single Sign On request by trying to log into Aruba Central (SP-initiated login). |
| 149 | +* For more troubleshooting: <https://support.hpe.com/hpesc/public/docDisplay?docId=a00120892en_us> |
| 150 | + |
0 commit comments