You can now enable Security Assertion Markup Language (SAML) based Single Sign-On (SSO) for accessing the User Experience Insight dashboard.

How it Works:

Note: By default, a maximum of 100 total users can access the dashboard. If you require more users, please contact your Aruba account representative.

With SAML SSO configured, every login attempt using your email domain will be sent to your SSO identity provider login page. Once approved by the identity provider, you will be able to view the dashboard.

  • Existing users keep all the permissions they had before SSO was enabled (admin or read-only).

  • New users approved by the identity provider are created as read-only users on the dashboard for which SSO is configured.

If a user leaves your organization, the SAML SSO login should fail. It is still recommended to review dashboard users periodically under Settings → Team.

The recommended procedure to configure SAML SSO is:

1. Obtain the SAML configuration and metadata from your Identity Provider (usually an SSO team in your organization or a third-party service provider). You may need to provide them with sample values for the Entity ID and Reply URL (ACS URL) until step 2 below is complete. For example:

2. Configure the UXI dashboard with the login/logout URLs, domains, certificate and claims.

3. Download the metadata from the UXI dashboard and update the identity provider with the correct Entity ID and Reply URL (ACS URL).

How to Configure SAML Single Sign-On.

Step 1: Go to Settings → Integrations and select Configure SSO.

Step 2: Enter Required Information for the Identity Provider (IdP).

Sign In URL: The SAML single login URL, where your users are redirected to log in.

Sign Out URL (optional): The SAML single logout URL.

Email domain(s): A comma-separated list of domains authorized on your directory.

X509 Signing Certificate: The public key of your identity provider, encoded in PEM or CER (non-binary) format, used to verify the authenticity of the SAML responses sent by your identity provider.

Step 3: Enter Mapping Information from the Identity Provider (IdP).

The identity provider must provide a mapping of the user's attributes. The user_id, email, given_name and family_name attributes are required.

For example, the attribute mapping from Azure AD might look like this:

For example, the attribute mapping from Okta might look like this:

Usually you can leave the Mapping Settings tab at its default values. If your identity store doesn't conform to the default mapping below, provide the correct mapping in the Mapping Settings tab so that users can be created with the correct information on our system:

{
"user_id": [
"http://schemas.xmlso...05/05/identity/claims/nameidentifier",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
],
"email": "http://schemas.xmlso...05/05/identity/claims/emailaddress",
"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"given_name": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
],
"family_name": "http://schemas.xmls...05/05/identity/claims/surname"
}
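The following is an added example, not code from this article or from the UXI product, showing how a mapping of this shape is applied to a SAML assertion: list-valued entries are fallback chains (the first claim the IdP actually sends wins), a missing required attribute is the "attributes and claims not configured correctly" failure from Step 5, and the resulting user is read-only. The claim URIs are the standard schemas.xmlsoap.org ones written out in full; the sample assertion is constructed.

```python
# Added example (not Aruba's or UXI's code): apply the dashboard's claim mapping
# to a SAML 2.0 assertion. List-valued mappings are tried in order, first hit wins.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
DEFAULT_MAPPING = {
    "user_id": [CLAIMS + "nameidentifier", CLAIMS + "upn", CLAIMS + "name"],
    "email": CLAIMS + "emailaddress",
    "name": CLAIMS + "name",
    "given_name": [CLAIMS + "givenname", CLAIMS + "name"],
    "family_name": CLAIMS + "surname",
}
REQUIRED = ("user_id", "email", "given_name", "family_name")

# Constructed sample: IdP sends upn/emailaddress/name/surname only, so fallbacks are used.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}upn"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {claim_uri: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs

def resolve_user(attrs, allowed_domains, mapping=DEFAULT_MAPPING):
    """Map claims to dashboard fields; raise ValueError where the login would fail."""
    user = {}
    for field, claims in mapping.items():
        chain = claims if isinstance(claims, list) else [claims]
        value = next((attrs[c] for c in chain if attrs.get(c)), None)
        if value is not None:
            user[field] = value
    missing = [f for f in REQUIRED if f not in user]
    if missing:  # Step 5 failure: claims not configured correctly on the IdP
        raise ValueError(f"required attributes not mapped: {missing}")
    domain = user["email"].rpartition("@")[2].lower()
    if domain not in {d.strip().lower() for d in allowed_domains.split(",")}:
        raise ValueError(f"email domain {domain!r} is not authorized")
    user["role"] = "read-only"  # new SSO users are always created read-only
    return user
```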

Step 4: Download the SP XML Configuration File and Save the Connection Specific Configuration to the Identity Provider (IdP)

You will be able to download the configuration as a metadata XML file. This includes the post-back URL (ACS URL), the Entity ID and the certificate used to sign the requests.

Use this information to update the Identity Provider.

Step 5: Verify the Connection

Once the Identity Provider has been configured, you can test the connection by selecting Confirm.

If you click Confirm and you see this same page again, the SSO test was not successful. The most likely causes are:

- The attributes and claims are not configured correctly on the identity provider.

- The identity provider was not updated with the Entity ID or ACS URL in the SP XML configuration file.

Note: If you select Revert, you will remove the SSO configuration. However, the next time you configure SSO there will be a new Entity ID and ACS URL and you will need to update the identity provider with this information.

Step 6: Enable the Connection

If the previous test was successful, you will be able to toggle to enable SSO. SSO is enabled if the toggle is to the right.

SSO Enabled

If you need to disable SSO in the future, simply select the toggle again to disable or enable it.

SSO Disabled

We have tested the following Identity Providers:

  • Microsoft ADFS

  • Microsoft Azure AD

  • Ping Identity

  • Okta

Others may work but have not been tested.

Current limitations

  • Role-based mapping to sensor groups is not supported.

  • SCIM (System for Cross-domain Identity Management) is not supported.

  • If you have multiple dashboards, the dashboard on which you configure SSO is the one where read-only users will be created when approved by the identity provider. For any other dashboard, users will need to be added manually. An email domain can only be used for one dashboard.

  • If you are using the dashboard in China, the SSO configuration option is not available.

Examples

Configuring UXI with Azure AD

Configuring UXI with Duo and Okta

IMPORTANT NOTICE FOR EXISTING SSO USERS

The certificate used to sign requests to your Identity Provider (IdP) server expires Wednesday, October 20th 2021 at 23:59:59 GMT. The new certificate can be downloaded from this help article below. We will apply the new certificate to your connection on Wednesday, October 20th 12:00:00 GMT.

We suggest adding the new certificate to the secondary (fallback) certificate slot until the update above happens to prevent any down time for users.

This update is only required if you have configured your IdP server to verify the signature of requests being made from our authentication service to your server. If you have, failing to update the certificate in time may result in users not being able to log into the dashboard using Single Sign-On authentication.

If you have any questions please contact support@capenetworks.com

Here is the updated certificate; copy it into a text editor and save it as a .crt file.

