You can now enable Security Assertion Markup Language (SAML)
based Single Sign-On (SSO) for accessing the User Experience Insight dashboard.
How it Works:
Note: By default, a maximum of 100 total users can access the dashboard. If you require more users, please contact your Aruba account representative.
With SAML SSO configured, every login attempt using your email domain will be sent to your SSO identity provider login page. Once approved by the identity provider, you will be able to view the dashboard.
Existing users will keep all the permissions they had before enabling SSO. (admin or read-only).
New users approved by the identity provider are created as read-only users on the dashboard for which SSO is configured.
If a user leaves your organization, the SAML SSO login should fail. It is still recommended to review dashboard users periodically under Settings → Team.
The recommended procedure to configure SAML SSO is:
1. Obtain the SAML configuration and metadata from your Identity Provider (Usually an SSO team in your organization or a 3rd party service provider). You may need to provide them with sample values for entity ID and Reply URL (ACS URL) until step 2 below is complete. For example:
Entity ID - urn:auth0:cape:sso-12345678
Reply URL (Assertion Consumer Service URL) - https://cape.auth0.com/login/callback?connection=sso-12345678
2. Configure the UXI dashboard with the login/logout URLs, domains, certificate and claims
3. Download the metadata from the UXI dashboard and update the identity provider with the correct Entity ID and Reply URL (ACS URL).
How to Configure SAML Single Sign-On.
Step 1: Go to Settings → Integrations and select Configure SSO.
Step 2: Enter Required Information for the Identity Provider (IdP).
• Sign In URL: The SAML single login URL, where your users are redirected to log in
• Sign Out URL (optional): The SAML single logout URL
• Email domain(s): A comma-separated list of domains authorized on your directory
• X509 Signing Certificate: The public key for your identity provider, encoded in PEM or CER (non-binary) format, used to verify the authenticity of the SAML response from your server.
Seep 3: Enter Mapping Information from the Identity Provider (IdP).
The identity provider must provide a mapping of the attributes of the user. The user_id , email , given_name and family_name attributes are required.
For example the attributes mapping from Azure AD might look like this
For example the attributes mapping from Okta might look like this
Usually you can leave the mapping settings tab to the default values. If your identity store doesn’t conform to the default mapping below, you should provide the correct mapping in the mapping settings tab such that the users can be created with the correct information on our system:
Step 4: Download the SP XML Configuration File and Save the Connection Specific Configuration to the Identity Provider (IdP)
You will be able to download the configuration in a metadata XML file. This will include the post-back URL (ACS URL), The Entity ID and the certificate used to sign the requests.
Use this information to update the Identity Provider.
Step 5: Verify the Connection
Once the Identity Provider has been configured, you can test the connection by selecting Confirm.
If you click Confirm and you see this same page again, it means the test of SSO was not successful. The most likely cause is either
- The attributes and claims are not configured correctly on the identity provider.
- The identity provider was not updated with the Entity ID or ACS URL in the SP XML configuration file.
Note: If you select Revert, you will remove the SSO configuration. However, the next time you configure SSO there will be a new Entity ID and ACS URL and you will need to update the identity provider with this information.
Step 6: Enable the Connection
If the previous test was successful, you will be able to toggle to enable SSO. SSO is enabled if the toggle is to the right.
If you need to disable SSO in the future, simply select the toggle disable or enable again.
We have tested the following Identity Providers
Microsoft Azure AD
Others may work but have not been tested.
Role based mapping to sensor groups is not supported
SCIM – System for Cross domain Identity Management is not supported.
If you have multiple dashboards, the dashboard you configure SSO on is the dashboard where read-only users will be created if approved by the identity provider. For any other account users will need to be added manually. An email domain can only be used for one dashboard.
If you are using the dashboard in China, the SSO configuration option is not available.
Configuring UXI with Azure AD
Configuring UXI with Duo and Okta
IMPORTANT NOTICE FOR EXISTING SSO USERS
The certificate used to sign requests to your Identity Provider (IdP) server expires on Wednesday, October 12th, 2022.
If your identity provider (IdP) is set to validate requests signed using this certificate, you will need to download the new metadata available in your UXI dashboard and update your identity provider. The new metadata contains the new certificate, as well as an updated entity ID. Please use the new metadata to update your identity provider, then confirm the connection from within your UXI dashboard.
This update is only required if you have configured your IdP server to verify the signature of requests being made from our authentication service to your server. This is not a common setting and does not apply to all identity providers. If this does not apply to you, please click revert on your UXI dashboard to keep the connection as is. If you do not want to see this message in the future, please edit your SSO settings and disable the option for "require request signing" (this will be done automatically after 12 October 2022 for any account that hasn't confirmed their connection before then).
If you have any questions, please contact email@example.com