UXI is now available for new customers on the Greenlake Cloud Platform (GLP). Check out the article Getting Started with User Experience Insight on the HPE Greenlake Cloud Platform and the Frequently Asked Questions for information.

For new dashboards on Greenlake Cloud Platform, you will configure SSO within to the greenlake cloud platform and not directly in UXI. There are two excellent blog posts here which cover Aruba Central, the same process should be used for UXI.

One important piece of information you will need is the service ID. You can find this greenlake cloud by going to the UXI application in the Greenlake Cloud Platform service catalog and looking for “Service ID” on the right-hand side of the page.

This article will take you through how to configure SSO on existing dashboards that are not yet on GLP. Please note that you will eventually need to configure SSO again in greenlake when we migrate existing users to the greenlake cloud.

You can configure Security Assertion Markup Language (SAML) based Single Sign-On (SSO) for accessing the User Experience Insight dashboard.

Note: By default, a maximum of 100 total users can access the dashboard. If you require more users, please contact your Aruba account representative.

With SAML SSO configured, every login attempt using your email domain will be sent to your SSO identity provider login page. Once approved by the identity provider, you will be able to view the dashboard.

If a user leaves your organization, the SAML SSO login should fail. It is still recommended to review dashboard users periodically under Settings → Team.

The recommended procedure to configure SAML SSO is:

1. Obtain the SAML configuration and metadata from your Identity Provider (Usually an SSO team in your organization or a 3rd party service provider). You may need to provide them with sample values for entity ID and Reply URL (ACS URL) until step 2 below is complete. For example:

2. Configure the UXI dashboard with the login/logout URLs, domains, certificate and claims

3. Download the metadata from the UXI dashboard and update the identity provider with the correct Entity ID and Reply URL (ACS URL).

Step 1: Go to Settings → Integrations and select Configure SSO.

Step 2: Enter Required Information for the Identity Provider (IdP).

• Sign In URL: The SAML single login URL, where your users are redirected to log in

• Sign Out URL (optional): The SAML single logout URL

• Email domain(s): A comma-separated list of domains authorized on your directory

• X509 Signing Certificate: The public key for your identity provider, encoded in PEM or CER (non-binary) format, used to verify the authenticity of the SAML response from your server.

Seep 3: Enter Mapping Information from the Identity Provider (IdP).

The identity provider must provide a mapping of the attributes of the user. The user_id , email , given_name and family_name attributes are required.

For example the attributes mapping from Azure AD might look like this

For example the attributes mapping from Okta might look like this

Usually you can leave the mapping settings tab to the default values. If your identity store doesn’t conform to the default mapping below, you should provide the correct mapping in the mapping settings tab such that the users can be created with the correct information on our system:

Step 4: Download the SP XML Configuration File and Save the Connection Specific Configuration to the Identity Provider (IdP)

You will be able to download the configuration in a metadata XML file. This will include the post-back URL (ACS URL), The Entity ID and the certificate used to sign the requests.

Use this information to update the Identity Provider.

Step 5: Verify the Connection

Once the Identity Provider has been configured, you can test the connection by selecting Confirm.

If you click Confirm and you see this same page again, it means the test of SSO was not successful. The most likely cause is either

- The attributes and claims are not configured correctly on the identity provider.

- The identity provider was not updated with the Entity ID or ACS URL in the SP XML configuration file.

Note: If you select Revert, you will remove the SSO configuration. However, the next time you configure SSO there will be a new Entity ID and ACS URL and you will need to update the identity provider with this information.

Step 6: Enable the Connection

If the previous test was successful, you will be able to toggle to enable SSO. SSO is enabled if the toggle is to the right.

If you need to disable SSO in the future, simply select the toggle disable or enable again.

Others may work but have not been tested.

Configuring UXI with Azure AD

Configuring UXI with Duo and Okta