Security

This document around Cloud Identity Providers and Onboard should get you started.

Just read 'Entra ID' wherever it writes 'Azure AD'; and screenshots may not be fully accurate but similar enough to get the job done.
And you can ignore the Onboard part, which uses the SSO; but builds further on it. And the application you use will probably take a similar approach.

Hi Herman
Thanks for the doco. 

We were trying to create a web login with Entra SSO

When I try importing the Entra based Certificate (Base 64) to SAML Idp Configuration: I cannot import the certificate generated by EntraAs it gives me an error as ClearPass wants a Private Key but Entra doesn't have Private Key in certs.

Do you have any idea 

Regards,

Ok, I think you may be mixing up Service Provider (SP) and Identity Provider (IdP).

On the SAML SP page you configure ClearPass as Service Provider; where users use their Entra ID account to sign into ClearPass services like Policy Manager, Guest, Guest Operator, etc:

On the SAML IdP page, you configure ClearPass to be the Identity Provider, so there users are authenticated on ClearPass to use another (SAML SP) service.

For the SAML SP Certificate, in case you want to use ClearPass as the SP, you can create your own (server) certificate. May be self-signed, or you can sign it from another CA or even the Onboard CA, as it's something you would import in your IdP (Entra), so it doesn't need to be a public trusted certificate.

Hi Herman
Thanks for the doco. 

We were trying to create a web login with Entra SSO

When I try importing the Entra based Certificate (Base 64) to SAML Idp Configuration: I cannot import the certificate generated by EntraAs it gives me an error as ClearPass wants a Private Key but Entra doesn't have Private Key in certs.

Do you have any idea 

Regards,

This document around Cloud Identity Providers and Onboard should get you started.

Just read 'Entra ID' wherever it writes 'Azure AD'; and screenshots may not be fully accurate but similar enough to get the job done.
And you can ignore the Onboard part, which uses the SSO; but builds further on it. And the application you use will probably take a similar approach.

Thanks Herman 

Appreciate that 

SSO login started working, thanks for the input.

Ok, I think you may be mixing up Service Provider (SP) and Identity Provider (IdP).

On the SAML SP page you configure ClearPass as Service Provider; where users use their Entra ID account to sign into ClearPass services like Policy Manager, Guest, Guest Operator, etc:

On the SAML IdP page, you configure ClearPass to be the Identity Provider, so there users are authenticated on ClearPass to use another (SAML SP) service.

For the SAML SP Certificate, in case you want to use ClearPass as the SP, you can create your own (server) certificate. May be self-signed, or you can sign it from another CA or even the Onboard CA, as it's something you would import in your IdP (Entra), so it doesn't need to be a public trusted certificate.

Hi Herman
Thanks for the doco. 

We were trying to create a web login with Entra SSO

When I try importing the Entra based Certificate (Base 64) to SAML Idp Configuration: I cannot import the certificate generated by EntraAs it gives me an error as ClearPass wants a Private Key but Entra doesn't have Private Key in certs.

Do you have any idea 

Regards,

Hi,

Im trying to utilize Wired Guest with SSO and from reading the above I need to complete the Idp and not the SSP.

Thanks Herman 

Appreciate that 

SSO login started working, thanks for the input.

Ok, I think you may be mixing up Service Provider (SP) and Identity Provider (IdP).

On the SAML SP page you configure ClearPass as Service Provider; where users use their Entra ID account to sign into ClearPass services like Policy Manager, Guest, Guest Operator, etc:

On the SAML IdP page, you configure ClearPass to be the Identity Provider, so there users are authenticated on ClearPass to use another (SAML SP) service.

For the SAML SP Certificate, in case you want to use ClearPass as the SP, you can create your own (server) certificate. May be self-signed, or you can sign it from another CA or even the Onboard CA, as it's something you would import in your IdP (Entra), so it doesn't need to be a public trusted certificate.

Hi Herman
Thanks for the doco. 

We were trying to create a web login with Entra SSO

When I try importing the Entra based Certificate (Base 64) to SAML Idp Configuration: I cannot import the certificate generated by EntraAs it gives me an error as ClearPass wants a Private Key but Entra doesn't have Private Key in certs.

Do you have any idea 

Regards,

Hi,

Im trying to utilize Wired Guest with SSO and from reading the above I need to complete the Idp and not the SSP.

Thanks Herman 

Appreciate that 

SSO login started working, thanks for the input.

Ok, I think you may be mixing up Service Provider (SP) and Identity Provider (IdP).

On the SAML SP page you configure ClearPass as Service Provider; where users use their Entra ID account to sign into ClearPass services like Policy Manager, Guest, Guest Operator, etc:

On the SAML IdP page, you configure ClearPass to be the Identity Provider, so there users are authenticated on ClearPass to use another (SAML SP) service.

For the SAML SP Certificate, in case you want to use ClearPass as the SP, you can create your own (server) certificate. May be self-signed, or you can sign it from another CA or even the Onboard CA, as it's something you would import in your IdP (Entra), so it doesn't need to be a public trusted certificate.

Hi Herman
Thanks for the doco. 

We were trying to create a web login with Entra SSO

When I try importing the Entra based Certificate (Base 64) to SAML Idp Configuration: I cannot import the certificate generated by EntraAs it gives me an error as ClearPass wants a Private Key but Entra doesn't have Private Key in certs.

Do you have any idea 

Regards,