The SP metadata that you download from the publisher also includes all of your subscribers, so it is supposed to support the situation where you can SSO with an external IdP to each of your ClearPass nodes. That means it does not make sense to download the Metadata from your subscriber, as it is the same as from your publisher. Where you can download the SP Metadata in ClearPass, there is also a link to the metadata, and you could change the hostname there to the hostname or IP of your subscriber. Because getting SAML/SSO set up properly can be quite challenging in my experience (it's multidisciplinary), and near to impossible if you don't control the IdP or cannot do troubleshooting from the IdP, it may be better to schedule a troubleshooting session with your IdP team and your Aruba partner or Aruba Support.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
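As an added illustration of the "manual modification of the SP Metadata" mentioned in this thread (example code of my own, not ClearPass code and not from either poster), the snippet below parses an SP metadata document and produces a per-subscriber copy with the hostname in the entityID and every endpoint Location rewritten to that subscriber's FQDN. The sample metadata, hostnames and URL paths are constructed placeholders, and it assumes the IdP wants a distinct entityID per ClearPass node.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ET.register_namespace("md", NS["md"])

# Constructed sample in the general shape of SAML 2.0 SP metadata.
# Hostnames and paths are placeholders, not ClearPass's real endpoints.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cppm-pub.example.com/saml/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cppm-pub.example.com/saml/slo"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cppm-pub.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_endpoints(xml_text):
    """Return (entityID, [ACS Locations]) so both copies can be compared."""
    root = ET.fromstring(xml_text)
    acs = [e.get("Location")
           for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    return root.get("entityID"), acs


def _swap_host(url, new_host):
    """Replace only the host part of a URL; keep scheme, path and query."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, new_host, p.path, p.query, p.fragment))


def metadata_for_subscriber(xml_text, subscriber_host):
    """Produce SP metadata that names the subscriber instead of the publisher.

    Assumption (not confirmed by the thread): the IdP registers each node as
    its own SP, so the entityID is rewritten together with the endpoints.
    """
    root = ET.fromstring(xml_text)
    root.set("entityID", _swap_host(root.get("entityID"), subscriber_host))
    for elem in root.iter():  # every element carrying a Location attribute
        loc = elem.get("Location")
        if loc:
            elem.set("Location", _swap_host(loc, subscriber_host))
    return ET.tostring(root, encoding="unicode")
```

The rewritten document is what you would hand to the IdP team as the subscriber's SP entry; keep the publisher's original unchanged so the existing login path to the publisher is not affected.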
Original Message:
Sent: Jul 06, 2023 03:05 PM
From: vvajpeyi
Subject: SSO issues with subscriber on CLP cluster
Hello, thank you for the response. The problem is I can't provide the exact SP metadata on the subscriber since our IDP is now doing the redirect and sending the invalid token. I know exactly where to navigate on the publisher, but since I can't access the subscriber GUI page anymore I can't provide the SP. I'm assuming there is no way to ssh as the appadmin on the subscriber and download it via the terminal shell? The one possibility I considered is enabling Insight on the subscriber. The SSO service application condition has BELONGS_TO set to GuestOperators, Insight and Policy Manager. The other ways I thought of to get back to the subscriber GUI to download the SP metadata in Identity > SSO are to effectively stop the SSO service from running or remove Policy Manager from the condition in the service. My concern is that disabling the SSO service or removing Policy Manager will effectively break any path to log back into our Publisher without getting help from the IDP team to fix or undo their work. Another possible fix is changing the publisher device IP to resolve to our VIP instead. Would changing the resolve from the device IP to the VIP be a better option?
Thank you
Best
Original Message:
Sent: Jul 06, 2023 07:16 AM
From: Herman Robers
Subject: SSO issues with subscriber on CLP cluster
I think you need to configure the subscriber(s) as SP in your IdP as well. That may need some manual modification of the SP Metadata, especially when the FQDNs are not set up properly on ClearPass. The error you display seems to be from the IdP, so I agree having a look at your IdP, and more specifically its SP configurations, may be the proper next step.
------------------------------
Herman Robers
------------------------