Configuring Single Sign-On

The Single Sign-On (SSO) settings on the Single Sign-On page allow Policy Manager users who have signed in to ClearPass Policy Manager to access the Onboard, Guest, and Insight applications and the Policy Manager administration settings without reauthenticating. SSO is an access-control property that lets a user log in once and then use multiple related but independent applications for which they hold privileges; the session is authenticated across all permitted resources, so no further login prompts appear. Policy Manager provides single sign-on support using the Security Assertion Markup Language (SAML), an XML-based framework for communicating user authentication, entitlement, and attribute information: users authenticate at an identity provider (IdP) and then access service providers (SPs) without authenticating again. This feature also provides differentiated single sign-on access for Guest web logins and Guest Operator logins.

Before selecting SAML signing and encryption certificates for use in Single Sign-On, add the SAML signing certificate (the one Policy Manager uses to verify the IdP's signed responses) to the Certificate Trust List and a SAML encryption certificate, together with its private key, to the Service & Client Certificates list. A certificate without its private key cannot decrypt assertions, so the encryption certificate must be one Policy Manager holds the key for.

SAML Service Provider (SP) Configuration

To configure single sign-on service provider settings:

1. Navigate to Configuration > Identity > Single Sign-On. The Single Sign-On > SAML SP Configuration dialog opens.

2. In the Identity Provider (IdP) URL field, enter the URL used to reach the IdP that stores and manages your digital identities.

If configuring TLSv1.3 support within a cluster, enter the IdP URL of the second FQDN used for mTLS; two FQDNs are required to support TLS 1.3 certificate authentication. For information on configuring TLSv1.3 support for a cluster, see Configuring TLSv1.3 Support for a Cluster.

3. In the Enable SSO for field, select one or more applications that users should be able to access with single sign-on. Note the following behaviors when selecting the GuestOperators and Guest options.

If you select only the GuestOperators option, SSO is enabled for Operator logins only, and Web logins use standard non-SSO authentication.

If you select only the Guest option, SSO is enabled for Web logins only, and Operator logins use standard non-SSO authentication.

If you select both the GuestOperators and the Guest options, Operator logins and Web logins both use SSO authentication.

4. (Optional) In the ClearPass Service Provider (SP) Signing Certificate section, click Select Certificate and choose the certificate used to sign SAML requests sent by the service provider. When you select a certificate, the page displays the following information about it:

Subject DN (Distinguished Name)

Issuer DN

Issue Date/Time

Expiry Date/Time

Validity Status

Serial Number

5. (Optional) In the ClearPass Service Provider (SP) Metadata field, click Download to download and view an XML file containing the service provider metadata. The Metadata URI field displays the URI (Uniform Resource Identifier) at which the service provider metadata resource is served. This file is what the IdP administrator imports to register ClearPass as a service provider; standard SAML SP metadata carries the SP entity ID, its Assertion Consumer Service endpoints, and the certificate(s) the SP uses for signing and encryption, so verify that the endpoints and certificate match what you configured before handing it over.

6. In the Identity Provider Signing Certificate field, select the certificate used to verify the signed SAML response from the IdP. This field is required. Click the Select Certificate drop-down list and select the Identity Provider (IdP) certificate to use for single sign-on. When you select a certificate, the page displays the same certificate details listed in step 4.

7. (Optional) In the Identity Provider Encryption Certificate field, select the certificate whose private key decrypts the encrypted SAML assertion from the IdP. Click the Select Certificate drop-down list and select the certificate to use for single sign-on. This is the encryption certificate added to the Service & Client Certificates list, as described in the note at the top of this page.

8. (Optional) Enable Force Authentication to ask the IdP to reauthenticate the user on every single sign-on request, even if the user already has an active session at the IdP. Whether the request is honored depends on the IdP configuration. This setting is disabled by default.
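The metadata file downloaded in step 5 is also what an administrator uploads under SAML IdP Configuration (Add SP Metadata) when ClearPass is the IdP, so it is worth knowing how to inspect one. The following is an added example, not ClearPass code, that parses a SAML 2.0 SP metadata document, pulls out the entity ID, the Assertion Consumer Service endpoints and the embedded certificates, and checks the signing certificate against a local trust list by SHA-256 fingerprint. The metadata document, the hostnames and paths in it, the certificate bytes and the trust-list entry are all constructed placeholders.

```python
"""Inspect SAML service-provider (SP) metadata and check it against a local
trust list.

Added example, not ClearPass code. Applies to the SP metadata Policy Manager
exports (SAML SP Configuration > Download) and to SP metadata uploaded under
SAML IdP Configuration > Add SP Metadata. The document, URLs, certificate
bytes and trust-list entries below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder bytes standing in for DER-encoded X.509 certificates. Real
# metadata carries the actual certificate here, base64-encoded.
FAKE_SIGNING_DER = b"constructed-signing-certificate-placeholder"
FAKE_ENCRYPTION_DER = b"constructed-encryption-certificate-placeholder"


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint form used by the trust list (SHA-256 over the DER bytes)."""
    return hashlib.sha256(der).hexdigest()


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed sample in the shape of SAML 2.0 SP metadata (hostnames assumed).
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://clearpass.example.com/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_b64(FAKE_SIGNING_DER)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_b64(FAKE_ENCRYPTION_DER)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://clearpass.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields an IdP administrator has to verify before trusting an SP."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor; this is not service-provider metadata")

    fingerprints = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "both")  # per the metadata schema, no 'use' means both
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()))  # strip wrapping whitespace
        fingerprints.setdefault(use, []).append(sha256_fingerprint(der))

    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": acs,
        "fingerprints": fingerprints,
    }


def check_sp_metadata(info: dict, trusted_signing: set) -> list:
    """Return a list of problems; an empty list means the metadata is acceptable."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for _binding, location in info["acs"]:
        if not (location or "").startswith("https://"):
            problems.append(f"ACS endpoint is not HTTPS: {location}")
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true")
    signing = info["fingerprints"].get("signing", []) + info["fingerprints"].get("both", [])
    if not signing:
        problems.append("no signing certificate; signed requests cannot be verified")
    elif not any(fp in trusted_signing for fp in signing):
        problems.append("signing certificate matches no trust-list entry")
    return problems


if __name__ == "__main__":
    trust_list = {sha256_fingerprint(FAKE_SIGNING_DER)}  # constructed trust list
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(info["entity_id"], info["acs"])
    print("problems:", check_sp_metadata(info, trust_list) or "none")
```

Comparing by fingerprint rather than by subject name is deliberate: two certificates can share a Subject DN, but only the one whose DER bytes hash to the pinned value is the key the SP actually signs with. An empty `trust_list` makes the check fail closed, which is the behaviour you want before the IdP's signing certificate has been added to the Certificate Trust List.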

SAML Identity Provider (IdP) Configuration

To configure single sign-on identity provider settings for Web Login pages or to add SAML service provider metadata:

1. Navigate to Configuration > Identity > Single Sign-On.

2. Select the SAML IdP Configuration tab.

Figure 1  Configuring Single Sign-On > Identity Provider Parameters

3. To configure an Identity Provider (IdP) Signing Certificate and/or an IdP Encryption Certificate for Web Logins, click the Add Web Login Configuration link at the right side of the table. The Add Web Login Configuration window opens.

Figure 2  Web Login Configuration & Metadata > Add Web Login Certificate

4. Click the Page Name menu to select the Web Login page to which you want to add signing or encryption certificate data. Note that the name of this field was changed to Page Name in Policy Manager 6.10.3. In Policy Manager 6.10.2 and earlier releases, this is the Page field.

The value in the Page Name field must match the value in the Page Name field in ClearPass Guest at Guest > Configuration > Pages > Web Logins. For example, if the value “page_name_123” is provided for Page Name in Guest’s Web Login Editor, then the value “page_name_123” must also be entered in Policy Manager’s Web Login Configuration.

If a value for Page Name is not specified (the field is empty) in ClearPass Guest's Web Login Editor, then the value in the Page Name field must match the page ID from the web login page's URL. For example, if the Page Name field in Guest's Web Login Editor is empty, then the value in the Page Name field in Policy Manager's Web Login Configuration must match just the ID part of the default URL that is automatically generated for the web login page. In the default URL https://10.21.11.100/guest/weblogin.php/2?_browser=1, the ID is the number "2" immediately following "weblogin.php/", so you would enter 2 in the Page Name field on the Add Web Login Configuration form. Enter only the ID, not the path or the query string.

5. Click the Signing Certificate drop-down menu to select the certificate used to sign the SAML response from the IdP. This field is required. When you select a certificate, the page displays the following information about it, if available:

Subject DN (Distinguished Name)

Issuer DN

Issue Date/Time

Expiry Date/Time

Validity Status

Serial Number

6. Optionally, click the Encryption Certificate drop-down menu to select the certificate used to encrypt the SAML response from the IdP.

7. If a SAML service provider supplies metadata, you can upload it so that Policy Manager validates that service provider against it during the single sign-on process.

a. Click Add SP Metadata. The Upload SP Metadata dialog opens.

b. In the Name field, enter the name of the service provider.

c. In the Metadata field, click Choose File and browse to the service provider metadata file. Once you have selected the file, click Upload.

Figure 3  Service Provider SP Metadata
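The Page Name matching rule in step 4 of the IdP configuration is a common source of failed web-login SSO, because the value to enter depends on whether the Guest Web Login Editor's Page Name is set. The following added example (not ClearPass code) encodes that rule as a function: it returns the Guest page name when one is set and otherwise extracts only the numeric ID following "weblogin.php/" from the page's default URL, ignoring the query string. The sample URL and page-name values are constructed; the helper names are this example's own.

```python
"""Resolve the Page Name value Policy Manager expects for a Guest Web Login
page (Configuration > Identity > Single Sign-On > SAML IdP Configuration >
Add Web Login Configuration).

Added example, not ClearPass code. Sample URLs and page names are constructed.
"""
import re
from urllib.parse import urlsplit

# Default Guest web-login URLs look like https://<host>/guest/weblogin.php/<id>?_browser=1
WEBLOGIN_PATH = re.compile(r"/guest/weblogin\.php/(\d+)/?$")


def policy_manager_page_name(guest_page_name: str, guest_page_url: str) -> str:
    """Return the exact string to enter in Policy Manager's Page Name field.

    Rule: if the Guest Web Login Editor's Page Name is set, Policy Manager must
    use that string verbatim; if it is empty, Policy Manager must use only the
    numeric page ID that follows 'weblogin.php/' in the page's default URL.
    """
    name = guest_page_name.strip()
    if name:
        return name
    path = urlsplit(guest_page_url).path  # drops '?_browser=1' and any fragment
    match = WEBLOGIN_PATH.search(path)
    if not match:
        raise ValueError(f"no weblogin.php/<id> page ID found in {guest_page_url!r}")
    return match.group(1)


def page_names_match(policy_manager_value: str,
                     guest_page_name: str, guest_page_url: str) -> bool:
    """True when the Policy Manager entry agrees with the Guest configuration."""
    expected = policy_manager_page_name(guest_page_name, guest_page_url)
    return policy_manager_value.strip() == expected


if __name__ == "__main__":
    url = "https://10.21.11.100/guest/weblogin.php/2?_browser=1"  # constructed
    print(policy_manager_page_name("page_name_123", url))  # named page: page_name_123
    print(policy_manager_page_name("", url))               # unnamed page: 2
    print(page_names_match("weblogin.php/2", "", url))     # common mistake: False
```

`page_names_match` is the check to run when web-login SSO silently falls back to non-SSO authentication: a Policy Manager entry of "weblogin.php/2" or "2?_browser=1" for an unnamed page does not match and the IdP configuration for that page is never applied.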