
Remote Authentication


Use the Remote Authentication dialog box to manage different remote authentication methods for Orchestrator users.

  • To add a new remote authentication method, click +Add New Server.
  • To view or modify the settings for an existing remote authentication method, click the Edit icon in the row of the existing method.

Orchestrator supports the following for remote authentication:

  • RADIUS
  • TACACS+
  • OAuth
  • JWT
  • SAML

Configure a RADIUS or TACACS+ Server

You need to configure the following when adding or modifying a RADIUS or TACACS+ server:

| Field | Description |
| --- | --- |
| Read-Write Privilege | RADIUS only: Lowest value at which a user has Read-Write privileges. This value must be the same as the value configured on the RADIUS server. |
| Read-Only Privilege | RADIUS only: Lowest value at which a user has Read-Only privileges. This value must be the same as the value configured on the RADIUS server. |
| Authentication Type | Select the authentication type that matches what is configured on the RADIUS or TACACS+ server. |
| Default Role | If RBAC is enabled, you must specify a default role. |
| Primary/Secondary Server | For each server in use, enter the IP address or hostname, port, and secret key of the RADIUS or TACACS+ server. |

Authenticate Using RADIUS or TACACS+

  1. Select the access control protocol you want to use.

  2. Under Servers, enter the information for a Primary server of that type. Entering a Secondary server is optional.

    | Field | Description |
    | --- | --- |
    | Authentication Order | Whether to use the remote map or the local map first. The default is Remote first. |
    | Primary/Secondary Server | IP address or hostname of the RADIUS or TACACS+ server. |
    | Secret Key | String defined as the shared secret on the server. |
    | Read-Write Privilege | Lowest value at which a user has Read-Write privileges. This value must be the same as the value configured on the RADIUS server. |
    | Read-Only Privilege | Lowest value at which a user has Read-Only privileges. This value must be the same as the value configured on the RADIUS server. |
    | Authentication Type | When configuring to use the TACACS+ server, select the type from the drop-down list that matches what is configured on the TACACS+ server. |

Configure an OAuth Server

Orchestrator supports remote authentication via the OAuth 2.0 framework. Before configuring an OAuth server in Orchestrator, you must register Orchestrator as an application with your OAuth provider.

Prerequisites

  • The OAuth server must support OAuth 2.0 authorization codes, ID tokens, and (optionally) refresh tokens.
  • The ID token is used to get username, RBAC roles, and RBAC appliance access groups.
  • The refresh token can be checked periodically to ensure that the user is still authorized.
  • Depending on the OAuth server configuration, refresh tokens can be permanent or they can expire. If a token is revoked or expires, the user is forced to authenticate again.

Register Orchestrator as an App

Before adding an OAuth server in Orchestrator, register a new app on your OAuth server for Orchestrator. Provide the following details when registering the app:

| Setting | Value |
| --- | --- |
| Application Type | Register Orchestrator as a Web App |
| Allowed Grant Types | Authorization code (required); Refresh token (optional) |
| Redirect URL | Orchestrator endpoint to which the user is redirected after successful authentication, which should be https://**/gms/rest/authentication/oauth/redirect |

Configure OAuth Server Properties in Orchestrator

When adding a new OAuth server or modifying an existing server, configure the following fields in the Remote Authentication Server dialog box:

| Field | Description |
| --- | --- |
| Name | Name to identify the server. This name is displayed on a button on the Orchestrator login page as an alternative method of authentication. |
| Client ID | Client ID for the Orchestrator application that you created in your OAuth provider. |
| Client Secret | Client secret for the Orchestrator application that you created in your OAuth provider. |
| Scopes | OAuth 2.0 uses scope values, as defined in RFC 6749, to specify which access privileges are being requested for the access tokens. The default scopes for Orchestrator are openid, offline_access, and email. |
| Authentication URL | The Issuer Identifier URL with the authentication request path appended. For example: https://**/oauth2/v1/authorize. |
| Token URL | The Issuer Identifier URL with the token path appended. For example: https://**/oauth2/v1/token. |
| Username key | The OAuth attribute to be sent as the username. If the username is an email address, use email. If any other key is used, ensure that it is mapped to the correct scope on the OAuth server. |
| (Optional) Roles key | This field can be left with the default value, sp-roles, or you can enter a new key name, but the key name must match what is configured in your OAuth provider. This is a user claim sent in the ID token that maps to Orchestrator roles defined in Role Based Access Control (RBAC). For example, the OAuth server attribute userType maps to sp-roles, and the OAuth user in Orchestrator has userType = OverlayAdmin. |
| (Optional) Appliance Access Group key | This field can be left with the default value, sp-aag, or you can enter a new key name, but the key name must match what is configured in your OAuth provider. This is a user claim sent in the ID token that maps to Orchestrator Appliance Access Groups defined in RBAC. For example, the OAuth server attribute department maps to sp-aag, and the OAuth user in Orchestrator has department = Asia-Admin. |
| Default role | If RBAC is enabled, you must specify a default role. |

Configure a JWT Server

To begin JWT server configuration, the assigned admin must specify the following JWT configuration parameters:

  • Issuer ‘iss’
  • Auditor ‘aud’
  • Expiration ‘exp’
  • Signature
  • User, role, and AAG

NOTE: These parameters are described in the table below.

  • Redirect URL based on successful authentication: https://?access_token=&id_token=&state=&token_type=Bearer&expires_in=3596

Review the following diagram for more details about the workflow of JWT authentication.

[Diagram: JWT authentication workflow]

Then, complete the following steps in Orchestrator:

  1. Navigate to the Authentication tab in Orchestrator.

  2. Click +Add New Server.

    The Remote Authentication Server window opens.

  3. From the Type drop-down menu, select JWT, and then complete the following fields.

    | Field | Description |
    | --- | --- |
    | Name | Name of your JWT provider. |
    | Cert/Signing Key | HMAC secret or RSA public key used to verify the signature of the id_token. |
    | JWK URL | URL that hosts the provider's public key set (JWKS) used to verify the id_token. |
    | Validation Window | Maximum amount of time (in minutes) within which the expiration of the id_token must fall before a new id_token must be issued. |
    | Issuer | Issuer (‘iss’) claim expected in the id_token. |
    | Auditor | ‘aud’ claim expected in the id_token. |
    | Username Key | This attribute is sent as the username. If the username is an email address, use email. If any other key is used, ensure that it is mapped to the correct claim on the JWT provider. |
    | Roles Key | This field can be left with the default value, sp-roles, or you can enter a new key name, but the key name must match what is configured in your JWT provider. This is a user claim sent in the ID token that maps to Orchestrator roles defined in Role Based Access Control (RBAC). For example, the JWT provider attribute userType maps to sp-roles, and the JWT user in Orchestrator has userType = OverlayAdmin. |
    | Appliance Access Group Key | This field can be left with the default value, sp-aag, or you can enter a new key name, but the key name must match what is configured in your JWT provider. This is a user claim sent in the ID token that maps to Orchestrator Appliance Access Groups defined in RBAC. For example, the JWT provider attribute department maps to sp-aag, and the JWT user in Orchestrator has department = Asia-Admin. |
    | Default role | If RBAC is enabled, you must specify a default role. |
    | JWT token consuming URL | URL of Orchestrator that receives the token; this URL does not change. |
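As an added example (not code from Orchestrator or from this page), the following Python performs the checks that the JWT settings above describe: it verifies the id_token signature with the Cert/Signing Key (HMAC case), checks the Issuer (‘iss’) and Auditor (‘aud’) claims, rejects a token whose ‘exp’ falls outside the Validation Window, and then maps the Username Key, Roles Key and Appliance Access Group Key claims to an Orchestrator user, falling back to the Default role when no roles claim is present. The same claim mapping applies to the ID token in the OAuth section above. The CONFIG values, the reading of Validation Window as minutes of slack allowed past ‘exp’, and make_token (which stands in for the IdP) are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed Orchestrator-style JWT server settings (hypothetical values).
CONFIG = {
    "signing_key": b"constructed-hmac-secret",   # Cert/Signing Key (HMAC case)
    "issuer": "https://idp.example.test",        # Issuer: expected 'iss' claim
    "audience": "orchestrator",                  # Auditor: expected 'aud' claim
    "validation_window_min": 5,                  # assumed meaning: slack allowed past 'exp'
    "username_key": "email",                     # Username Key
    "roles_key": "sp-roles",                     # Roles Key
    "aag_key": "sp-aag",                         # Appliance Access Group Key
    "default_role": "Monitor",                   # Default role applied when no roles claim
}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key):
    """Mint an HS256 id_token, standing in for the IdP (test helper only)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_id_token(token, cfg, now):
    """Verify signature, iss, aud and exp, then map claims to an Orchestrator user."""
    head_b64, body_b64, sig_b64 = token.split(".")   # ValueError if not 3 parts
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # pin alg to the configured key type
    signed = f"{head_b64}.{body_b64}".encode()
    expect = hmac.new(cfg["signing_key"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != cfg["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) + cfg["validation_window_min"] * 60 < now:
        raise ValueError("id_token expired; a new id_token is required")
    return {
        "username": claims[cfg["username_key"]],
        "roles": claims.get(cfg["roles_key"], cfg["default_role"]),
        "aag": claims.get(cfg["aag_key"]),
    }
```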

Configure a SAML Server

Orchestrator supports SAML 2.0 integration, which authenticates and authorizes your credentials through an IdP (Identity Provider), an SP (Service Provider), and a Principal. In this integration, these roles are:

  • IdP: Okta
  • SP: Orchestrator
  • Principal: the end user

SAML and Orchestrator Configuration

Use the following instructions to complete SAML and Orchestrator integration.

TIP It is recommended to have Orchestrator open next to your Okta window while completing these instructions.

  1. Sign in to your Okta account.

  2. Select Add Application, and then select SAML 2.0.

  3. Click Create New App.


  4. Sign in to Orchestrator and navigate to the Authentication tab (Orchestrator > Users & Authentication > Authentication).

  5. Click +Add New Server.

  6. Select SAML from the Type field.

  7. In Orchestrator, click the icon next to the ACS URL and SP SLO Endpoint fields to copy them.

  8. Navigate back to your SAML application configuration window.

  9. Paste the ACS URL in the Single Sign On URL and Audience URL (SP Entity ID) fields.

  10. Specify the attributes and their corresponding values on the SAML Settings page. These are configured and assigned on the RBAC tab in Orchestrator.

    1. sp-name: user.email
    2. sp-role: user.usertype
    3. sp-aag: user.department

  11. Click Next.

  12. Click Finish.

  13. Click the View Setup Instructions box on the completed SAML Application Settings page and enter the following URLs in the corresponding Orchestrator fields:

    | SAML Field | Orchestrator Field |
    | --- | --- |
    | Identity Provider Single Sign-On URL | SSO Endpoint |
    | Identity Provider Issuer | Issuer URL |
    | X.509 Certificate | IdP X.509 Cert |

The following table provides more details about the fields in Orchestrator.

| Field | Description |
| --- | --- |
| Name | Any text value for your SAML account for identification purposes. |
| Username Attribute | Retrieves the username from the SAML XML response. |
| Issuer URL | Unique identifier of the issuer (for example: Okta, OneLogin). |
| SSO Endpoint | Unique endpoint for the SAML application created on the IdP server. |
| IdP X.509 Cert | Certificate issued by the IdP, used to verify and validate the response received from the IdP (Okta) server. |
| ACS URL | Orchestrator endpoint needed for configuration on the IdP server. This is provided as a redirect URL after you are authenticated on the IdP server. |
| (Optional) SP SLO Endpoint | Endpoint used by the IdP to initiate the logout request from Orchestrator to the IdP server. |
| (Optional) IdP SLO Endpoint | Endpoint used by Orchestrator to initiate the logout request to the IdP. |
| (Optional) SP X.509 Cert SLO | Certificate used by the IdP to verify the Single Logout request initiated by Orchestrator to log out of the IdP. |
| (Optional) Roles Attribute | This field can be left with the default value, sp-roles, or you can enter a new key name, but the key name must match what is configured in your SAML provider. This is a claim sent to Orchestrator that maps to roles defined in Role Based Access Control (RBAC). |
| (Optional) Appliance Access Group key | This field can be left with the default value, sp-aag, or you can enter a new key name, but the key name must match what is configured in your SAML provider. This is a claim sent to Orchestrator that maps to Orchestrator Appliance Access Groups defined in RBAC. |
| Default role | If RBAC is enabled, you must specify a default role. |

© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.