authentik/website/integrations/services/aruba-orchestrator/index.md


title: Integrate with Aruba Orchestrator
sidebar_label: Aruba Orchestrator

Aruba Orchestrator

Support level: Community

What is Aruba Orchestrator

Aruba Orchestrator is a network management platform used to centrally manage, configure, monitor, and automate Aruba network devices and services. It provides tools for network visibility, policy management, and performance monitoring, simplifying the administration of complex and distributed network environments.

-- https://www.hpe.com/us/en/aruba-edgeconnect-sd-wan.html

Preparation

The following placeholders are used in this guide:

  • arubaorchestrator.company is the FQDN of the Aruba Orchestrator install.
  • authentik.company is the FQDN of the authentik install.
  • SSL Certificate is the name of the SSL certificate used to sign outgoing responses.

authentik Configuration

  1. Log in to authentik as an admin, and go to the Admin interface.

  2. Create a new SAML Property Mapping under Customisation -> Property Mappings:

    • Name: Aruba Orchestrator RBAC
    • SAML Attribute Name: sp-roles
    • Expression: Use the expression below, amending the group name as desired. result is initialised first so that return result is defined for users who are not in the group.
    result = None
    if ak_is_group_member(request.user, name="authentik Admins"):
        result = "superAdmin"
    return result

    • Save the settings.
  3. Create a new SAML Provider under Applications -> Providers using the following settings:

    • Name: Aruba Orchestrator
    • Authentication Flow: Use your preferred authentication flow (e.g., default-authentication-flow)
    • Authorization Flow ID: default-provider-authorization-explicit-consent (Authorize Application)
    • Protocol settings:
      • ACS URL: https://arubaorchestrator.company/gms/rest/authentication/saml2/consume
      • Issuer: https://arubaorchestrator.company/gms/rest/authentication/saml2/consume
      • Service Provider Binding: Post
    • Advanced protocol settings:
      • Signing Certificate: SSL Certificate
      • Property Mappings: default + sp-roles
    • Leave everything else as default and save the settings.
  4. Download the signing certificate under Applications -> Providers -> Aruba Orchestrator.

  5. Create a new application under Applications -> Applications, pick a name and a slug, and assign the provider that you have just created.
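The property mapping in step 2 maps a single group to a single role. The following is an added example, not code from the authentik documentation or the authentik project, that generalises it to an ordered group-to-role table so that a user in several groups receives the most privileged matching role exactly once, and users in no mapped group get no sp-roles value at all (leaving the decision to the server's Default role setting). Only "authentik Admins" and "superAdmin" come from the guide; the other group and role names are placeholders to be replaced with your own. The expression body is kept as a string because request and ak_is_group_member exist only inside authentik's expression sandbox.

```python
# Added example: ordered group -> Aruba Orchestrator role mapping for the
# "sp-roles" SAML attribute. Most-privileged entry first; the first match wins.
# Only ("authentik Admins", "superAdmin") is taken from the guide; the other
# entries are placeholders (assumed names, replace with your own).
GROUP_TO_ROLE = [
    ("authentik Admins", "superAdmin"),
    ("PLACEHOLDER Operators", "PLACEHOLDER_operator_role"),
    ("PLACEHOLDER Viewers", "PLACEHOLDER_readonly_role"),
]


def role_for_groups(group_names, mapping=GROUP_TO_ROLE):
    """Return the role for a user's authentik group names.

    Returns None when no mapped group matches, so the attribute carries no
    value and the user is not silently promoted; precedence follows the order
    of `mapping`, so an admin who is also a viewer still gets "superAdmin".
    """
    memberships = set(group_names)
    for group, role in mapping:
        if group in memberships:
            return role
    return None


def build_expression(mapping=GROUP_TO_ROLE):
    """Render the same logic as an authentik property-mapping expression.

    `request.user` and `ak_is_group_member` are provided by authentik at
    evaluation time, which is why the body is produced as text here.
    """
    table = ",\n".join(f'    ("{group}", "{role}")' for group, role in mapping)
    return (
        "roles = [\n"
        f"{table},\n"
        "]\n"
        "result = None\n"
        "for group, role in roles:\n"
        "    if ak_is_group_member(request.user, name=group):\n"
        "        result = role\n"
        "        break\n"
        "return result\n"
    )


if __name__ == "__main__":
    # Constructed sample memberships, not real users.
    for groups in (["authentik Admins"], ["PLACEHOLDER Viewers", "authentik Admins"], []):
        print(groups, "->", role_for_groups(groups))
    print(build_expression())
```

Paste the output of build_expression() into the Expression field in place of the single-group version; the sp-roles attribute name and the rest of the provider settings stay as described above.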

Aruba Orchestrator Configuration

  1. Log in to the Aruba Orchestrator.
  2. Create a new Remote Authentication Server under Orchestrator -> Authentication -> Add New Server.
    • Type: SAML
    • Name: authentik
    • Username Attribute: http://schemas.goauthentik.io/2021/02/saml/username
    • Issuer URL: https://arubaorchestrator.company/gms/rest/authentication/saml2/consume
    • SSO Endpoint: https://authentik.company/application/saml/<slug>/sso/binding/init/ (replace <slug> with application slug name)
    • IdP X509 Cert: (paste in the downloaded signing certificate)
    • ACS URL: https://arubaorchestrator.company/gms/rest/authentication/saml2/consume
    • EdgeConnect SLO Endpoint: https://arubaorchestrator.company/gms/rest/authentication/saml2/logout
    • IdP SLO Endpoint: (optional)
    • EdgeConnect X.509 Cert SLO: (optional)
    • Roles Attribute: sp-roles (optional)
    • Appliance Access Group Attribute: (optional)
    • Default role: (optional)

Verification

  1. Go to https://arubaorchestrator.company.
  2. Click Log In Using authentik on the login screen and authorize with authentik.
  3. You will be redirected to the home screen of the Aruba Orchestrator.