AAA Providers

Authentication and Authorization (AAA) Providers let you log in to CloudVision through any provider that you create. The OAuth and SAML providers are pre-configured and require additional information to create the provider.

The following sections describe procedures to configure AAA providers:

  1. Requirements
  2. Setting up an OAuth/SAML Provider in CloudVision
  3. Setting up CloudVision with Identity Provider
  4. Logging in with a Provider
  5. Adding Launchpad as a Provider

Requirements

Pre-requisites:

  • The device must have internet access.
  • To create the OAuth or SAML provider, you must be registered with and have access to the Service Provider (SP) credentials.

Perform the following steps to create and edit SAML Providers:

  1. Click on the gear icon.
    Figure 1. General Settings Screen
  2. On the General Settings page, under Features, enable SAML Providers (Beta) using the toggle button.

Setting up OAuth and SAML Providers in CloudVision

You can set up an OAuth or SAML provider in CloudVision through the Providers screen. To open the Providers screen, click the gear icon and navigate to Access Control > Providers. This screen lists the currently registered OAuth and SAML providers in corresponding tables and provides the following functionalities:

Note: The Shared Provider column lists the providers where Arista has a special account for CloudVision-as-a-Service (CVaaS).

Adding OAuth Providers

Pre-requisites:

  • Shared providers do not require additional information such as the endpoint, client ID, and client secret. This functionality is not supported on-prem or on custom providers.
  • The link at the bottom of the Add OAuth Providers window explains how the selected provider uses OAuth and where you can find the information required by the form.
  • You can use the Custom OAuth option if your provider is not listed under the Provider drop-down menu.
Perform the following steps to add an OAuth provider:
  1. Click the + Add OAuth Provider tab.
    The system opens the Add OAuth Provider screen.
    Figure 2. Add OAuth Provider Screen
  2. Select the required OAuth provider from the Provider drop-down menu.
    Figure 3. Add OAuth Provider Screen to Configure a Provider
  3. In the Endpoint field, type the provider URL where the Client ID and Client Secret are used to authorize the client.
  4. In the Client ID field, type the unique public identifier the provider assigns to the client at the time of registration.
  5. In the Client Secret field, type the unique private identifier the provider assigns to the client at the time of registration.
  6. Click Add.
    The system registers the new OAuth provider and lists it in the OAuth providers table.

Adding SAML Providers

Pre-requisites:

  • The link at the bottom of the Add SAML Providers window explains how the selected provider uses SAML and where you can find the information required by the form. The only provider that does not have this information is Launchpad.
  • You can use the Custom SAML option if your provider is not listed under the Provider drop-down menu.
Perform the following steps to add a SAML provider:
  1. Click the + Add SAML Provider tab.
    The system opens the Add SAML Provider window.
    Figure 4. Add SAML Provider Screen
  2. Select the required SAML provider from the Provider drop-down menu.
    Figure 5. Add SAML Provider Screen to Configure a Provider
  3. In the Identity Provider Issuer field, type the Issuer or Entity ID.
    Note: An Issuer or Entity ID is a URL that uniquely identifies a SAML identity provider.
  4. In the Identity Provider Metadata URL field, type the URL to fetch identity provider metadata.
  5. In the Email Attribute Name field, type the attribute name for the email ID in SAML.
  6. In the Authorization Request Binding field, select the protocol binding used for the SAML authentication request to the identity provider.
  7. Click Add.
    The system registers the new SAML provider and lists it in the SAML providers table.
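
A pre-check for the values typed in steps 3, 4 and 6, given here as an added example that is not part of the CloudVision documentation or Arista's code: it compares the Identity Provider Issuer with the `entityID` in the IdP metadata, confirms the metadata URL is HTTPS, and confirms the IdP offers the selected request binding and a signing certificate. The function name, the short binding names, the `idp.example.test` host and the sample metadata are assumptions constructed for illustration; the metadata bytes are assumed to have been downloaded from the Identity Provider Metadata URL beforehand.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Short binding names used by this example -> SAML 2.0 binding URIs.
BINDINGS = {"HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

# Constructed metadata for a hypothetical IdP; the certificate is a placeholder.
SAMPLE_METADATA = b"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_saml_form(issuer, metadata_url, binding, metadata_xml):
    """Return problems found in the values destined for the Add SAML Provider form."""
    problems = []
    if urlparse(metadata_url).scheme != "https":
        problems.append("metadata URL is not HTTPS")
    if b"<!DOCTYPE" in metadata_xml:  # refuse DTDs before parsing (entity expansion)
        return problems + ["metadata contains a DOCTYPE"]
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != issuer:
        problems.append("issuer does not match metadata entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["metadata has no IDPSSODescriptor"]
    offered = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    if BINDINGS.get(binding) not in offered:
        problems.append("IdP does not offer the selected request binding")
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")
               and k.find(".//ds:X509Certificate", NS) is not None]
    if not signing:
        problems.append("metadata carries no signing certificate")
    return problems
```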

Removing OAuth Providers

Perform the following steps to remove an OAuth provider:
  1. On the Providers screen, under OAuth Providers, select the redundant provider from the OAuth provider table.
    Figure 6. Removing OAuth Provider(s)
  2. Click the Remove OAuth Provider button.
    The system opens the Confirm screen.
    Figure 7. Remove OAuth Provider(s) Confirm Screen
  3. Click Remove to confirm the removal.
    The system permanently removes the OAuth provider.

Removing SAML Providers

Perform the following steps to remove a SAML provider:
  1. On the Providers screen, under SAML Providers, select the redundant provider from the SAML provider table.
    Figure 8. Removing SAML Provider(s)
  2. Click the Remove SAML Provider button.
    The system opens the Confirm screen.
    Figure 9. Remove SAML Provider(s) Confirm Screen
  3. Click Remove to confirm the removal.
    The system permanently removes the SAML provider.

Logging in with a Provider

You can use your registered providers on the CloudVision login screen to log in to cloud and on-premise CloudVision deployments. Click on the provider that has been created to log in through that provider.

Note: The login screen of CloudVision with cloud deployments displays all supported providers regardless of which ones were created, whereas the login screen of CloudVision with on-premise deployments displays only providers that have been created.

Adding Launchpad as a Provider

Adding a Launchpad for CVaaS Deployments

This section applies to non-CV-CUE customers who want to use Launchpad as an identity provider.

To add Launchpad as a shared provider for CVaaS deployments, request the list of users to be created in Launchpad by emailing wifi-cloudops-tickets@

Note:
  • For cv-dev and cv-play, use the following information to configure Launchpad in CloudVision:

    Provider: launchpad
    Identity Provider Issuer: https://mojoonedemo.airtightnw.com/idp/shibboleth
    Identity Provider Metadata URL: https://mojoonedemo.airtightnw.com/idp/shibboleth
    Email Attribute Name: User.email
    Authorization Request Binding: HTTP-Redirect SAML protocol binding

  • For cv-staging and production, use the following information to configure Launchpad in CloudVision:

    Provider: launchpad
    Identity Provider Issuer: https://login.mojonetworks.com/idp/shibboleth
    Identity Provider Metadata URL: https://login.wifi.arista.com/casui/idp-metadata.xml
    Email Attribute Name: User.email
    Authorization Request Binding: HTTP-Redirect SAML protocol binding

Adding a Launchpad for On-Premise Deployments

Perform the following steps to add a launchpad for on-premise deployments:

  1. Log in to the tenant/cluster and get the SAML metadata from the desired cluster by going to the CLUSTER_URL/api/v1/saml_sp_metadata URL.
  2. Email the metadata obtained in Step 1 to wifi-cloudops-tickets@ requesting that the first user account be created in Launchpad and that Launchpad be configured with the SAML metadata to trust this CloudVision cluster.
    Note: Other accounts for this customer/org can be created by the first account created for this org by the cloudops team.
  3. Get the Identity Provider Issuer URL, Identity Provider Metadata URL and the Email attribute name from Launchpad.

Adding a Launchpad for CVaaS and On-Premise Deployments

Perform the following steps to add a launchpad for CVaaS and on-premise deployments:

  1. Log in to the CVP.
  2. Click on the gear icon.
  3. On the General Settings screen, under Features, enable SAML Providers (Beta).
  4. Navigate to Access Control > Providers and click the + Add SAML Provider button.
  5. Select Launchpad (SAML) from the Provider drop-down menu.
    Figure 10. Add SAML Provider Screen to Configure Launchpad
  6. In the Identity Provider Issuer field, type the Issuer or Entity ID.
    Note: An Issuer or Entity ID is a URL that uniquely identifies a SAML identity provider.
  7. In the Identity Provider Metadata URL field, type the URL to fetch identity provider metadata.
  8. In the Email Attribute Name field, type the attribute name for the email ID in SAML.
  9. In the Authorization Request Binding field, select the protocol binding used for the SAML authentication request to the identity provider.
  10. Click Add.
  11. Under Access Control in the left pane, click Users.
    The system opens the Users screen.
    Figure 11. Users Screen
  12. On the Users screen, click + Add User.
    The system opens the Add User screen.
    Figure 12. Add User Screen
  13. Provide the required information in corresponding fields.
    Note:
    • CloudVision usernames and EOS switch usernames must match for CloudVision to manage configuration and images on the switches.
    • Type the email address which you used to sign up with Launchpad in the Email Address field.
  14. Click Add.
  15. Log out of the CVP.
  16. Log in to your account via Launchpad.