User Management-Operator

The User Management feature allows you to manage users, their roles, service permissions (formerly known as Role Customization), and authentication.

As an Operator, you can access this feature from the Operator portal, by navigating to Administration > User Management . The following screen is displayed:

The User Management window displays four tabs: Users, Roles, Service Permissions, and Authentication.

For more information on each of these tabs, see:

Users

As an Operator, you can view the list of existing users and their corresponding details. You can add, modify, or delete a user. However, you cannot modify or delete an Operator Superuser. An Operator Superuser can create new Operator users with different role privileges and configure API tokens for each Operator user.

To access the Users tab:

In the Operator portal, select Administration from the top menu.
From the left menu, select User Management. The Users tab is displayed by default.

Figure 2. Users-Operator

On the Users screen, you can configure the following:

Table 1. Users Option Descriptions
Option	Description
New User	Creates a new Operator user. For additional information, see Add New User.
Modify	Allows you to modify the properties of the selected Operator user. You can also select the link to the username to modify the properties. You can change the Activation State of the selected Operator user. Only an Operator Superuser can manage API tokens. For more information, see API Tokens.
Password Reset	Sends an email to the selected user with a link to reset the password. You can also choose to freeze the account until the password is reset.
Delete	Deletes the selected user. You cannot delete the default users.
More	Select this option, and then select Download to download the details of all the users into a file in CSV format.

The following additional options are available in the Users tab:

Table 2. User additional Option Descriptions
Option	Description
Search	Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
Columns	Select and select the columns to be displayed or hidden on the page.
Refresh	Select to refresh the page to display the most current data.

Add New User

In the Operator portal, you can add new users and configure the user settings. Only Operator Superusers and Operator Standard Admins can add a new user. To add a new user, perform the following steps:

In the Operator portal, select Administration from the top menu.
From the left menu, select User Management. The Users tab is displayed by default.
Select New User. The following screen appears:

Figure 3. Add New User

Enter the following details for the new user:

Table 3. New User Option Descriptions
Option	Description
General Information	Enter the required personal details of the user.
Role	Select a role that you want to assign to the user. For information on roles, see Roles.
Edge Access	Ensure that you have Operator Superuser role to modify the Access Level for the user. Choose one of the following options: Basic: Allows you to perform certain basic debug operations such as ping, tcpdump, PCAP, remote diagnostics, and so on. Privileged: Grants you the root-level access to perform all basic debug operations along with Edge actions such as restart, deactivate, reboot, hard reset, and shutdown. In addition, you can access Linux shell. The default value is Basic. Note: Only Operator Superusers can modify the default value to Privileged.

Note: The Next button is activated only when you enter all the mandatory details in each section.

Select the Add another user check box if you wish to create another user, and then select Add User.
The new user appears on the User Management > Users page.
Select the link to the user to view or modify the details.

API Tokens

You can access the Orchestrator APIs using tokens instead of session-based authentication. As an Operator Superuser, you can manage the API tokens. You can create multiple API tokens for a user.

Note: For Enterprise Read Only users and MSP Business Specialist users, token-based authentication is not activated.

By default, the API Tokens are activated. If you want to deactivate them, go to System Properties in the Operator portal, and set the value of the system property session.options.enableApiTokenAuth as False.

Note: Operator Superuser should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.

The users can create, revoke, and download the tokens based on their roles.

To manage the API tokens:

In the Operator portal, navigate to Administration > User Management > Users .
Select a user and select Modify or select the link to the username. Go to the API Tokens section.

Figure 4. API Tokens
Select New API Token.

Figure 5. New API Token
In the New Token window, enter a Name and Description for the token, and then choose the Lifetime from the drop-down menu.

Note: When the Lifetime of the token is over, the status changes to Expired.
Select Save. The new token is displayed in the API Tokens table. Initially, the status of the token is displayed as Pending. Once you download it, the status changes to Enabled.
To download the token, select the token, and then select Download API Token.
To deactivate a token, select the token, and then select Revoke API Token.
The status of the token is displayed as Revoked.
Select CSV to download the complete list of API tokens in a .csv file format.

Note: Only the user who is associated with a token can download it and after downloading, the ID of the token alone is displayed. You can download a token only once. After downloading the token, the user can send it as part of the Authorization Header of the request to access the Orchestrator API.

You can configure the following additional options available in the API Tokens section:

Table 4. API Token Option Descriptions
Option	Description
Search	Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
Columns	Select and select the columns to be displayed or hidden on the page.
Refresh	Select to refresh the page to display the most current data.

The following example shows a sample snippet of the code to access an API.

curl -k -H "Authorization: Token <Token>"
  -X POST https://vco/portal/
  -d '{ "id": 1, "jsonrpc": "2.0", "method": "enterprise/getEnterpriseUsers", "params": { "enterpriseId": 1 }}'

Similarly, you can configure additional properties and create API tokens for Partner Admins, Enterprise Customers, and Partner Customers.

Roles

Starting from the 5.1.0 release, Functional Roles are renamed as Privileges, and Composite Roles are renamed as Roles.

The Orchestrator consists of two types of roles. The roles are categorized as follows:

Privileges – Privileges are a set of roles relevant to a functionality. A privilege can be tagged to one or more services. Users require privileges to carry out business processes. For example, a Customer support role in SD-WAN is a privilege required by an SD-WAN user to carry out various support activities. Every service defines such privileges based on its supported business functionality.

Roles – The privileges from various categories can be grouped to form a role. By default, the following roles are available for an Operator user:

Table 5. Roles
Role	SD-WAN Service	Global Settings Service
Operator Standard Admin	SD-WAN Operator Admin	Global Settings Operator Admin
Operator Superuser	Full Access	Full Access
Operator Business	SD-WAN Operator Business	Global Settings Operator Business
Operator Support	SD-WAN Operator Support	Global Settings Operator Support

If required, you can customize the privileges of these roles. For additional information, see Service Permissions.

As an Operator, you can view the list of existing standard roles and their corresponding descriptions. You can add, edit, clone, or delete a new role. However, you cannot edit or delete a default role.

To access the Roles tab:

In the Operator portal, select Administration from the top menu.
From the left menu, select User Management, and then select the Roles tab. The following screen appears:

Figure 6. Roles- Operator

On the Roles screen, you can configure the following options:

Table 6. Roles Option Descriptions
Option	Description
Add Role	Creates a new custom role. For more information, see Add Role.
Edit	Allows you to edit only the custom roles. You cannot edit the default roles. Also, you cannot edit or view the settings of a Superuser.
Clone Role	Creates a new custom role, by cloning the existing settings from the selected role. You cannot clone the settings of a Superuser.
Delete Role	Deletes the selected role. You cannot delete the default roles. You can delete only custom composite roles. Ensure that you have removed all the users associated with the selected role, before deleting the role.
Download CSV	Downloads the details of the user roles into a file in CSV format.

Note: You can also access the Edit, Clone Role, and Delete Role options from the vertical ellipsis of the selected Role.

Select >> displayed before the Role link, to view more details about the selected Role, as shown below:

Figure 7. Role Details
Select the View Role link to view the privileges associated to the selected role for the following services:
- Global Settings & Administration
- SD-WAN

The following additional options are available in the Roles tab:

Table 7. Additional Roles Option Descriptions
Option	Description
Search	Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
Columns	Select and select the columns to be displayed or hidden on the page.
Refresh	Select to refresh the page to display the most current data.

Add Role

To add a new role for an Operator, perform the following steps:

In the Operator portal, select Administration from the top menu.
From the left menu, select User Management, and then select the Roles tab.
Select Add Role. The following screen appears:

Figure 8. Add Role

Enter the following details for the new custom role:

Table 8. New Custom Role Option Descriptions
Option	Description
Role Details
Role Name	Enter a name for the new role.
Role Description	Enter a description for the role.
Template	Optionally, select an existing role as template from the drop-down list. The privileges of the selected template are assigned to the new role.
Scope	Select Operator, Partner, or Customer as the scope for the new role. The new role appears in all the accounts for the selected user, as a default role. If an Operator creates a role for a Partner, it appears in the Partner's roles' list and can be edited only by an Operator and a Partner user who has the required permissions.
Role Creation: The options in this section vary depending on the selected Scope.
Global Settings & Administration	These privileges provide access to user management and global settings that are shared across all services. Choosing one of the privileges is mandatory. By default, Global Settings Operator Support is selected for the Operator scope.
SD-WAN	These privileges provide the Operator, Partner, or Enterprise Administrator with different levels of read and/or write access around SD-WAN configuration, monitoring, and diagnostics. You can optionally choose an SD-WAN privilege. The default value is No Privileges.

Select Save Changes.
The new custom role appears on the User Management > Roles page of the user, depending on the selected Scope.
Select the link to the custom role to view the settings.

Enterprise Security Admin Role

Starting from the 6.1.0 release, customization of the Enterprise Security Admin role is enhanced to separate network and security actions. This customization allows you to configure only the Firewall settings at Profile and Edge level. All other SD-WAN configurations become read-only for an Enterprise Security Admin role.

The customization of the Enterprise Security Admin role can be achieved by creating the following two service permissions:

SD-WAN Enterprise Security Admin
Global Settings Enterprise Admin

You can either create these new permissions or directly upload these permissions using JSON files. Both these methods are explained below:

Create a Permission

In the Operator portal, select Administration from the top menu.
From the left menu, select User Management, and then select the Service Permissions tab.
Select New Permission. The following screen appears:

Figure 9. Enterprise Security Admin Role

Enter the following details to create a new permission:

Table 9. New Permission Option Descriptions
Option	Description
Name	Enter an appropriate name for the permission.
Description	Enter a description. This field is optional.
Scope	Select Enterprise as the scope.
Service	Select SD-WAN service to create the SD-WAN Enterprise Security Admin service permission. Select Global Settings service to create the Global Settings Enterprise Admin service permission.
Privilege Bundle	Select an appropriate privilege bundle from the drop-down menu. The privileges are populated depending on the selected Service. Note: Operator Superuser role is not available.
Privileges	Displays the list of privileges based on the selected Privilege Bundle. You can edit only those privileges that are eligible for customization.

Select Download CSV to download the list of all privileges, their description, and associated actions, into a file in CSV format.
Select Save to save the new permission. Select Save and Apply to save and publish the permission. The new permission is displayed on the Service Permissions page.

Note: The Save and Save and Apply buttons are activated only after you modify the permissions.

Upload a Permission: You can upload a service permission by navigating to User Management > Service Permissions > More > Upload Permission .

Below are the service permissions for SD-WAN Enterprise Security Admin and Global Settings Enterprise Admin roles with the list of privileges:

SD-WAN Enterprise Security Admin

{
  "roleCustomizations": [
    {
      "forRoleId": 151,
      "addPrivileges": [
        {
          "object": "EDGE_DEVICE_DEVICE_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_CLOUD_SECURITY_SERVICE",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_GLOBAL_IPV6_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_L2_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_WIFI_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_CC_FIREWALL",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_HIGH_AVAILABILITY",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_CONFIG_VISIBILITY_MODE",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_SNMP_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_SECURITY_VNF",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_NTP_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_DEVICE_ANALYTICS_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE_DEVICE_DEVICE_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE_DEVICE_L2_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE_DEVICE_GLOBAL_IPV6_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE_DEVICE_WIFI_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE_DEVICE_CC_FIREWALL",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE_DEVICE_CONFIG_VISIBILITY_MODE",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE_DEVICE_NTP_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE_DEVICE_SNMP_SETTINGS",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_OVERVIEW",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "PROFILE",
          "action": "CREATE",
          "isDeny": 1
        },
        {
          "object": "OVERLAY_FLOW_CONTROL",
          "action": "UPDATE",
          "isDeny": 1
        },
        {
          "object": "EDGE_MANAGEMENT",
          "action": "UPDATE",
          "isDeny": 1
        }
      ],
      "removePrivileges": []
    }
  ]
}

Global Settings Enterprise Admin

{
  "roleCustomizations": [
    {
      "forRoleId": 551,
      "addPrivileges": [
        {
          "object": "SYSTEM_SETTINGS_GENERAL_INFO",
          "action": "UPDATE",
          "isDeny": 1
        }
      ],
      "removePrivileges": []
    }
  ],
  "networkId": 1
}

For additional information, see Service Permissions.

Service Permissions

Service Permissions allow you to granularly define actions (Read, Create, Update, and Delete) assigned to each Privilege (such as Cloud Security Service and Customer Segment configuration) within a Privilege Bundle.

Note:

Starting from the 5.1.0 release, Role Customization is renamed as Service Permissions.
To activate this feature, an Operator user must navigate to Global Settings > Customer Configuration > Additional Configuration > Feature Access , and then check the Role Customization check box.

Roles can be customized by changing the service permissions held by each role. You can customize both, default roles and new roles. Roles are created based on the selected default role. Operator, Partner, and Enterprise roles are defined separately. So, there are default roles for each level, such as Operator Superuser, Partner Standard Admin, and Enterprise Support.

When customizing a role, you must select both, the user level and the role. Typically, Operator roles have more privileges by default, than Partners or Enterprise Customers. When creating a user, you must assign a role to the user. Any change to that specific role's privileges is immediately applied to all users assigned to that role. Role customizations only apply to one role at a time. For example, changes to Operator Standard Admin roles do not get applied to Enterprise Standard Admin roles.

For more information, see the topic Roles.

The Service Permissions are applied to the privileges as follows:

The customizations done at the Enterprise level override the Partner or Operator level customizations.
The customizations done at the Partner level override the Operator level customizations.
Only when there are no customizations done at the Partner level or Enterprise level, the customizations made by the Operator are applied globally across all users in the Orchestrator.

Note: For information on user privileges, see the topic List of User Privileges.

To access the Service Permissions tab:

In the Operator Portal, select Administration from the top menu.
From the left menu, select User Management, and then select the Service Permissions tab. The following screen appears:

Figure 10. Service Permissions- Operator

On the Service Permissions screen, you can configure the following options:

Table 10. Service Permissions Option Descriptions
Option	Description
Service	Select a service from the drop-down menu. The available services are: All Global Settings SD-WAN Each service comprises of a set of related permissions grouped together. Custom service permissions, if any, associated with the selected service are displayed. By default, all of the custom service permissions are displayed.
New Permission	Allows you to create a new set of privileges. The newly created permission is displayed in the table. For more information, see New Permission.
Edit	Allows you to edit the settings of the selected permission. You can also select the link to the Permission Name to edit the settings.
Clone	Allows you to create a copy of the selected permission.
Publish Permission	Applies the customization available in the selected package to the existing permission. This option modifies the privileges only at the current level. If there are customizations available at the Operator level or a lower level for the same role, then the lower level takes precedence. For example, customizations defined by an Enterprise Superuser take precedence over customizations defined by an Operator Superuser.
More	Allows you to select from the following additional options: Delete: Deletes the selected permission. You cannot delete a permission if it is already in use. Note: A permission can only be deleted if it is in a draft state. The Delete option is deactivated for a published permission. If you want to delete a published permission, you must reset the permission to system default, which changes it to draft state and activates the Delete option for the permission. Download JSON: Downloads the list of permissions into a file in JSON format. Upload Permission: Allows you to upload a JSON file of a customized permission. Unpublish Permissions: Allows you to unpublish the selected permission changing it to a 'Draft' state. You can modify the permission and save it again, which changes it to "Published" state.

The table displays the following columns:

Table 11. Option Descriptions
Option	Description
Permission Name	Displays the newly created permission.
Service	Displays the service of the new permission.
Scope	Displays the scope of the new permission.
Role Associated	Displays the associated roles using the same Privilege Bundle.
Last Modified	Displays the date and time when the permission was last modified.
Published	Displays either "Published" or "Draft" depending on the state of the permission.

The following additional options are available in the Service Permissions tab:

Table 12. Service Permissions Additional Option Descriptions
Option	Description
Columns	Select and select the columns to be displayed or hidden on the page.
Refresh	Select to refresh the page to display the most current data.

Note: Service Permissions are version dependent, and a service permission created on an Orchestrator using an earlier software release will not be compatible with an Orchestrator using a later release. For example, a service permission created on an Orchestrator that is running Release 3.4.x does not work properly if the Orchestrator is upgraded to a 4.x Release. Also, a service permission created on an Orchestrator running Release 3.4.x does not work properly when the Orchestrator is upgraded to 4.x.x Release. In such cases, the user must review and recreate the service permission for the newer release to ensure proper enforcement of all roles.

New Permission

You can customize the privileges and apply them to the existing permission in the Orchestrator.

To add a new permission, perform the following steps:

In the Operator portal, select Administration from the top menu.
From the left menu, select User Management, and then select the Service Permissions tab.
Select New Permission. The following screen appears:

Figure 11. New Permission

Enter the following details to create a new permission:

Table 13. New Permission Option Descriptions
Option	Description
Name	Enter an appropriate name for the permission.
Description	Enter a description. This field is optional.
Scope	Select Operator, Partner, or Enterprise as the scope. An Operator can apply the permissions for Operators, Partners, and Customers.
Service	Select a service from the drop-down menu. The available services are: Global Settings SD-WAN
Privilege Bundle	Select a privilege bundle from the drop-down menu. The privileges are populated depending on the selected Service.
Privileges	Displays the list of privileges, in a tabular format, based on the selected Privilege Bundle.

To activate or deactivate a specific privilege, select or deselect the corresponding check box, in the Privileges table. The available check boxes are Read, Create, Update, and Delete.

Starting from the release 6.4.0, a green icon is displayed whenever a privilege is modified. This icon is displayed next to the modified check box and the privilege name.

Some privileges do not support selection of an independent action. In this case, if you select any one action check box, all the other check boxes get selected too. A tool tip is provided for such privileges. Also, the Read action check box does not allow independent selection. When selected, all the other check boxes for that particular privilege also get automatically selected.

Note: You can edit only those privileges that are eligible for customization. Operator Superuser role cannot be customized.

Slide the Show Only Modified toggle button, located at the top right of the privileges table, to view only the modified privileges.
Select Reset Privileges to reset all the changes.

Select Download CSV to download the list of all privileges, their description, and associated actions, into a file in a CSV format. You can choose from the below options:

Table 14. Privileges
Default Privileges	Downloads the original privileges ignoring all the current modifications.
Modified Privileges	Downloads only the privileges that were modified.
Current Privileges	Downloads all the current privileges.

Note: If you select Reset Privileges, and then select Download CSV, the Default Privileges and Current Privileges options, both display the same list.

Select Save to save the new permission. Select Save and Apply to save and publish the permission.

Note: The Save and Save and Apply buttons are activated only after you modify the permissions.

The new permission is displayed on the Service Permissions page. If you create another permission using the same scope and service, the privilege displays the last modified settings by default.

List of User Privileges

This section lists all the privileges available in the Operator portal.

The columns in the table indicate the following:

Allow Privilege – Do the privileges have allow access?
Deny Privilege – Do the privileges have deny access?
Customizable – Is the privilege available for customization in the Service Permissions tab?

Table 15. Available Privileges
Feature	Name of the Privilege	Description	Allow Privilege	Deny Privilege	Customizable
Manage Customers	Create Customer	Grants ability to view and manage Enterprise Customers as an Operator or a Partner	Yes	No	No
	Read Customer			No	No
	Update Customer			Yes	Yes
	Delete Customer			No	No
	Manage Customer			No	No
Manage Partners	Create Partner	Grants ability to view and manage Partners	Yes	No	No
	Read Partner
	Update Partner
	Delete Partner
	Manage Partner
Software Images	Create Software Package	Grants access to upload and assign Edge Software Images and Application Maps	Yes	Yes	Yes
	Read Software Package
	Update Software Package
	Delete Software Package
	Manage Software Package
System Properties	Create System Property	Grants access to view and manage System Properties	Yes	Yes	No
	Read System Property				Yes
	Update System Property				No
	Delete System Property				No
	Manage System Property				Yes
	Edit Restricted System Properties	Controls the ability of user to edit restricted system properties	Yes	No	No
Operator Events	Create Operator Event	Grants ability to view Operator events	Yes	Yes	Yes
	Read Operator Event
	Update Operator Event
	Delete Operator Event
	Manage Operator Event
Operator Profiles	Create Operator Profile	Grants ability to view and manage Operator profiles	Yes	Yes	Yes
	Read Operator Profile
	Update Operator Profile
	Delete Operator Profile
	Manage Operator Profile
	View Tab Operator Profile	Controls ability of the user to view and configure within the Operator profile menu	No	Yes	Yes
Operator Users	Create Operator User	Grants ability to view and manage Operator administrative users	Yes	Yes	No
	Read Operator User				Yes
	Update Operator User				No
	Delete Operator User				No
	Manage Operator User				Yes
Operator Users > API Tokens	Create Operator Token	Grants ability to view and manage the operator Authentication Tokens	Yes	No	No
	Read Operator Token
	Update Operator Token
	Delete Operator Token
	Manage Operator Token
Gateway Pools Gateways Gateway Diagnostic bundles	Create Gateway	Grants ability to view and manage Gateway pools and Gateways as an Operator or a Partner	Yes	Yes	Yes
	Read Gateway
	Update Gateway
	Delete Gateway
	Manage Gateway
	View Tab Gateway List	Controls the ability of user to view the list of Gateways	No	Yes	Yes
Gateways > New Gateway	Create Operator PKI	Grants ability to view and manage Operator level PKI configuration including Gateway certificates and certificate authority	Yes	Yes	No
Gateway > Gateway Authentication Mode	Read Operator PKI				Yes
	Update Operator PKI				No
	Manage Operator PKI				Yes
Gateway Diagnostic Bundles > Download Diagnostic Bundles	Download Gateway Diagnostics	Grants ability to download Gateway Diagnostics	No	Yes	Yes
Application Maps	Create Software Package	Grants access to upload and assign Edge software images and Application Maps	Yes	Yes	Yes
	Read Software Package
	Update Software Package
	Delete Software Package
	Manage Software Package
Service Permissions	Create Service Permissions Package	Grants access to manage Service Permissions packages	Yes	No	No
	Read Service Permissions Package
	Update Service Permissions Package
	Delete Service Permissions Package
	Manage Service Permissions Package
Edge Licensing	Create License	Grants ability to view and manage Edge licensing	Yes	No	No
	Read License			Yes	Yes
	Update License			Yes	Yes
	Delete License			No	No
	Manage License			No	No
CA Summary > Gateway Certificates > Revoke Certificate	Read Operator PKI	Grants ability to view and manage operator level PKI configuration including Gateway certificates and certificate authority	Yes	Yes	Yes
	Delete Operator PKI				No
	Manage Operator PKI				Yes
	Read Customer PKI	Grants ability to view and manage Enterprise PKI settings	Yes	No	No
	Delete Customer PKI
	Manage Customer PKI
Orchestrator Authentication > Operator Authentication	Create Operator Authentication	Grants ability to view and manage Operator authentication mode, like SSO, RADIUS, or Native	Yes	Yes	Yes
	Read Operator Authentication
	Update Operator Authentication
	Delete Operator Authentication
	Manage Operator Authentication
Orchestrator Authentication > Enterprise Authentication	Create Customer Authentication	Grants ability to view and manage Customer authentication mode, like RADIUS or Native	Yes	Yes	Yes
	Read Customer Authentication
	Update Customer Authentication
	Delete Customer Authentication
	Manage Customer Authentication
Replication	Create Replication	Grants access to view and configure Orchestrator disaster recovery	Yes	Yes	No
	Read Replication				Yes
	Update Replication				No
	Delete Replication				No
	Manage Replication				Yes
Orchestrator Diagnostics > Diagnostic Bundles	Create Orchestrator Diagnostics	Grants access to request and view Orchestrator diagnostic bundles	Yes	Yes	Yes
Orchestrator Diagnostics > Database Statistics	Read Orchestrator Diagnostics
	Update Orchestrator Diagnostics
	Delete Orchestrator Diagnostics
	Manage Orchestrator Diagnostics
Orchestrator Upgrade for Standalone	Create Software Package	Grants access to upload and assign Edge software images and Application Maps	Yes	Yes	Yes
	Read Software Package
	Update Software Package
	Delete Software Package
	Manage Software Package
Orchestrator Upgrade for DR Setup	Create Replication	Grants access to view and configure Orchestrator disaster recovery	Yes	Yes	No
	Read Replication				Yes
	Update Replication				No
	Delete Replication				No
	Manage Replication				Yes
User Agreements	Create User Agreement	Grants access to configure the customer user agreement	Yes	No	No
	Read User Agreement
	Update User Agreement
	Delete User Agreement
	Manage User Agreement
Orchestrator Owners Manage Orchestrators Edge Inventory	Create Edge Inventory	Grants ability to view and manage Edge inventory as needed for Redirect configuration	Yes	No	No
	Read Edge Inventory
	Update Edge Inventory
	Delete Edge Inventory
	Manage Edge Inventory

When the corresponding user privilege is denied, the Orchestrator window displays the 404 resource not found error.

Below table provides a list of customizable feature privileges:

Table 16. Customizable Permissions
Navigation Path in the Enterprise Portal	Name of the Tab	Name of the Privilege	Description
Configure > Edges > Select Edge	Overview	Assign Edge Profile	Grants ability to assign a Profile to Edges
Configure > Edges > > Select Edge	Firewall	Configure Edge Firewall Logging	Grants ability to configure Edge level firewall logging
Configure > Profiles > Select Profile	Firewall	Configure Profile Firewall Logging	Grants ability to configure Profile level firewall logging
Diagnostics > Remote Actions	Select Edge > Deactivate	Deactivate Edge	Grants ability to reset the device configuration to its factory default state
Global Settings > Enterprise Settings > Information Privacy Settings > SD-WAN PCI	Enforce PCI Compliance	Deny PCI Operations	Denies access to sensitive Customer data including PCAPs, etc. on the Edges and Gateways, for all users including VMware Support
Diagnostics > Diagnostic Bundles	Select Edge > Download Bundle	Download Edge Diagnostics	Grants ability to download Edge Diagnostics
Gateway Management > Diagnostic Bundles	Select Gateway > Download Bundle	Download Gateway Diagnostics	Grants ability to download Gateway Diagnostics
Configure > Profiles	Duplicate	Duplicate Customer Profile	Grants ability to edit duplicate customer level Profiles
Configure > Segments / Configure > Profiles / Configure > Edges	Segments drop-down menu	Edit Tab Segments	Grants ability to edit within the Segments tab
Configure > Edges > Select Edge	Device	Enable HA Cluster	Grants ability to configure HA Clustering
Configure > Edges > Select Edge	Device	Enable HA Active/Standby Pair	Grants ability to configure active/standby HA
Configure > Edges > Select Edge	Device	Enable HA VRRP Pair	Grants ability to configure VRRP HA
Diagnostics > Remote Diagnostics	Clear ARP Cache	Remote Clear ARP Cache	Grants ability to clear the ARP cache for a given interface
Diagnostics > Remote Diagnostics > Gateway	Cloud Traffic Routing (drop-down menu)	Remote Cloud Traffic Routing	Grants ability to route cloud traffic remotely
Diagnostics > Remote Diagnostics	DNS/DHCP Service Restart	Remote DNS/DHCP Restart	Grants ability to restart the DNS/DHCP service
Diagnostics > Remote Diagnostics	Flush Flows	Remote Flush Flows	Grants ability to flush the Flow table, causing user traffic to be re-classified
Diagnostics > Remote Diagnostics	Flush NAT	Remote Flush NAT	Grants ability to flush the NAT table
Diagnostics > Remote Diagnostics > LTE SIM Switchover	LTE Switch SIM Slot Note: This is for 610-LTE and 710 5G devices only.	Remote LTE Switch SIM Slot	Grants ability to activate the SIM Switchover feature. After the test is successful, you can check the status from Monitor > Edges > Overview tab
Diagnostics > Remote Diagnostics	List Paths	Remote List Paths	Grants ability to view the list of active paths between local WAN links and each peer
Diagnostics > Remote Diagnostics	List current IKE Child SAs	Remote List current IKE Child SAs	Grants ability to use filters to view the exact Child SAs you want to see
Diagnostics > Remote Diagnostics	List current IKE SAs	Remote List Current IKE SAs	Grants ability to use filters to view the exact SAs you want to see
Diagnostics > Remote Diagnostics	MIBs for Edge	Remote MIBS for Edge	Grants ability to dump Edge MIBs
Diagnostics > Remote Diagnostics	NAT Table Dump	Remote NAT Table Dump	Grants ability to view the contents of the NAT table
Diagnostics > Remote Diagnostics	Select Edge > Rebalance Hub Cluster	Remote Rebalance Hub Cluster	Grants ability to either redistribute Spokes in Hub Cluster or redistribute Spokes excluding this Hub
Diagnostics > Remote Diagnostics	Select Edge (with SFP module) > Reset SFP Firmware Configuration	Remote Reset SFP Firmware Configuration	Grants ability to reset the SFP Firmware Configuration
Diagnostics > Remote Actions	Reset USB Modem	Remote Reset USB Modem	Grants ability to execute the Edge USB modem reset remote action
Diagnostics > Remote Diagnostics	Scan for Wi-Fi Access Points	Remote Scan for Wi-Fi Access Points	Grants ability to scan the Wi-Fi functionality for the VeloCloud Edge
Diagnostics > Remote Diagnostics	System Information	Remote System Information	Grants ability to view system information such as system load, recent WAN stability statistics, monitoring services
Diagnostics > Remote Diagnostics	VPN Test	Remote VPN Test	Grants ability to execute the Edge VPN test remote action
Diagnostics > Remote Diagnostics	WAN Link Bandwidth Test	Remote WAN link Bandwidth Test	Grants ability to re-test the bandwidth of a WAN link
Diagnostics > Remote Actions	Select Edge > Shutdown	Shutdown Edge	Grants ability to execute the Edge shutdown remote action
Service Settings > Alerts & Notifications	Notifications > Email/SMS	Update Customer SMS Alert	Grants ability to configure SMS alerts at the customer level
Monitor > Edges > Select Edge	Top Sources	View Edge Sources	Grants ability to view Monitor Edge Sources tab
Monitor > Firewall	Firewall Logging	View Firewall Logs	Grants ability to view collected firewall logs
Monitor > Edges > Select Edge	Top Sources	View Flow Stats	Grants ability to view collected flow statistics
Monitor > Firewall Logs	Firewall Logs	View Profile Firewall Logging	Grants ability to view the details of firewall logs originating from VMware VeloCloud Edges
Configure > Profiles	Firewall	View Stateful Firewall	Grants ability to view collected flow statistics
Configure > Profiles	Firewall tab > Configure Firewall > Syslog Forwarding	View Syslog Forwarding	Grants ability to view logs that are forwarded to a configured syslog collector
Operator portal > Gateway Management	Gateways	View Tab Gateway List	Grants ability to view the Gateway list tab
Operator portal > Administration	Operator Profiles	View Tab Operator Profile	Grants ability to view and configure settings within the Operator Profile menu tab
Monitor > Edges > Select Edge	Top Sources	View User Identifiable Flow Stats	Grants ability to view potentially user identifiable flow source attributes

Authentication

The Authentication feature allows you to set the authentication modes for both, Operators and Enterprise users. You can also view the existing API tokens.

To access the Authentication tab:

In the Operator portal, select Administration from the top menu.
From the left menu, select User Management, and then select the Authentication tab. The following screen appears:

Figure 12. Authentication- Operator

The various sections in the Authentication tab are explained below:

API Tokens

You can access the Orchestrator APIs using token-based authentication, irrespective of the authentication mode. Operator Administrators with right permissions can view the API tokens issued to Orchestrator users, including tokens issued to the Partner and Customer users. If required, an Operator Administrator can revoke the API tokens.

By default, the API Tokens are activated. If you want to deactivate them, go to Orchestrator > System Properties , and set the value of the system property session.options.enableApiTokenAuth as False.

Note: An Operator Super User should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.

You can configure the following options:

Table 17. API Token Option Descriptions
Option	Description
Search	Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
Revoke API Token	Select the token and select this option to revoke it. Only an Operator Super User or the user associated with an API token can revoke the token.
CSV	Select this option to download the complete list of API tokens in a .csv file format.
Columns	Select and select the columns to be displayed or hidden on the page.
Refresh	Select to refresh the page to display the most current data.

As an Operator Super User, you can manage the API tokens for Enterprise users. For information on creating and downloading API tokens, see API Tokens.

Operator Authentication / Enterprise Authentication

Select one of the following Authentication modes: Local, Single Sign-On, or Radius.

Local: This is the default option and does not require any additional configuration.

Single Sign-On: Operator users with Superuser permission can set up and configure Single Sign On (SSO) in Orchestrator. Single Sign-On (SSO) is a session and user authentication service that allows users to log in to multiple applications and websites with one set of credentials. Integrating an SSO service with Orchestrator enables the Orchestrator to authenticate users from an OpenID Connect (OIDC)-based Identity Providers (IdPs).

Note:

Beginning in Release 6.1.0, the Orchestrator is capable of having multiple IdPs configured so that a Partner on their Dedicated Orchestrator can configure an IdP independently of the VMware VeloCloud SD-WAN TechOPS team. As a result the Partner with Operator level access can log into their Dedicated Orchestrator with an integrated Single Sign-On service.

Pre-requisites:

Ensure that you have the Operator Superuser permission.
Before setting up the SSO authentication in Orchestrator, make sure that you have set up Users, Service Permissions, and OpenID connect (OIDC) application for Orchestrator in your preferred identity provider’s website.

Note:

Single Sign-On mode is available only for Operator Authentication in the Operator portal.
Token-based authentication is deactivated for SSO users.

To enable Single Sign On (SSO) for Orchestrator, you must enter the Orchestrator application details into the Identity Provider (IdP). Select each of the following links for step-by-step instructions to configure the following supported IdPs:

The Operator Authentication screen for Single Sign-On with Optional Multiple IdPs

With the new Multiple IdP feature in Release 6.1.0, the Single Sign-On screen changes from displaying one configuration screen for one Single Sign On account to displaying a table where multiple IdPs can be configured and tracked.

With this new format, a Superuser Operator must select + NEW IDP to add an IdP. Only then will the Single Sign-On Setup screen appear for configuring that particular IdP.

The workflow for configuring a Single Sign-On changes slightly with a user seeing two screens.

Once you are on the Single Sign-On Setup screen, you can configure the following options when you select the Authentication Mode as Single Sign-on.

Table 18. Single Sign-On Setup Option Description
Option	Description
Identity Provider Template	From the drop-down menu, select your preferred Identity Provider (IdP) that you have configured for Single Sign On. This pre-populates fields specific to your IdP.
OIDC well-known config URL	Enter the OpenID Connect (OIDC) configuration URL for your IdP. For example, the URL format for Okta will be: https://{oauth-provider-url}/.well-known/openid-configuration.
Issuer	This field is auto-populated based on your selected IdP.
Authorization Endpoint	This field is auto-populated based on your selected IdP.
Token Endpoint	This field is auto-populated based on your selected IdP.
JSON Web KeySet URI	This field is auto-populated based on your selected IdP.
User Information Endpoint	This field is auto-populated based on your selected IdP.
Client ID	Enter the client identifier provided by your IdP.
Client Secret	Enter the client secret code provided by your IdP, that is used by the client to exchange an authorization code for a token.
Scopes	This field is auto-populated based on your selected IdP.

Once the Single Sign-On Setup is complete, the Operator needs to configure the Role Setup section.

Figure 16. Role Setup- Use Identity Provider Roles (Default)

Once you are on the Role Setup screen, you can configure the following options.


Role Type	Select one of the following two options: Use default role Use identity provider roles
Allow Super User	This option is for the Partner adding a second IdP. Unchecked this option as a Partner cannot have a Super User role on a Dedicated Orchestrator managed by VMware VeloCloud. In addition, remove the Super User role on the Use identity provider roles screen.
Role Attribute	Enter the name of the attribute set in the IdP to return roles.
Operator Role Map	Map the IdP-provided roles to each of the Operator user roles.

CAUTION: If configuring a second IdP for a Partner on an Orchestrator hosted by VeloCloud (Dedicated Orchestrator), the configuration must not include an Operator Superuser role.

Role Setup for a Partner-added second IdP where the Allow Super User check box is unchecked: This screen also shows that if you enter Operator Superuser as a default role, the Orchestrator displays an error when that box is unchecked. The Default Role should be Operator Standard Admin for Partner Operator users.

Role Setup for a Partner-added second IdP where the Operator Superuser role must be removed.

Figure 18. Removing Operator Superuser role

The Operator user can also test the configuration for a particular Single Sign-On/IdP configuration, by selecting the Test Configuration option

Successful SSO Configuration Test: The "Partial Success" message only indicates this configuration does not have a refresh token configured. It is still a valid configuration.

Logging in as a Partner with an Operator Role using your own IdP: A partner with an IdP configured can login to their Orchestrator by pulling up a browser and entering in the usual URL except they would add /operator to that URL. This pulls up the Operator login screen and includes a button SIGN IN WITH YOUR IDENTITY PROVIDER. On an Orchestrator with just one SSO IdP configured, selecting that button logs them in assuming the Operator user has the proper IdP credentials.

The Operator login screen has '/operator' in the URL and includes the 'Sign In With Your Identity Provider' button. Select this button to move on to the SSO screen.

On an Orchestrator with multiple IdPs configured, selecting that button takes you to a new screen for SSO sign-in. This is where the Partner Operator would enter in the Domain Name configured for the IdP. Once entered, select Sign In and you will be logged into the Orchestrator.

Where there are multiple IdPs configured, all users including the Partner are moved to this screen. The URL includes the text string domainFinder, but where it reads Organization Domain, you actually enter your 'Domain Name' for the IdP as configured earlier.

Note: An easier method for a Partner using their own IdP is to bookmark the following their Orchestrator URL with this format: https://orchestrator hostname or IP address/ui/operator/login?domain=IdP Domain Name. This will automatically take you to the login screen and prepopulate the IdP Domain Name. For example for an Orchestrator with hostname vco11-usor1.velocloud.net where the IdP Domain Name is Acme, the Partner Operator could bookmark: https://vco11-usor1.velocloud.net/ui/operator/login?domain=Acme and when they selected that bookmark, the browser would still go to the Operator login screen. The difference is that now when they select SIGN IN WITH YOUR IDENTITY PROVIDER, the user is immediately logged in the Orchestrator with no extra step, as the domain is already provided in the URL.

For all configurations of an IdP, select Update to save the entered values. The SSO authentication setup is complete in the SD-WAN Orchestrator.

RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a client-server protocol that enables remote access servers to communicate with a central server. RADIUS authentication provides a centralized management for users. You can configure the Orchestrator Authentication in RADIUS mode, so that the Operator and Enterprise Customers log into the portals using the RADIUS servers. Enter appropriate details in the following fields:

Figure 23. Radius Authentication Mode
- You can edit the Protocol value only in the System Properties. Navigate to Orchestrator > System Properties , and edit the protocol in the Value field of the system property vco.operator.authentication.radius.
- Operator Domain field is available only for Operators.
- In the Operator Role Map / Enterprise Role Map section, map the RADIUS server attributes to each of the Operator or Enterprise user roles. This role mapping is used to determine the role the users would be assigned when they login to the Orchestrator using the RADIUS server for the first time.
- Select Update to save the entered values.

SSH Keys

You can create only one SSH Key per user. Select the User Information icon located at the top right of the screen, and then select My Account > SSH Keys to create an SSH Key.

As an Operator, you can also revoke an SSH Key.

Select the Refresh option to refresh the section to display the most current data.

For additional information, see Configure User Account Details.

Session Limits

Note: To view this section, an Operator user must navigate to Orchestrator > System Properties , and set the value of the system property session.options.enableSessionTracking to True.

The following are the options available in this section:

Table 19. Session Limits Option Descriptions
Option	Description
Concurrent logins	Allows you to set a limit on concurrent logins per user. By default, Unlimited is selected, indicating that unlimited concurrent logins are allowed for the user.
Session limits for each role	Allows you to set a limit on the number of concurrent sessions based on user role. By default, Unlimited is selected, indicating that unlimited sessions are allowed for the role. Note: The roles that are already created by the Operator in the Roles tab, are displayed in this section.

Select Update to save the selected values.

Configure Azure Active Directory for Single Sign On

Ensure you have an Azure AD account to sign in.

To set up an OpenID Connect (OIDC)-based application in Microsoft Azure Active Directory (Azure AD) for Single Sign On (SSO), perform the following steps.

Log in to your Microsoft Azure account as an Admin user. The Microsoft Azure home screen appears.
To create a new application, search and select the Azure Active Directory service.

Figure 24. Microsoft Azure
Go to App registration > New registration . The Register an application screen appears.

Figure 25. Register an Application
In the Name field, enter the name for your Orchestrator application.
In the Redirect URL field, enter the redirect URL that your Orchestrator application uses as the callback endpoint.

In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the Orchestrator redirect URL has this format: https://<Orchestrator URL>/login/ssologin/openidCallback.
Select Register.Your Orchestrator application registers and displays in the All applications and Owned applications tabs. Make sure to note down the Client ID/Application ID to be used during the SSO configuration in Orchestrator.
Select Endpoints and copy the well-known OIDC configuration URL to be used during the SSO configuration in Orchestrator.
To create a client secret for your Orchestrator application, on the Owned applications tab, select on your Orchestrator application.
Go to Certificates & secrets > New client secret . The Add a client secret screen appears.

Figure 26. Adding a Client Secret
Provide details such as description and expiry value for the secret and select Add. The client secret is created for the application. Note down the new client secret value to be used during the SSO configuration in Orchestrator.
To configure permissions for your Orchestrator application, select on your Orchestrator application and go to API permissions > Add a permission . The Request API permissions screen appears.

Figure 27. Adding API Permissions
Select Microsoft Graph and select Application permissions as the type of permission for your application
Under Select permissions, from the Directory drop-down menu, select Directory.Read.All and from the User drop-down menu, select User.Read.All.
Select Add permissions.
To add and save roles in the manifest, select on your Orchestrator application and from the application Overview screen, select Manifest. A web-based manifest editor opens, allowing you to edit the manifest within the portal. Optionally, you can select Download to edit the manifest locally, and then use Upload to reapply it to your application.

Figure 28. Viewing the Manifest

In the manifest, search for the appRoles array and add one or more role objects and select Save.

Note: The value property from appRoles must be added to the Identity Provider Role Name column of the Role Map table, located in the Authentication tab, in order to map the roles correctly.

Sample role objects

{
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Standard Administrator who will have sufficient privilege to manage resource",
            "displayName": "Standard Admin",
            "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "standard"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Super Admin who will have the full privilege on Orchestrator",
            "displayName": "Super Admin",
            "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "superuser"
        }

Note: Make sure to set id to a newly generated Global Unique Identifier (GUID) value. You can generate GUIDs online using web-based tools (for example, https://www.guidgen.com/), or by running the following commands:

Linux/OSX- uuidgen
Windows- powershell [guid]::NewGuid()

Roles are manually set up in the Orchestrator, and must match the ones configured in the Microsoft Azure portal.

Use the following steps to assign groups and users to your Orchestrator application:
1. Go to Azure Active Directory > Enterprise applications .
2. Search and select your Orchestrator application.
3. Select Users and groups and assign users and groups to the application.
4. Select Submit.
You have completed setting up an OIDC-based application in Azure AD for SSO.

Configure Okta for Single Sign On

To support OpenID Connect (OIDC)-based Single Sign On (SSO) from Okta, you must first set up an application in Okta. To set up an OIDC-based application in Okta for SSO, perform the steps on this procedure.

Ensure you have an Okta account to sign in.

Log in to your Okta account as an Admin user. The Okta home screen appears.

Note: If you are in the Developer Console view, then you must switch to the Classic UI view by selecting Classic UI from the Developer Console list.
To create a new application, select Applications > Add Application . The Add Application screen displays.

Figure 31. Adding an Application to Okta
Select Create New App. The Create a New Application Integration dialog box appears.
From the Platform menu, select Web.
Select OpenID Connect as the Sign on method and select Create. The Create OpenID Connect Integration screen appears.

Figure 32. Creating an OpenID Connect Integration
Under the General Settings area, in the Application name text box, enter the name for your application.
Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box, enter the redirect URL that your Orchestrator application uses as the callback endpoint. In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the Orchestrator redirect URL has this format: https://<Orchestrator URL>/login/ssologin/openidCallback.
Select Save. The newly created application page appears.
On the General tab, select Edit and select Refresh Token for Allowed grant types, and select Save. Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in Orchestrator.

Figure 33. Configuring General Settings
Select the Sign On tab and under the OpenID Connect ID Token area, select Edit
From the Groups claim type drop-down menu, select Expression. By default, Groups claim type is set to Filter.
In the Groups claim expression field, enter the claim name to use in the token, and an Okta input expression statement that evaluates the token.
Select Save. The application is setup in IDP. You can assign user groups and users to your Orchestrator application.

Figure 34. Configuring Settings
To assign groups and users to your Orchestrator application, go to Application > Applications and select on your Orchestrator application link.
On the Assignments tab, from the Assign menu, select Assign to Groups or Assign to People. The Assign <Application Name> to Groups or Assign <Application Name> to People dialog box appears.
Select Assign next to available user groups or users you want to assign the Orchestrator application and select Done. The users or user groups assigned to the Orchestrator application displays.

Figure 35. Assigning the Configuration

You have completed setting up an OIDC-based application in Okta for SSO.

Configuring OneLogin for Single Sign On

To set up an OpenID Connect (OIDC)-based application in OneLogin for Single Sign On (SSO), perform the steps below:

Ensure you have an OneLogin account to sign in.

Log in to your OneLogin account as an Admin user. The OneLogin home screen appears.
In the upper navigation bar, select Apps > Add Apps .
In the Find Applications text box, search for “OpenId Connect” or “oidc” and then select the OpenId Connect (OIDC) app. The Add OpenId Connect (OIDC) screen appears.

Figure 36. Add OpenID Connect
In the Display Name text box, enter the name for your application and select Save.
On the Configuration tab, enter the Login URL (auto-login URL for SSO) and the Redirect URI that Orchestrator uses as the callback endpoint, and select Save.
- Login URL- The login URL will be in this format: https://<Orchestrator URL>/<Domain>/ login/doEnterpriseSsoLogin. Where, Domain is the domain name of your Enterprise that you must have already set up to enable SSO authentication for the Orchestrator. You can get the Domain name from the Enterprise > Administration > System Settings page.
- Redirect URI's- The Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. In the Orchestrator application, at the bottom of the Authentication screen, you can find the redirect URL link.
Figure 37. Configuring OpenID Connect
On the Parameters tab, under OpenId Connect (OIDC), double select Groups. The Edit Field Groups pop-up appears.

Figure 38. Editing Field Groups
Configure User Roles with value “-No transform-(Single value output)” to be sent in groups attribute and select Save.
On the SSO tab, from the Application Type drop-down menu, select Web.
From the Authentication Method menu, select POST as the Token Endpoint and select Save.

Also, note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in Orchestrator.

Figure 39. Configuring the Authentication Method
On the Access tab, choose the roles allowed to login and select Save.

Figure 40. Access
To add roles and users to your Orchestrator application, select Users > Users and select a user.
On the Application tab, from the Roles drop-down menu, on the left, select a role to be mapped to the user
Select Save Users.

You have completed setting up an OIDC-based application in OneLogin for SSO.

Configure Single Sign On in Orchestrator.

Configuring PingIdentity for Single Sign On

To set up an OpenID Connect (OIDC)-based application in PingIdentity for Single Sign On (SSO), perform the steps on this procedure.

Ensure you have a PingOne account to sign in.

Note: Currently, Orchestrator supports PingOne as the Identity Partner (IDP). However, any PingIdentity product supporting OIDC can be configured.

Log in to your PingOne account as an Admin user. The PingOne home screen appears.
In the upper navigation bar, select Applications.

Figure 41. My Applications
On the My Applications tab, select OIDC and then select Add Application. The Add OIDC Application window appears.

Figure 42. Adding an OIDC Application
Provide basic details such as name, short description, and category for the application and select Next.
Under AUTHORIZATION SETTINGS, select Authorization Code as the allowed grant types and select Next.
Also, note down the Discovery URL and Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in Orchestrator.
Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO URL and Redirect URL and select Next.
In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the Orchestrator redirect URL has this format: https://<Orchestrator URL>/login/ssologin/openidCallback. The Start SSO URL has this format: https://<Orchestrator URL>/<domain name>/login/doEnterpriseSsoLogin.
Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, select Add Attribute to add additional user profile attributes.
In the Attribute Name text box, enter group_membership and then select the Required checkbox, and select Next.

Note: The group_membership attribute is required to retrieve roles from PingOne.
Under CONNECT SCOPES, select the scopes that can be requested for your Orchestrator application during authentication and select Next.
Under Attribute Mapping, map your identity repository attributes to the claims available to your Orchestrator application.

Note: The minimum required mappings for the integration to work are email, given_name, family_name, phone_number, sub, and group_membership (mapped to memberOf).
Under Group Access, select all user groups that should have access to your Orchestrator application and select Done. The application will be added to your account and will be available in the My Application screen.
You have completed setting up an OIDC-based application in PingOne for SSO.

VeloCloud SD-WAN 6.4 - Operator Guide

User Management-Operator

Users

Add New User

API Tokens

Roles

Add Role

Enterprise Security Admin Role

Service Permissions

New Permission

List of User Privileges

Authentication

API Tokens

Operator Authentication / Enterprise Authentication

SSH Keys

Session Limits

Configure Azure Active Directory for Single Sign On

Configure Okta for Single Sign On

Configuring OneLogin for Single Sign On

Configuring PingIdentity for Single Sign On