User Management - Partner

The User Management feature allows you to manage users, their roles, service permissions (formerly known as Role Customization), and authentication.

As a Partner, you can access this feature from the Partner portal by navigating to Administration > User Management. The following screen is displayed:
Figure 1. User Management- Partner
The User Management window displays four tabs: Users, Roles, Service Permissions, and Authentication. Each tab is described in the sections that follow.

Users

As a Partner, you can view the list of existing users and their corresponding details. You can add, modify, or delete a user. However, you cannot delete a default user.

To access the Users tab:

  1. Log in to the Orchestrator as a Partner.
  2. In the Partner portal, select Administration from the top menu.
  3. From the left menu, select User Management. The Users tab is displayed by default.
    Figure 2. Users- Partner
  4. On the Users screen, you can configure the following options:
    Table 1. User Option Descriptions
    Option Description
    New User Creates a new user. For more information, see Add New User.
    Modify Allows you to modify the properties of the selected Partner user. You can change the Activation State of the selected Partner user. You can also modify the user details by selecting the username link.
    Delete Deletes the selected user. You cannot delete the default users.
    Download Select this option to download the details of all the users into a file in CSV format.
    Password Select this option and choose to either enforce the new password policy or reset the already enforced policy, for the selected user. You can modify the password policies by navigating to the Authentication tab.
    Note: Current user sessions are not terminated.
  5. The following additional options are available in the Users tab:
    Table 2. User Additional Option Descriptions
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    Show or Hide Columns Select the columns to be displayed or hidden on the page.
    Refresh Select to refresh the page to display the most current data.

Add New User

In the Partner portal of the Orchestrator, you can add new users and configure the user settings. To add a new user, perform the following steps:

  1. Log in to the Orchestrator as a Partner.
  2. In the Partner portal, select Administration from the top menu.
  3. From the left menu, select User Management. The Users tab is displayed by default.
  4. Select New User.
    Figure 3. Add New User
  5. Enter the following details for the new user:
    Note: The Next button is activated only when you enter all the mandatory details in each section.
    Table 3. New User Option Descriptions
    Option Description
    General information Enter the required personal details of the user.
    Role Select a role that you want to assign to the user. For information on roles, see Roles.
    Edge Access Choose one of the following options:
    • Basic: Allows you to perform certain basic debug operations such as ping, tcpdump, PCAP, remote diagnostics, and so on.
    • Privileged: Grants root-level access: all the basic debug operations plus Edge actions such as restart, deactivate, reboot, hard reset, and shutdown, and access to the Linux shell. Because this is shell access on the Edge, assign Privileged only to users who need it.
    The default value is Basic.
  6. Select the Add another user check box if you wish to create another user, and then select Add User. The new user appears on the User Management > Users page.
  7. Select the link to the user to view or modify the details. As a Partner Administrator, you can manage the Roles, Service Permissions, and API Tokens for the Partner users. For more information on API Tokens, see API Tokens.
    Note: Partner Administrator should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.

API Tokens

Users can access the Orchestrator APIs using tokens instead of session-based authentication. As a Partner Superuser, you can manage the API tokens of your enterprise users, and you can create multiple API tokens for a user.

Any user except a Business Specialist can create tokens. A token carries the privileges of the role assigned to the user, so it is as sensitive as that user's login credentials.

Users can perform the following actions, based on their roles:
  • Enterprise users can create, download, and revoke their own tokens.
  • Partner Superusers can manage the tokens of Enterprise users if the Enterprise user has delegated user permissions to the Partner.
  • For other users, a Partner Superuser can only create and revoke tokens.
  • Users can download only their own tokens, never another user's.

To manage the API tokens:

  1. Log in to the Orchestrator as a Partner and navigate to Administration > User Management > Users.
  2. Select a user and select Modify or select the link to the username. Go to the API Tokens section.
    Figure 4. API Tokens
  3. Select New API Token.
    Figure 5. New Token
  4. In the New Token window, enter a Name and Description for the token, and then choose the Lifetime from the drop-down menu.
  5. Select Save. The new token is displayed in the API Tokens table. Initially, the status of the token is displayed as Pending. Once you download it, the status changes to Enabled.
  6. To deactivate a token, select the token, and then select Revoke API Token. The status of the token is displayed as Revoked.
  7. Select CSV to download the complete list of API tokens in a .csv file format.
    Note: Only the user associated with a token can download it, and a token can be downloaded only once; after the download, only the ID of the token is displayed. Store the token securely when you retrieve it, since it cannot be recovered from the Orchestrator afterwards. The user then sends the token in the Authorization header of each request to the Orchestrator API.
  8. When the Lifetime of the token is over, the status changes to Expired.
  9. You can configure the following additional options available in the API Tokens section:
    Table 4. API Tokens Option Descriptions
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    Columns Select the columns to be displayed or hidden on the page.
    Refresh Select to refresh the page to display the most current data.
The following example shows a sample request that uses the token to call the Orchestrator API. The -k flag disables TLS certificate verification; use it only against a lab Orchestrator with a self-signed certificate, never in production, because a spoofed endpoint could capture the token.
curl -k -H "Authorization: Token <Token>" \
 -H "Content-Type: application/json" \
 -X POST https://vco/portal/ \
 -d '{ "id": 1, "jsonrpc": "2.0", "method": "enterprise/getEnterpriseUsers", "params": { "enterpriseId": 1 }}'
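As an added example (not code from the Orchestrator documentation), the following Python script performs the same call with the token read from an environment variable and TLS verification left on. The hostname vco.example.com, the VCO_TOKEN variable name and the OrchestratorError class are assumptions; the JSON-RPC envelope and the Token authorization scheme are those of the curl snippet above.

```python
"""Call the Orchestrator JSON-RPC portal API with an API token.

Added example; not code from the Orchestrator documentation. The hostname
vco.example.com, the VCO_TOKEN environment variable and the
OrchestratorError class are assumptions made for illustration.
"""
import json
import os
import ssl
import urllib.request

ORCHESTRATOR_URL = "https://vco.example.com"  # assumed hostname


class OrchestratorError(Exception):
    """Raised when the portal returns a JSON-RPC error or a malformed reply."""


def build_request(method, params, token, request_id=1):
    """Return (url, headers, body) for one JSON-RPC 2.0 call.

    The token travels in the Authorization header in the same form as the
    curl snippet ("Token <value>"); the body is the JSON-RPC envelope.
    """
    body = json.dumps(
        {"id": request_id, "jsonrpc": "2.0", "method": method, "params": params}
    ).encode("utf-8")
    headers = {
        "Authorization": f"Token {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return ORCHESTRATOR_URL + "/portal/", headers, body


def parse_response(raw, expected_id=1):
    """Unpack a JSON-RPC reply, failing closed on errors or an id mismatch."""
    doc = json.loads(raw)
    if doc.get("id") != expected_id:
        raise OrchestratorError(f"unexpected response id {doc.get('id')!r}")
    if "error" in doc:
        err = doc["error"]
        raise OrchestratorError(f"{err.get('code')}: {err.get('message')}")
    if "result" not in doc:
        raise OrchestratorError("reply carries neither result nor error")
    return doc["result"]


def call(method, params, token, request_id=1):
    """Send the call over HTTPS with certificate verification enabled.

    Unlike the curl example's -k flag, nothing is skipped here: a spoofed
    endpoint would otherwise receive the token, which is as good as a login.
    """
    url, headers, body = build_request(method, params, token, request_id)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_response(resp.read(), expected_id=request_id)


if __name__ == "__main__":
    # Read the token from the environment so it is kept out of shell history
    # and process listings; the variable name is an assumption.
    api_token = os.environ["VCO_TOKEN"]
    users = call("enterprise/getEnterpriseUsers", {"enterpriseId": 1}, api_token)
    print(json.dumps(users, indent=2))
```

Run it as `VCO_TOKEN=... python3 vco_call.py`. The response id check matters when several requests are in flight over one client: a reply with the wrong id is discarded rather than trusted.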

Roles

Starting from the 5.1.0 release, Functional Roles are renamed as Privileges, and Composite Roles are renamed as Roles.

The Orchestrator uses two kinds of role objects, categorized as follows:
  • Privileges – A privilege is a set of permissions relevant to a service, and can be tagged to one or more services. Users need privileges to carry out business processes; for example, the Customer Support privilege in SD-WAN is what an SD-WAN user needs to perform support activities. Every service defines its privileges based on the business functionality it supports.
  • Roles – Privileges from the various services are grouped to form a role. By default, the following roles are available to a Partner administrator:
    Table 5. Roles
    Role | SD-WAN Service | Global Settings Service
    Partner Standard Admin | SD-WAN Partner Admin | Global Settings Partner Admin
    Partner Security Admin | SD-WAN Security Partner Admin | Global Settings Partner Admin
    Partner Network Admin | SD-WAN Partner Admin | Global Settings Partner Admin
    Partner Superuser | Full Access | Full Access
    Partner Business Specialist | SD-WAN Partner Business | Global Settings Partner Business
    Partner Customer Support | SD-WAN Partner Support | Global Settings Partner Support

    If required, you can customize the privileges of these roles. For additional information, see Service Permissions.

As a Partner, you can view the list of existing roles and their corresponding descriptions. You can add a new role, clone an existing role, edit or delete a custom role. You cannot edit or delete a default role.

To access the Roles tab:

  1. Log in to the Orchestrator as a Partner.
  2. Select Administration from the top menu.
  3. From the left menu, select User Management, and then select the Roles tab. The following screen appears:
    Figure 6. Roles- Partner
  4. On the Roles screen, you can configure the following options:
    Table 6. Roles Option Descriptions
    Option Description
    Add Role Creates a new custom role. For additional information, see Add Role.
    Edit Allows you to edit only the custom roles. You cannot edit the default roles, and you cannot edit or view the settings of the Superuser role.
    Clone Role Creates a new custom role by cloning the settings of the selected role. You cannot clone the settings of the Superuser role.
    Delete Role Deletes the selected role. You cannot delete the default roles; only custom roles can be deleted. Remove all users associated with the selected role before deleting it.
    Download CSV Downloads the details of the user roles into a file in CSV format.
    Note: You can also access the Edit, Clone Role, and Delete Role options from the vertical ellipsis of the selected Role.
  5. Select the >> displayed before the Role link, to view more details about the selected Role, as shown below:
    Figure 7. Role Details
  6. Select the View Role link to view the privileges associated to the selected role for the following services:
    • Global Settings & Administration
    • SD-WAN
  7. You can configure the following additional options available in the Roles tab:
    Table 7. Additional Roles Option Descriptions
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    Columns Select the columns to be displayed or hidden on the page.
    Refresh Select to refresh the page to display the most current data.

Add Role

To add a new role for a Partner, perform the following steps:

  1. Log in to the Orchestrator as a Partner.
  2. Select Administration from the top menu.
  3. From the left menu, select User Management, and then select the Roles tab.
  4. Select Add Role.
    Figure 8. Add Role
  5. Enter the following details for the new custom role:
    Table 8. New Custom Role Option Descriptions
    Option Description
    Role Details
    Role Name Enter a name for the new role.
    Role Description Enter a description for the role.
    Template Optionally, select an existing role as template from the drop-down list. The privileges of the selected template are assigned to the new role.
    Scope Select either Partner or Enterprise as the scope for the new role. A role with the Partner scope can be applied to Partner level Administrators for the current Partner. A role with the Enterprise scope appears in the role list for all of the Partner's Customers.
    Role Creation: The options in this section vary depending on the selected Scope.
    Global Settings & Administration These privileges provide access to user management and global settings that are shared across all services. Choosing one of the privileges is mandatory. By default, Global Settings MSP Support is selected for the Partner scope. For the Enterprise scope, Global Settings Enterprise Read Only is selected by default.
    SD-WAN These privileges provide the Partner or Enterprise Administrator with different levels of read and/or write access around SD-WAN configuration, monitoring, and diagnostics. You can optionally choose an SD-WAN privilege. The default value is No Privileges.

     

  6. Select Save Changes.
    The new custom role appears on the User Management > Roles page of the user, depending on the selected Scope.
  7. Select the link to the custom role to view the settings.

Service Permissions

Service Permissions allow you to granularly define actions (Read, Create, Update, and Delete) assigned to each Privilege (such as Cloud Security Service and Customer Segment configuration) within a Privilege Bundle.

Note:
  • Starting from the 5.1.0 release, Role Customization is renamed as Service Permissions.
  • Only an Operator Superuser can activate Role Customization for a Partner Superuser. If the Role Customization option is not available for you, contact your Operator.

Roles can be customized by changing the service permissions held by each role. You can customize both default roles and new roles; a new role is created from the selected default role. Operator, Partner, and Enterprise roles are defined separately, so there are default roles at each level, such as Operator Superuser, Partner Standard Admin, and Enterprise Support.

When customizing a role, you must select both the user level and the role. Typically, Operator roles have more privileges by default than Partner or Enterprise Customer roles. When creating a user, you must assign a role to the user. Any change to that role's privileges is applied immediately to all users assigned to the role, so review a customization before publishing it. Role customizations apply to one role at a time; for example, changes to the Operator Standard Admin role do not apply to the Enterprise Standard Admin role.

For additional information, see the topic Roles.

The Service Permissions are applied to the privileges as follows:
  • The customizations done at the Enterprise level override the Partner or Operator level customizations.
  • The customizations done at the Partner level override the Operator level customizations.
  • Only when there are no customizations done at the Partner level or Enterprise level, the customizations made by the Operator are applied globally across all users in the Orchestrator.
Note: For information on user privileges, see the topic List of User Privileges.
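To make the precedence concrete, here is an added Python example (not Orchestrator code) that resolves the effective Read/Create/Update/Delete actions of a privilege from a default bundle plus Operator, Partner and Enterprise customizations, applying the three rules above, and reports where a lower level re-grants an action a higher level had removed. That last report is a direct consequence of the rules: an Operator-imposed restriction is not final once a Partner or Enterprise customization exists for the same privilege, which is what an auditor of such restrictions wants to see. The privilege names, the per-privilege granularity of overrides and the sample customizations are constructed for illustration.

```python
"""Resolve effective privilege actions across customization levels.

Added example illustrating the precedence rules above; not Orchestrator
code. The privilege names, the per-privilege granularity of overrides and
the sample customizations are constructed for illustration.
"""
ACTIONS = ("Read", "Create", "Update", "Delete")
# Lowest precedence first: Enterprise overrides Partner, which overrides Operator.
LEVELS = ("operator", "partner", "enterprise")


def effective_actions(privilege, default, customizations):
    """Return (winning_level, actions) for one privilege.

    `default` maps privilege -> set of actions in the system default bundle.
    `customizations` maps level -> {privilege: set of actions}; a privilege
    missing at a level means that level did not customize it, so the next
    higher level (or the default) applies.
    """
    winner, actions = "default", set(default.get(privilege, ()))
    for level in LEVELS:  # later levels override earlier ones
        custom = customizations.get(level, {})
        if privilege in custom:
            winner, actions = level, set(custom[privilege])
    return winner, actions


def review_role(default, customizations):
    """List every privilege whose effective actions differ from the default.

    Each finding also names the higher levels whose restriction the winning
    level widened, i.e. where a lower level granted back an action that a
    higher level had removed.
    """
    findings = []
    for privilege in sorted(default):
        winner, actions = effective_actions(privilege, default, customizations)
        if actions == default[privilege]:
            continue
        widened_over = []
        for level in LEVELS:
            if level == winner:
                break
            restricted = customizations.get(level, {}).get(privilege)
            if restricted is not None and actions - set(restricted):
                widened_over.append(level)
        findings.append({
            "privilege": privilege,
            "decided_by": winner,
            "granted": sorted(actions, key=ACTIONS.index),
            "removed_vs_default": sorted(default[privilege] - actions, key=ACTIONS.index),
            "added_vs_default": sorted(actions - default[privilege], key=ACTIONS.index),
            "widens_restriction_set_by": widened_over,
        })
    return findings


# Constructed sample: a default bundle and customizations at all three levels.
SAMPLE_DEFAULT = {
    "Cloud Security Service": {"Read", "Create", "Update", "Delete"},
    "Customer Segment": {"Read", "Create", "Update", "Delete"},
    "Edge Diagnostics": {"Read"},
}
SAMPLE_CUSTOMIZATIONS = {
    "operator": {"Cloud Security Service": {"Read"}},          # Operator made it read-only
    "partner": {"Customer Segment": {"Read", "Update"}},       # Partner dropped Create/Delete
    "enterprise": {"Cloud Security Service": {"Read", "Update"}},  # Enterprise re-granted Update
}

if __name__ == "__main__":
    for finding in review_role(SAMPLE_DEFAULT, SAMPLE_CUSTOMIZATIONS):
        print(finding)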

To access the Service Permissions tab:

  1. Log in to the Orchestrator as a Partner.
  2. Select Administration from the top menu.
  3. From the left menu, select User Management, and then select the Service Permissions tab. The following screen appears:
    Figure 9. Service Permissions- Partner
  4. On the Service Permissions screen, you can configure the following options:
    Table 9. Service Permissions Option Descriptions
    Option Description
    Service Select the service from the drop-down menu. The available services are:
    • All
    • Global Settings
    • SD-WAN

    Each service comprises a set of related permissions grouped together. Custom service permissions, if any, associated with the selected service are displayed. By default, all of the custom service permissions are displayed.

    New Permission Allows you to create a new set of privileges. The newly created permission is displayed in the table. For additional information, see New Permission.
    Edit Allows you to edit the settings of the selected permission. You can also select the link to the Permission Name to edit the settings.
    Clone Allows you to create a copy of the selected permission.
    Publish Permission Applies the customization available in the selected package to the existing permission. This option modifies the privileges only at the current level. If there are customizations available at the Operator level or a lower level for the same role, then the lower level takes precedence. For example, customizations defined by an Enterprise Superuser take precedence over customizations defined by an Operator Superuser.
    More Allows you to select from the following additional options:
    • Delete: Deletes the selected permission. You cannot delete a permission if it is already in use.
      Note: A permission can only be deleted if it is in a draft mode. The Delete option is deactivated for a published permission. If you want to delete a published permission, you must reset the permission to system default, which changes it to draft mode and activates the Delete option for the permission.
    • Download JSON: Downloads the list of permissions into a file in JSON format.
    • Upload Permission: Allows you to upload a JSON file of a customized permission.
    • Unpublish Permissions: Allows you to unpublish the selected permission, changing it to the "Draft" state. You can modify the permission and save it again, which changes it back to the "Published" state.
  5. The table displays the following columns:
    Table 10. Service Permissions Column Option Descriptions
    Option Description
    Permission Name Displays the newly created permission.
    Service Displays the service of the new permission.
    Scope Displays the scope of the new permission.
    Role Associated Displays the associated roles using the same Privilege Bundle.
    Last Modified Displays the date and time when the permission was last modified.
    Published Displays either "Published" or "Draft" depending on the state of the permission.
  6. You can configure the following additional options available in the Service Permissions tab:
    Table 11. Service Permissions Additional Option Descriptions
    Option Description
    Columns Select the columns to be displayed or hidden on the page.
    Refresh Select to refresh the page to display the most current data.
    Note: Service Permissions are version dependent: a service permission created on an Orchestrator running an earlier software release is not compatible with an Orchestrator running a later release. For example, a service permission created on an Orchestrator running Release 3.4.x does not work properly after the Orchestrator is upgraded to a 4.x release. In such cases, review and recreate the service permission for the newer release to ensure that all roles are enforced properly.

New Permission

You can customize the privileges and apply them to the existing permission in the Orchestrator.

To add a new permission, perform the following steps:

  1. Log in to the Orchestrator as a Partner.
  2. Select Administration from the top menu.
  3. From the left menu, select User Management, and then select the Service Permissions tab.
  4. Select New Permission. The following screen appears:
    Figure 10. New Permission
  5. Enter the following details to create a new permission:
    Table 12. New Permission Option Descriptions
    Option Description
    Name Enter an appropriate name for the permission.
    Description Enter a description. This field is optional.
    Scope Select Partner or Enterprise as the scope. A Partner can customize the permissions for Partners and Customers.
    Service Select a service from the drop-down menu. The available services are:
    • Global Settings
    • SD-WAN
    Privilege Bundle Select a privilege bundle from the drop-down menu. The privileges are populated depending on the selected Service.
    Privileges Displays the list of privileges based on the selected Privilege Bundle. You can edit only those privileges that are eligible for customization.

    To activate or deactivate a specific privilege, select or deselect the corresponding check box, in the Privileges table. The available check boxes are Read, Create, Update, and Delete.

    Starting from the release 6.4.0, a green icon is displayed whenever a privilege is modified. This icon is displayed next to the modified check box and the privilege name.

    Some privileges do not support selection of an independent action. In this case, if you select any one action check box, all the other check boxes get selected too. A tool tip is provided for such privileges. Also, the Read action check box does not allow independent selection. When selected, all the other check boxes for that particular privilege also get automatically selected.

    Note: You can edit only those privileges that are eligible for customization.
  6. Slide the Show Only Modified toggle button, located at the top right of the privileges table, to view only the modified privileges.
  7. Select Reset Privileges to reset all the changes.
  8. Select Download CSV to download the list of all privileges, their description, and associated actions, into a file in a CSV format. You can choose from the below options:
    Table 13. CSV Option Descriptions
    Default Privileges Downloads the original privileges ignoring all the current modifications.
    Modified Privileges Downloads only the privileges that were modified.
    Current Privileges Downloads all the current privileges.
    Note: If you select Reset Privileges, and then select Download CSV, the Default Privileges and Current Privileges options, both display the same list.
  9. Select Save to save the new permission. Select Save and Apply to save and publish the permission.
    Note: The Save and Save and Apply buttons are activated only after you modify the permissions.
    The new permission is displayed on the Service Permissions page. If you create another permission using the same scope and service, the privilege displays the last modified settings by default.

Authentication

The Authentication feature allows you to set the authentication mode for a Partner and an Enterprise user.

To set the authentication mode:

  1. Log in to the Orchestrator as a Partner and select Administration from the top menu.
  2. From the left menu, select User Management, and then select the Authentication tab.
    The following screen appears:
    Figure 11. User Management Screen
  3. Choose the authentication mode:
    • Local: This is the default option and does not require any additional configuration.
    • Single Sign-On: Single Sign-On (SSO) is a session- and user-authentication service that allows users to log in to multiple applications and websites with one set of credentials. Integrating an SSO service with Orchestrator enables Orchestrator to authenticate users from OpenID Connect (OIDC)-based Identity Providers (IdPs).
    1. To enable Single Sign On (SSO) for Orchestrator, you must enter the Orchestrator application details into the Identity Provider (IdP). See the following topics in the Arista VeloCloud SASE Global Settings Guide for step-by-step instructions to configure the following supported IdPs:
      • Azure AD
      • Okta
      • OneLogin
      • PingIdentity
    2. You can configure the following options when you select the Authentication Mode as Single Sign-on:
      Figure 12. Single Sign-on Authentication Options
      Table 14. Single Sign-on Authentication Option Descriptions
      Option Description
      Identity Provider Template From the drop-down menu, select your preferred Identity Provider (IdP) that you have configured for Single Sign On. This pre-populates fields specific to your IdP.
      Note: You can also manually configure your own IdPs by selecting Others from the drop-down menu.
      OIDC well-known config URL Enter the OpenID Connect (OIDC) configuration URL for your IdP. For example, the URL format for Okta will be: https://{oauth-provider-url}/.well-known/openid-configuration.
      Issuer This field is auto-populated based on your selected IdP.
      Authorization Endpoint This field is auto-populated based on your selected IdP.
      Token Endpoint This field is auto-populated based on your selected IdP.
      JSON Web KeySet URI This field is auto-populated based on your selected IdP.
      User Information Endpoint This field is auto-populated based on your selected IdP.
      Client ID Enter the client identifier provided by your IdP.
      Client Secret Enter the client secret issued by your IdP; the Orchestrator uses it when exchanging an authorization code for a token. Treat it as a credential: it is set with an expiry at the IdP and must be replaced here when it is rotated there.
      Scopes This field is auto-populated based on your selected IdP.
      Role Type Choose one of the following two options:
      • Use default role
      • Use identity provider roles
      Role Attribute Enter the name of the attribute set in the IdP to return roles.
      Partner Role Map Map the IdP-provided roles to each of the Partner user roles.
    3. Select Update to save the entered values. The SSO authentication setup is complete in the Orchestrator.
  4. To create an SSH key, select the User Information icon located at the top right of the screen, and then select My Account > SSH Keys.
    Note: You can create only one SSH Key per user.

    As a Partner, you can also revoke an SSH Key.

    Select the Refresh option to refresh the section to display the most current data.

    For additional information, see Configure User Account Details.

  5. Configure two-factor authentication and self-service password reset in the User Authentication section.
    Figure 13. User Authentication Options
    Table 15. User Authentication Option Descriptions
    Option Description
    Two factor authentication Slide the toggle button to activate this feature for all users. Select the Make Required check box to make this authentication mandatory for all users.
    Self service password reset Slide the toggle button to allow users to change their passwords using the link on the Login screen. Select the Require two factor authentication for password reset check box to make this authentication mandatory for all users. This makes the two factor authentication a required step before a user resets their password.
    Note: This feature can be activated only for those users whose mobile phone numbers are associated with their user accounts.
  6. Configure password policy for local users.
    Starting from the release 6.4.0, Partner Superusers can set their own password policies directly from the Authentication screen. The Local User Password Policy section appears when the Authentication Mode is set to Local.
    Figure 14. Password Policy Options
    Table 16. Password Policy Option Descriptions
    Option Description
    Password Strength
    Password length Specify the minimum and maximum length of the password. The minimum length value must be in the range from 1 to 8, whereas the maximum length value must be in the range from 16 to 32. The default values are 8 and 32 respectively.
    Require uppercase Slide the toggle button to activate this parameter. If activated, the password must contain at least one uppercase letter.
    Require lowercase Slide the toggle button to activate this parameter. If activated, the password must contain at least one lowercase letter.
    Require numbers Slide the toggle button to activate this parameter. If activated, the password must contain at least one number.
    Require special characters Slide the toggle button to activate this parameter. If activated, the password must contain at least one special character. Hover the mouse on the information icon to view the valid special characters.
    Exclude common passwords Slide the toggle button to activate this parameter. If activated, users are not allowed to use the most commonly used passwords.
    Disallow username in password Slide the toggle button to activate this parameter. If activated, username cannot be set as the password.
    Enforce character validation Select this check box to ensure that the password meets the following criteria for strength and security:
    • Max repeat characters: Enter the maximum number of characters that can be repeated in the password. The accepted range is from 1 to 8. The default value is 1.
    • Max sequences: Enter the maximum number of consecutive characters or sequences that can be allowed in the password. The accepted range is from 0 to 10. The default value is 1.
    Password Expiration Select the Force Password Expiration checkbox and set the duration after which users must change their passwords. The accepted range is from 1 to 365. The default value is 30.
    Password History Select the Enforce Password History checkbox and enter a value that specifies the number of previously created passwords that cannot be reused as the new password. This enhances the overall security. The accepted range is from 1 to 100. The default value is 5.

    After making changes to policy settings, select Update to save updated policy settings or select Discard to leave the settings unchanged. Users who are already logged in are not affected by this update.

    To enforce the new password policy, an Enterprise Superuser must perform the following steps:

    1. Navigate to User Management > Users, and select a user.
    2. Select Password > Enforce Policy, and then select Yes, Enforce.

      This forces the selected user to change their password as per the new password policy. Current user sessions are not terminated.

      The Password Modified column on the Users screen, displays the date and time when the user has modified the password.

  7. Configure session limits. To view the Session Limits section, an Operator user must navigate to Orchestrator > System Properties and set the value of the system property session.options.enableSessionTracking to True.
    The following are the options available:
    Table 17. Session Limits Option Descriptions
    Option Description
    Concurrent logins Allows you to set a limit on concurrent logins per user. By default, Unlimited is selected, indicating that unlimited concurrent logins are allowed for the user.
    Session limits for each role Allows you to set a limit on the number of concurrent sessions based on user role. By default, Unlimited is selected, indicating that unlimited sessions are allowed for the role.
    Note: The roles that are already created by the Partner in the Roles tab, are displayed in this section.

    Select Update to save the selected values.
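Before pasting an IdP's well-known configuration URL into the Authentication tab, it is worth checking the discovery document it serves, since the Orchestrator auto-populates the issuer, endpoints and JWKS URI from that document. The following Python script, added here and not part of the Orchestrator or IdP documentation, performs the checks a reviewer would expect: the issuer matches the URL the document was fetched from (the OIDC Discovery rule), every endpoint is HTTPS, the authorization code flow and the openid scope are advertised, and an asymmetric ID-token signing algorithm is on offer. The sample document and the host login.example.com are constructed.

```python
"""Check an OpenID Connect discovery document before using it for Orchestrator SSO.

Added example, not Orchestrator or IdP code. The sample document and the
host login.example.com are constructed for illustration.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
# The endpoints the Authentication tab auto-populates from the document.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def fetch_discovery(config_url):
    """Fetch the document over verified TLS (network; not used by the sample run)."""
    with urllib.request.urlopen(config_url, context=ssl.create_default_context(), timeout=15) as resp:
        return json.load(resp)


def check_discovery(config_url, document):
    """Return a list of (severity, message); an empty list means no findings."""
    problems = []
    expected_issuer = None
    if config_url.endswith(WELL_KNOWN_SUFFIX):
        expected_issuer = config_url[: -len(WELL_KNOWN_SUFFIX)]
    else:
        problems.append(("error", "config URL does not end with " + WELL_KNOWN_SUFFIX))

    # OIDC Discovery: the issuer value must equal the URL the document was
    # fetched from, minus the well-known suffix. A mismatch means the document
    # describes some other issuer, and ID tokens would be validated against it.
    issuer = document.get("issuer")
    if not issuer:
        problems.append(("error", "issuer missing"))
    else:
        if urlparse(issuer).scheme != "https":
            problems.append(("error", f"issuer is not HTTPS: {issuer}"))
        if expected_issuer and issuer != expected_issuer:
            problems.append(("error", f"issuer {issuer!r} does not match config URL ({expected_issuer!r})"))
    issuer_host = urlparse(issuer).hostname if issuer else None

    # Every endpoint the Orchestrator will talk to must be HTTPS; a host that
    # differs from the issuer is legal but deserves a second look.
    for key in REQUIRED_ENDPOINTS:
        value = document.get(key)
        if not value:
            problems.append(("error", f"{key} missing"))
            continue
        parts = urlparse(value)
        if parts.scheme != "https":
            problems.append(("error", f"{key} is not HTTPS: {value}"))
        elif issuer_host and parts.hostname != issuer_host:
            problems.append(("warning", f"{key} host {parts.hostname} differs from issuer host {issuer_host}"))

    # The Orchestrator exchanges an authorization code for tokens, so the
    # code response type and the openid scope must be on offer.
    if "code" not in document.get("response_types_supported", []):
        problems.append(("error", "authorization code flow not advertised"))
    if "openid" not in document.get("scopes_supported", ["openid"]):
        problems.append(("error", "openid scope not advertised"))
    algs = document.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        problems.append(("warning", "IdP advertises unsigned (alg=none) ID tokens"))
    if not any(alg.startswith(("RS", "ES", "PS")) for alg in algs):
        problems.append(("error", "no asymmetric ID token signing algorithm advertised"))
    return problems


# Constructed sample, shaped like a typical IdP's discovery document.
SAMPLE_CONFIG_URL = "https://login.example.com/.well-known/openid-configuration"
SAMPLE_DOCUMENT = {
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://login.example.com/oauth2/v1/token",
    "jwks_uri": "https://login.example.com/oauth2/v1/keys",
    "userinfo_endpoint": "https://login.example.com/oauth2/v1/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    findings = check_discovery(SAMPLE_CONFIG_URL, SAMPLE_DOCUMENT)
    for severity, message in findings or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

To check a live IdP, call `check_discovery(url, fetch_discovery(url))` with the same URL you intend to enter in the OIDC well-known config URL field; any "error" finding means the values the Orchestrator would auto-populate should not be trusted as-is.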

Configure Azure Active Directory for Single Sign On

To set up an OpenID Connect (OIDC)-based application in Microsoft Azure Active Directory (Azure AD) for Single Sign On (SSO), perform the following steps.

Ensure you have a valid Azure AD account.

  1. Log in to your Microsoft Azure account as an Admin user. The Microsoft Azure home screen appears.
  2. To create a new application, search and select the Azure Active Directory service.
    Figure 15. Azure Active Directory Service
  3. Go to App registration > New registration. The Register an application screen appears.
    Figure 16. Register an Application
  4. In the Name field, enter the name for your Orchestrator application.
  5. In the Redirect URL field, enter the redirect URL that your Orchestrator application uses as the callback endpoint.
    In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. The Orchestrator redirect URL has the format https://<Orchestrator URL>/login/ssologin/openidCallback.
  6. Select Register.
    Your Orchestrator application registers and displays in the All applications and Owned applications tabs. Make sure to note down the Client ID/Application ID to use during the SSO configuration in Orchestrator.
  7. Select Endpoints and copy the well-known OIDC configuration URL to be used during the SSO configuration in Orchestrator.
  8. To create a client secret for your Orchestrator application, on the Owned applications tab, select your Orchestrator application.
  9. Go to Certificates & secrets > New client secret. The Add a client secret screen appears.
    Figure 17. VCO Certificates and Secrets
  10. Provide a description and an expiry value for the secret and select Add. Copy the new client secret value immediately: Azure AD shows it only once, and you need it during the SSO configuration in Orchestrator. Record the expiry date as well, so the secret can be rotated before it lapses and SSO logins stop working.
  11. To configure permissions for your Orchestrator application, select your Orchestrator application and go to API permissions > Add a permission . The Request API permissions screen appears.
    Figure 18. API Permissions
  12. Select Microsoft Graph and select Application permissions as the type of permission for your application.
  13. Under Select permissions, from the Directory menu, select Directory.Read.All and from the User menu, select User.Read.All.
  14. Select Add permissions. Microsoft Graph application permissions take effect only after a tenant administrator grants consent on the API permissions page (Grant admin consent for your tenant).
  15. To add and save roles in the manifest, select your Orchestrator application and, from the application Overview screen, select Manifest. A web-based manifest editor opens and allows you to edit the manifest within the portal. Optionally, you can select Download to edit the manifest locally, and then use Upload to reapply it to your application.
    Figure 19. vco- Manifest
  16. In the manifest, search for the appRoles array and add one or more role objects as shown in the following example, then select Save.
    Note: The value property of each appRoles entry must be entered in the Identity Provider Role Name column of the Role Map table, located in the Authentication tab, for the roles to map correctly.
    Sample role objects
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Standard Administrator who will have sufficient privilege to manage resource",
      "displayName": "Standard Admin",
      "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": "standard"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Super Admin who will have the full privilege on Orchestrator",
      "displayName": "Super Admin",
      "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": "superuser"
    }
    Note: Set id to a newly generated Globally Unique Identifier (GUID) for every role; do not reuse the IDs from the sample, and never use the same id for two roles. You can generate GUIDs online using a web-based tool such as https://www.guidgen.com/, or by running one of the following commands:
    • Linux/macOS: uuidgen
    • Windows: powershell [guid]::NewGuid()
    Figure 20. vco-Manifest

    Roles are manually set up in the Orchestrator, and must match the ones configured in the Microsoft Azure portal.

    Figure 21. App Roles
  17. To assign groups and users to your Orchestrator application, navigate to Azure Active Directory > Enterprise applications .
  18. Search and select your Orchestrator application.
  19. Select Users and groups and assign users and groups to the application.
  20. Select Submit.

    You have completed setting up an OIDC-based application in Azure AD for SSO.
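    The appRoles entries above are easy to get subtly wrong (a reused id, a duplicated or empty value, a disabled role), and those mistakes only surface later as a manifest save error or a Role Map entry that never matches. The following script is an added example, not code from the original page or from the Orchestrator vendor: it generates the role objects with a fresh GUID each, checks the invariants before you paste them into the manifest, and prints the (Identity Provider Role Name, Orchestrator role) pairs to enter in the Role Map table. The role values "standard" and "superuser" are the page's own sample; the validation rules are this example's assumptions about what a safe entry looks like.

```python
"""Generate and sanity-check appRoles entries for the Azure AD app manifest.

Added example (not from the original page or the Orchestrator vendor). The
role values and descriptions are the page's sample; the checks are assumptions.
"""
import json
import uuid

# Orchestrator role value -> (displayName, description). Constructed from the page's sample.
ROLES = {
    "standard": ("Standard Admin",
                 "Standard Administrator who will have sufficient privilege to manage resource"),
    "superuser": ("Super Admin",
                  "Super Admin who will have the full privilege on Orchestrator"),
}


def make_app_role(value, display_name, description, role_id=None):
    """One appRoles entry. A new GUID is generated unless role_id is supplied."""
    return {
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": value,
    }


def build_app_roles(roles=ROLES):
    """The full appRoles array for the manifest, one entry per Orchestrator role."""
    return [make_app_role(value, name, desc) for value, (name, desc) in roles.items()]


def validate_app_roles(app_roles):
    """Return a list of problems; an empty list means the array is safe to paste."""
    problems = []
    seen_ids, seen_values = set(), set()
    for role in app_roles:
        label = role.get("value") or "<no value>"
        try:
            uuid.UUID(str(role.get("id")))
        except ValueError:
            problems.append(f"{label}: id is not a GUID")
        if role.get("id") in seen_ids:
            problems.append(f"{label}: duplicate id {role['id']}")
        seen_ids.add(role.get("id"))
        if not role.get("value"):
            problems.append("role with empty value; the Role Map needs a non-empty Identity Provider Role Name")
        elif role["value"] in seen_values:
            problems.append(f"{label}: duplicate value")
        seen_values.add(role.get("value"))
        # Orchestrator maps roles of signed-in users, so an app-only role would never match (assumption).
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"{label}: allowedMemberTypes does not include User")
        if not role.get("isEnabled", False):
            problems.append(f"{label}: role is disabled and cannot be assigned")
    return problems


def role_map_rows(app_roles):
    """(Identity Provider Role Name, Orchestrator role) pairs to enter in the Role Map table."""
    return [(role["value"], role["displayName"]) for role in app_roles]


if __name__ == "__main__":
    roles = build_app_roles()
    assert validate_app_roles(roles) == []
    print(json.dumps({"appRoles": roles}, indent=2))
    for idp_name, orchestrator_role in role_map_rows(roles):
        print(f"Role Map: {idp_name} -> {orchestrator_role}")
```

    Run it once per role set and paste the printed array into the manifest. If you edit the manifest by hand afterwards, run validate_app_roles over the pasted array again; a duplicated id is the mistake the portal catches, but a duplicated value is the one that silently makes the Role Map ambiguous.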

Configure Okta for Single Sign On

To support OpenID Connect (OIDC)-based Single Sign On (SSO) from Okta, you must first set up an application in Okta. To set up an OIDC-based application in Okta for SSO, perform the following steps.

Ensure you have an Okta account to sign in.

  1. Log in to your Okta account as an Admin user. The Okta home screen appears.
    Note: If you are in the Developer Console view, then you must switch to the Classic UI view by selecting Classic UI from the Developer Console list.
  2. To create a new application, select Applications > Add Application . The Add Application screen appears.
    Figure 22. Add an Application to Okta
  3. Select Create New App. Create a New Application Integration appears.
  4. From the Platform menu, select Web.
  5. Select OpenID Connect as the Sign on method and select Create. The Create OpenID Connect Integration screen appears.
    Figure 23. Create an OpenID Connect Integration
  6. In General Settings, in Application name, enter the name for your application.
  7. In CONFIGURE OPENID CONNECT, in Login redirect URIs, enter the redirect URL that your Orchestrator application uses as the callback endpoint. In the Orchestrator application, in Configure Authentication, locate the redirect URL link. Typically, the Orchestrator redirect URL has this format: https://<Orchestrator URL>/login/ssologin/openidCallback. Enter it exactly as Orchestrator displays it; Okta matches redirect URIs by exact string comparison.
  8. Select Save. The newly created application page appears.
  9. On the General tab, select Edit and select Refresh Token for Allowed grant types, and select Save.
    Note down the Client Credentials, Client ID and Client Secret, to be used during the SSO configuration in Orchestrator.
    Figure 24. General Settings
  10. Select Sign On and in the OpenID Connect ID Token area, select Edit.
  11. From the Groups claim type menu, select Expression. By default, Groups claim type is set to Filter.
  12. In the Groups claim expression textbox, enter the claim name used in the token, and an Okta input expression statement that evaluates the token.
  13. Select Save. The application is now set up in the IdP. You can assign user groups and users to your Orchestrator application.
    Figure 25. Settings

Assigning Users and Groups

  1. Go to Applications > Applications and select your Orchestrator application link.
  2. On the Assignments tab, from the Assign menu, select Assign to Groups or Assign to People. The Assign Application Name to Groups or Assign Application Name to People dialog box appears.
  3. Select Assign next to the user groups or users you want to assign to the Orchestrator application and select Done. The users or user groups assigned to the Orchestrator application are displayed.
    Figure 26. Assigning Users and Groups

    You have completed setting up an OIDC-based application in Okta for SSO.

Configure PingIdentity for Single Sign On

To set up an OpenID Connect (OIDC)-based application in PingIdentity for Single Sign On (SSO), perform the following steps.

Ensure you have an active PingOne account.
Note: Currently, Orchestrator supports PingOne as the Identity Provider (IdP). However, any PingIdentity product that supports OIDC can be configured.
  1. Log in to your PingOne account as an Admin user. The PingOne home screen appears.
  2. In the upper navigation bar, select Applications.
    Figure 27. PingOne Applications
  3. On the My Applications tab, select OIDC and then select Add Application. Add OIDC Application appears.
    Figure 28. Adding the OIDC Application
  4. Provide basic details such as name, short description, and category for the application and select Next.
  5. Under AUTHORIZATION SETTINGS, select Authorization Code as the allowed grant types and select Next.
    Also, note down the Discovery URL and the Client Credentials (Client ID and Client Secret) to use during the SSO configuration in Orchestrator.
  6. Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO URL and Redirect URL. Select Next.
    In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Typically, the Orchestrator redirect URL has this format: https://<Orchestrator URL>/login/ssologin/openidCallback. The Start SSO URL has this format: https://<Orchestrator URL>/<domain name>/login/doEnterpriseSsoLogin.
  7. Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, select Add Attribute to add additional user profile attributes.
  8. In the Attribute Name text box, enter group_membership and then select Required. Select Next.
    Note: The group_membership attribute is required to retrieve roles from PingOne.
  9. Under CONNECT SCOPES, select the scopes to request for your Orchestrator application during authentication and select Next.
  10. Under Attribute Mapping, map your identity repository attributes to the claims available to your Orchestrator application.
    Note: The minimum required mappings for the integration to work are email, given_name, family_name, phone_number, sub, and group_membership (mapped to memberOf).
  11. Under Group Access, select all user groups that should have access to your Orchestrator application and select Done. The application is added to your account and is available on the My Applications screen.

    You have completed setting up an OIDC-based application in PingOne for SSO.

Configure OneLogin for Single Sign On

To set up an OpenID Connect (OIDC)-based application in OneLogin for Single Sign On (SSO), perform the steps below:

Ensure you have an active OneLogin account.

  1. Log in to your OneLogin account as an Admin user. The OneLogin home screen appears.
  2. To create a new application, select Apps > Add Apps .
  3. In the Find Applications text box, search for OpenId Connect or oidc and then select the OpenId Connect (OIDC) app. The Add OpenId Connect (OIDC) screen appears.
    Figure 29. Adding an OpenID Connection
  4. In the Display Name text box, enter the application name and select Save.
  5. On the Configuration tab, enter the Login URL, the auto-login URL for SSO, and the Redirect URI that Orchestrator uses as the callback endpoint, and select Save.
    • Login URL: The login URL has this format: https://<Orchestrator URL>/<Domain>/login/doEnterpriseSsoLogin, where <Domain> is the domain name of your Enterprise that you must already have set up to enable SSO authentication for the Orchestrator. You can get the domain name from the Enterprise portal > Administration > System Settings > General Information page.
    • Redirect URIs: The Orchestrator redirect URL has this format: https://<Orchestrator URL>/login/ssologin/openidCallback. In the Orchestrator application, at the bottom of the Authentication screen, you can find the redirect URL link.
    Figure 30. OpenId Connect
  6. On the Parameters tab, under OpenId Connect (OIDC), double-click Groups. Edit Field Groups appears.
    Figure 31. Editing Field Groups
  7. Set the Groups field to User Roles with the transform - No transform - (Single value output), so that the user's OneLogin role is sent in the groups attribute, and select Save.
  8. On the SSO tab, from the Application Type menu, select Web.
  9. For Token Endpoint, from the Authentication Method menu, select POST and select Save.

    Also, note down the Client Credentials, Client ID and Client Secret, to be used during the SSO configuration in Orchestrator.

    Figure 32. Authentication Method
  10. On the Access tab, choose the roles allowed to login and select Save.
    Figure 33. Access

Adding Roles and Users to Orchestrator

  1. Select Users > Users and select a user.
  2. On the Application tab, from the Roles menu, select a role to map to the user.
  3. Select Save Users.

    You have completed setting up an OIDC-based application in OneLogin for SSO.
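    Each of the four procedures above ends with the IdP sending the user's role in a differently named claim (Azure AD appRoles arrive in "roles", PingOne sends "group_membership", OneLogin sends "groups" as a single value, and for Okta the claim name is whatever you typed as the groups claim name), and the Role Map table in the Authentication tab is what turns those values into an Orchestrator role. The following script is an added example, not code from the original page or from the Orchestrator product: it shows the claim checks that have to pass before a role is even considered (issuer, audience, expiry, nonce) and then resolves the role through the Role Map, failing closed when nothing matches or when the claims map to two different roles. The decoded payloads, issuer and client ID are constructed placeholders; the Okta claim name "groups" is an assumption; the token's signature is assumed to have been verified against the IdP's JWKS before this code runs.

```python
"""Check ID token claims and resolve an Orchestrator role through the Role Map.

Added example (not from the original page or the Orchestrator product).
Signature verification is assumed to have happened already; only claims are checked.
"""
import time


class TokenError(Exception):
    """Raised for any token that must not result in a login."""


# Claim that carries the role for each IdP on this page. The Okta name is an assumption:
# it is whatever was entered as the groups claim name in the Okta application.
ROLE_CLAIM = {
    "azure": "roles",
    "okta": "groups",
    "pingone": "group_membership",
    "onelogin": "groups",
}

# Identity Provider Role Name -> Orchestrator role, as entered in the Role Map table.
# The names match the page's sample appRoles.
ROLE_MAP = {
    "standard": "Standard Admin",
    "superuser": "Super Admin",
}


def check_core_claims(claims, issuer, client_id, nonce, now=None):
    """Reject a token that is not from the expected IdP, not for this client, expired, or replayed."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenError("token was not issued for this client_id")
    # With several audiences, OIDC requires azp to name the client that received the token.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise TokenError("multi-audience token without matching azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired or has no exp")
    if claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch (possible replay)")


def extract_role_names(idp, claims):
    """Role or group names from the IdP-specific claim, normalised to a list."""
    value = claims.get(ROLE_CLAIM[idp])
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def resolve_role(idp, claims, role_map=ROLE_MAP):
    """Map claim values through the Role Map. Fails closed: no match, or a match on
    two different Orchestrator roles, is refused rather than guessed."""
    names = extract_role_names(idp, claims)
    mapped = sorted({role_map[n] for n in names if n in role_map})
    if not mapped:
        raise TokenError(f"no Role Map entry for {names}")
    if len(mapped) > 1:
        raise TokenError(f"claims map to more than one role: {mapped}")
    return mapped[0]


def sso_login(idp, claims, issuer, client_id, nonce, now=None):
    """Full claim check followed by role resolution; returns the Orchestrator role name."""
    check_core_claims(claims, issuer, client_id, nonce, now)
    return resolve_role(idp, claims)


if __name__ == "__main__":
    # Constructed sample payloads; issuer and client_id are placeholders, not real tenants.
    issuer, client_id, nonce, now = "https://idp.example/oidc", "orchestrator-client", "n-1", 1_700_000_000
    samples = {
        "azure": {"roles": ["superuser"]},
        "okta": {"groups": ["Everyone", "standard"]},
        "pingone": {"group_membership": ["standard"]},
        "onelogin": {"groups": "superuser"},
    }
    for idp, extra in samples.items():
        claims = {"iss": issuer, "aud": client_id, "exp": now + 300, "nonce": nonce, **extra}
        print(idp, "->", sso_login(idp, claims, issuer, client_id, nonce, now))
```

    The ambiguity rule is a deliberate choice for this illustration: a user who is in both a "standard" and a "superuser" group is refused instead of silently granted the higher role, so a group-membership mistake in the IdP cannot escalate privilege on the Orchestrator side. If your environment needs a precedence order instead, encode it explicitly rather than relying on claim ordering.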