AAA Providers

Authentication, authorization, and accounting (AAA) providers create and log in to CloudVision through any provider. The OAuth and SAMLproviders are pre-configured buts require additional information to create the provider.

The following sections describe procedures to configure AAA providers:

  1. Requirements
  2. Setting up OAuth and SAML Providers in CloudVision
  3. Setting up CloudVision with Identity Provider
  4. Logging in Using SAML IDP
  5. Logging in with a Provider
  6. Adding Launchpad as a Provider

Requirements

Pre-requisites:

  • The device must have internet access.
  • To create the OAuth or SAML provider, you must be registered with and have access to the Service Provider (SP) credentials.

Perform the following steps to create and edit SAML Providers:

  1. Click on the gear icon.
    Figure 1. General Settings Screen
  2. On the General Settings page, under Features, enable SAML Providers (Beta) using the toggle button.

Setting up OAuth and SAML Providers in CloudVision

You can setup an OAuth or SAML provider in CloudVision through the Providers screen. To open the Providers screen, click on the gear icon and navigate to Access Control > Providers. This screen lists current registered OAuth and SAML providers in corresponding tables and provides the following functionalities:
Note: The Shared Provider column lists the providers where Arista has a special account for CloudVision-as-a-Service (CVaaS).

Adding OAuth Providers

Pre-requisites:

  • Shared providers does not require the additional information like endpoint, client ID, and client secret. This functionality is not supported on-prem or on the custom providers.
  • The link at the bottom of the Add OAuth Providers window explains how the selected provider uses OAuth and where you can find the information required by the form.
  • You can use the Custom OAuth option if your provider is not listed under the Provider drop-down menu.
Perform the following steps to add an OAuth provider:
  1. Click the + Add OAuth Provider tab.
    The system opens the Add OAuth Provider screen.
    Figure 2. Add OAuth Provider Screen
  2. Select the required OAuth provider from the Provider drop-down menu.
    Figure 3. Add OAuth Provider Screen to Configure a Provider
  3. In the Endpoint field, type the provider URL where the Client ID and Client Secret are used to authorize the client.
  4. In the Client ID field, type the unique public identifier the provider assigns to the client at the time of registration.
  5. In the Client Secret field, type the unique private identifier the provider assigns to the client at the time of registration.
  6. Click Add.
    The system registers the new OAuth provider and lists it in the OAuth providers table.

Adding SAML Providers

Pre-requisites:

  • The link at the bottom of the Add SAML Providers window explains how the selected provider uses SAML and where you can find the information required by the form. The only provider that does not have this information is Launchpad.
  • You can use the Custom SAML option if your provider is not listed under the Provider drop-down menu.
Perform the following steps to add an SAML provider:
  1. Click the + Add SAML Provider tab.
    The system opens the Add SAML Provider window.
    Figure 4. Add SAML Provider Screen
  2. Select the required SAML provider from the Provider drop-down menu.
    Figure 5. Add SAML Provider Screen to Configure a Provider
  3. In the Identity Provider Issuer field, type the Issuer or Entity ID.
    Note: An Issuer or Entity ID is a URL that uniquely identifies a SAML identity provider.
  4. In the Identity Provider Metadata URL field, type the URL to fetch identity provider metadata.
  5. In the Email Attribute Name field, type the attribute name for the email ID in SAML.
  6. In the Authorization Request Binding field, select the protocol binding used for the SAML authentication request to the identity provider.
  7. Click Add.
    The system registers the new SAML provider and lists it in the SAML providers table.

Removing OAuth Providers

Perform the following steps to remove an OAuth provider:
  1. On the Providers screen, under OAuth Providers, select the redundant provider from the OAuth provider table.
    Figure 6. Removing OAuth Provider(s)
  2. Click the Remove OAuth Provider button.
    The system opens the Confirm screen.
    Figure 7. Remove OAuth Provider(s) Confirm Screen
  3. Click Remove to confirm the removal.
    The system permanently removes the OAuth provider.

Removing SAML Providers

Perform the following steps to remove an SAML provider:
  1. On the Providers screen, under SAML Providers, select the redundant provider from the SAML provider table.
    Figure 8. Removing SAML Provider(s)
  2. Click the Remove SAML Provider button.
    The system opens the Confirm screen.
    Figure 9. Remove SAML Provider(s) Confirm Screen
  3. Click Remove to confirm the removal.
    The system permanently removes the SAML provider.

Logging in Using SAML IDP

Starting with the 2023.2.0 release, you can login to CloudVision through an Identity Provider (IDP) instead of directly through the CloudVision application. When you log in to the IDP and your identity is verified, then, that verification process is used to access the CloudVision portal.

Note: This feature is available only for SAML providers and is disabled by default. When enabled, all CloudVision users of your organization can login to CloudVision through their SAML IDP.

Enabling SAML IDP Login

The SAML IDP initiaited login can be enabled in CloudVision portal by toggling (enabling) the Allow Identity Provider Initiated Login for SAML on General Settings > Cluster Management page as in the image below:
Figure 10. General Settings - SAML IDP Login Enable


Setting SAML IDP Login

For SAML IDP initiated login to function with CloudVision, you should define a default relay state value while setting up the SAML provider in your IDP. It is expected that your IDP should have an optional field to configure the default relay state.

For example, while configuring IDP, enter the details in the Relay State (Optional) field in the following format:

<ProviderID>:<OrgName>:<NextURL>, where:

  • ProviderID: is the provider identifier that has been set up on CloudVision. Append “saml” to the name of the provider as below:
    • Okta: Use oktasaml as the ProviderID
    • OneLogin: Use oneloginsaml as the ProviderID
    • Microsoft: Use microsoftsaml as the ProviderID
    • Launchpad: Use launchpadsaml as the ProviderID
    • Custom SAML Provider: Use the ProviderID entered while setting up CloudVision
  • OrgName: For On-prem users, the organization name is always the default value. This is the value that you have entered as your organization name. You can overwrite this value with a custom value later.For CVaaS users, this is the name of the organization entered at login time.
  • NextURL: This is the URL that gets redirected to after logging in. This can be the Entity ID on the IDP followed by /settings/aaa-providers. This value must be base 64 RawURL encoded.

For example, if the URL is https://www.cvp.arista.io the base 64 RawURL encoding is, aHR0cHM6Ly93d3cuY3ZwLmFyaXN0YS5pby9zZXR0aW5ncy9hYWEtcHJvdmlkZXJz and this encoded value gets included in the Relay State field. You can leave the URL empty, in which case you are redirected to a default URL, which is the Entity ID followed by /cv.

For Example, if a user from the organization, Foo is setting up a Microsoft Provider and wants to be redirected to https://www.cloudvision.domain/settings/aaa-providers, then the Relay State should be, microsoftsaml:Foo:aHR0cHM6Ly93d3cuY3ZwLmFyaXN0YS5pby9zZXR0aW5ncy9hYWEtcHJvdmlkZXJz. You can also enter the Relay State without the NextURL details as microsoftsaml:Foo:, where you will be redirected to https://<your FQDN>/cv, where <your FQDN> is the DNS name you configured for the cluster.

Logging in with a Provider

You can use your registered providers on the CloudVision login screen to log in to cloud and on-premise CloudVision deployments. Click on the provider that has been created to log in through that provider.

Note: The login screen of the CloudVision with Cloud Deployments displays all supported providers regardless of which ones were created. Whereas, the login screen of the CloudVision with Cloud Deployments only displays providers that have been created.

Adding Launchpad as a Provider

You can add a launchpad using one of the following methods as per your requirement:

Adding a Launchpad for CVaaS Deployments

This section applies to non-CV-CUE customers who want to use launchpad as an identity provider.

To add launchpad as a shared provider for CVaas deployments, request the list of users to be created in launchpad by emailing to wifi-cloudops-tickets@

Note:
  • For cv-dev and cv-play, use the following information to configure Launchpad in Cloudvision:

    Provider: launchpad Identity Provider Issuer: https://mojoonedemo.airtightnw.com/idp/shibboleth Identity Provider Metadata URL: https://mojoonedemo.airtightnw.com/idp/shibboleth Email Attribute Name: User.email Authorization Request Binding: HTTP-Redirect SAML protocol binding

  • For cv-staging and production, use the following information to configure Launchpad in Cloudvision:

    Provider: launchpad Identity Provider Issuer: https://login.mojonetworks.com/idp/shibboleth Identity Provider Metadata URL: https://login.wifi.arista.com/casui/idp-metadata.xml Email Attribute Name: User.email Authorization Request Binding: HTTP-Redirect SAML protocol binding

Adding a Launchpad for On-Premise Deployments

Perform the following steps to add a launchpad for on-premise deployments:

  1. Log into the tenant/cluster and get the SAML metadata from the desired cluster by going to the CLUSTER_URL/api/v1/saml_sp_metadata URL.
    Note:
  2. Email the metadata obtained in Step 1 to wifi-cloudops-tickets@ requesting to create the first user account in Launchpad and to get Launchpad configured with the SAML metadata to trust this CloudVision cluster.
    Note: Other accounts for this customer/org can be created by the first account created for this org by the cloudops team.
  3. Get the IdentityProvider Issuer URL, Identity Provider Metadata URL and the Email attribute name from Launchpad.

Adding a Launchpad for CVaaS and On-Premise Deployments

Perform the following steps to add a launchpad for CVaaS and on-premise deployments:

  1. Log in to the CVP.
  2. Click on the gear icon.
  3. On the General Settings screen, under Features, enable SAML Providers (Beta).
  4. Navigate to Access Control > Providers and click the + Add SAML Provider button.
  5. Select Launchpad (SAML) from the Provider drop-down menu.
    Figure 11. Add SAML Provider Screen to Configure Launchpad
  6. In the Identity Provider Issuer field, type the Issuer or Entity ID.
    Note: An Issuer or Entity ID is a URL that uniquely identifies a SAML identity provider.
  7. In the Identity Provider Metadata URL field, type the URL to fetch identity provider metadata.
  8. In the Email Attribute Name field, type the attribute name for the email ID in SAML.
  9. In the Authorization Request Binding field, select the protocol binding used for the SAML authentication request to the identity provider.
  10. Click Add.
  11. Under Access Control in the left pane, click Users.
    The system opens the Users screen.
    Figure 12. Users Screen
  12. On the Users screen, click + Add User.
    The system opens the Add User screen.
    Figure 13. Add User Screen
  13. Provide the required information in corresponding fields.
    Note:
    • CloudVision usernames and EOS switch usernames must match for CloudVision to manage configuration and images on the switches.
    • Type the email address which you used to sign up with Launchpad in the Email Address field.
  14. Click Add.
  15. Logout from the CVP.
  16. Login to your account via launchpad.