Onboarding Procedures
- Onboarding Authentication Providers
- Onboarding Devices: Token-Based Authentication
- Subscribing to CloudVision as-a-Service updates
Onboarding Authentication Providers
Once the CloudVision as-a-Service instance is set up, use the following procedure to add a preferred authentication provider.
To add a preferred authentication provider:
Onboarding Devices: Token-Based Authentication
To onboard the devices using token-based authentication.
Subscribing to CloudVision as-a-Service updates
You can monitor CloudVision Service live status through https://status.arista.io . You can also subscribe to CloudVision Service notification via email/text using Subscribe to CloudVision.
Bearer Token Login
Use bearer tokens to provide custom applications or third-party applications login access to CloudVision. This will allow the application to make configuration changes to EOS devices. Bearer token login can be used with identity providers that issue bearer tokens and have an introspection endpoint.
Login via bearer token involves communication between the application, the identity provider, and CloudVision.
To allow an application to log in via bearer token, ensure that both the Roles Mapping for Providers and the Allow Bearer Token Login toggles are enabled under Cluster Management in General Settings.
- Make sure that the identity provider has been properly set up in Providers.
- Request a bearer token from the identity provider for the application.
In generating the bearer token, you willneed to make sure that the user exists in CloudVision and that the token has the required fields for the relevant role, username, and optionally email address. Depending on the application, this may require you to log in to the identity provider, create a bearer token, and then program the token in the application.
For more information on creating a bearer token, or access token, with Okta, see Get an Access Token and Make a Request: https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/#get-an-access-token-and-make-a-request.
For documentation on getting a bearer token, or access token, with PingIdentity, see Getting an Access Token: https://docs.pingidentity.com/r/en-us/pingone/p1_t_getaccesstoken.
Alternatively, you may be able to log in to the application and request a bearer token from the identity provider via script that is then returned directly to the application.
To complete this process in Ansible, see Token-Based Authentication: https://docs.ansible.com/ansible-tower/latest/html/administration/oauth2_token_auth.html
- Once the application has the bearer token, you willprovide it with the login URL
as a bearer header in the request:
https://<cv-domain>/api/v1/oauth/bearer?org=<org>&provider=<provider>
The URL includes the following components, which must match the details in CloudVision for the bearer token to be verified and the access token returned to the application:
-
<CV-domain>: Enter the domain of your CloudVision cluster
-
<Org>: Enter Default
-
<Provider>: Enter the name of the provider in CloudVision that issued the bearer token
The application then makes an API call to CloudVision using the access token to complete the login process.
-