HPE Aruba ClearPass - Relying Party Configuration - RSA Ready Implementation Guide

This article describes how to integrate Cloud Access Service (CAS) with HPE Aruba ClearPass using Relying Party.

 

Configure CAS

Perform these steps to configure CAS using Relying Party.
Procedure

 

  1. Sign in to the RSA Cloud Administration Console.
  2. Navigate to Authentication Clients > Relying Parties.
  3. Click Add a Relying Party.
  4. From the Relying Party Catalog, select Add for Service Provider SAML.
  5. On the Basic Information page, enter the name for the application in the Name field.
  6. Click Next Step.
  7. In the Authentication section, choose RSA manages all authentication.
  8. From the 2.0 Access Policy for Authentication dropdown list, select a policy that was previously configured, then select Next Step.
  9. In Data Input Method, you have the option to import metadata.
  10. Click Choose File and select the SP metadata.xml file provided by the HPE Aruba ClearPass configuration.
  11. Navigate to the Service Provider section. The following fields are auto-populated from the metadata, but ensure they are in the following format:
    1. Assertion Consumer Service (ACS) URL: https://<aruba-clearpass-hostname>/networkservices/saml2/sp/acs
    2. Service Provider Entity ID: https://<aruba-clearpass-hostname>/networkservices/saml2/sp
  12. In the Message Protection section, choose IdP signs entire SAML response.
  13. Click Download Certificate to download the certificate, which will be required for the HPE Aruba ClearPass configuration.
  14. Go to the User Identity section and select the following:
    1. Identifier Type > Email Address
    2. Property > mail
  15. In the Identity Provider section, make note of the Entity ID.
  16. You can enter any identifier in the Discriminator text field. It is appended to the Entity ID URL to ensure the Entity ID is unique to the Service Provider.
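
The Service Provider step above asks you to confirm that the imported ACS URL and Entity ID follow the stated format. The following Python script is an added example, not part of the RSA guide or of either product: it parses an SP metadata file and reports any field that deviates from that format. The hostname clearpass.example.com and the embedded metadata are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"   # SAML 2.0 metadata namespace
SP_PATH = "/networkservices/saml2/sp"           # Entity ID path from the guide
ACS_PATH = SP_PATH + "/acs"                     # ACS URL path from the guide

# Constructed sample metadata; the hostname is a placeholder.
SAMPLE = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://clearpass.example.com/networkservices/saml2/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://clearpass.example.com/networkservices/saml2/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def _check_url(label, url, path, host, problems):
    """Require https, the expected host, the exact path, and no query or fragment."""
    u = urlsplit(url or "")
    if u.scheme != "https":
        problems.append(f"{label}: not https ({url!r})")
    if (u.hostname or "").lower() != host.lower():
        problems.append(f"{label}: host {u.hostname!r} != {host!r}")
    if u.path != path or u.query or u.fragment:
        problems.append(f"{label}: expected path {path}, got {url!r}")

def check_sp_metadata(xml_text, host):
    """Return a list of problems; an empty list means the format matches."""
    # Only feed this a metadata file downloaded from your own ClearPass server.
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return [f"unexpected root element {root.tag}"]
    problems = []
    _check_url("Entity ID", root.get("entityID"), SP_PATH, host, problems)
    acs = root.findall(f"{MD}SPSSODescriptor/{MD}AssertionConsumerService")
    if not acs:
        problems.append("no AssertionConsumerService element")
    for el in acs:
        _check_url("ACS URL", el.get("Location"), ACS_PATH, host, problems)
    return problems

if __name__ == "__main__":
    for line in check_sp_metadata(SAMPLE, "clearpass.example.com") or ["OK"]:
        print(line)
```

To check a real file, read metadata.xml into a string and pass it with the ClearPass hostname you expect; any reported line is a field to correct before completing the Relying Party configuration.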

Configure HPE Aruba ClearPass

Perform these steps to configure HPE Aruba ClearPass.
Procedure

 

  1. Log in to ClearPass Policy Manager as an administrator.
  2. Go to Administration > Certificates > Trust List.
  3. Click Add.
  4. In the Certificate File field, select the certificate downloaded during the RSA Cloud Access Service configuration.
  5. Set the Usage field to SAML from the dropdown list, then click Add Certificate.
  6. Navigate to Configuration > Identity > Single Sign-On (SSO).
  7. Enter the Identity Provider URL copied from the RSA Cloud Access Service configuration in the Identity Provider (IdP) URL field.
  8. Select the necessary applications for your use cases from the Enable SSO for options. Only GuestOperators is currently enabled.

Note: Ensure that SSO is functioning correctly for Guest or Insight before enabling it for PolicyManager.

  9. Click Download to retrieve the ClearPass Service Provider (SP) metadata.
  10. From the Select Certificate dropdown list, choose the RSA Cloud Access Service certificate that was previously uploaded to the Certificate Trust List.
  11. Click Update to save the configuration.
  12. Navigate to Configuration > Service Templates & Wizards and select ClearPass Admin SSO Login (SAML SP Service).
  13. Enter a Name Prefix (for example, rsaready) or select a previously configured prefix from the dropdown list, then click Next.
  14. Select the application(s) for which SAML-based Single Sign-On (SSO) should be enabled.
  15. Ensure your selections match the options that were previously enabled for SSO during the SAML SP configuration.
  16. Click Add Service.

 

The configuration is complete.