Manage Federated Authentication

User authentication can be done either locally with Launchpad or by a third-party identity provider.

Launchpad integrates with third-party or federated identity providers that support the SAML 2.0 standard. You can use a SAML 2.0 compliant federated identity provider for Single Sign On to Launchpad Services.

Federated authentication is deactivated, by default, on Launchpad. To activate federated authentication, contact Technical Support at support-wifi@arista.com. The Federated Login tab is visible in Launchpad to a user with Admin profile only if federated authentication is activated.

A Launchpad user is presented with the Use Third Party Authentication link on the Launchpad login page for federated authentication. The link redirects to a page where users must enter their login ID or e-mail ID to be redirected to their own identity provider's page, where they enter their federated authentication credentials, that is, the official e-mail ID and password. The user is then authenticated by the federated identity provider.

On successful authentication through a federated or third-party identity provider, the user details such as the e-mail ID, first name, last name of the user, profile (if provided by identity provider, otherwise the default profile assigned by Launchpad) are stored in Launchpad. The password of a federated user is not stored in Launchpad.

Enable Integration with Federated Identity Provider

To enable integration with a third party identity provider, you must provide the following information.

The values for the above-mentioned fields can be retrieved collectively as an XML file from the third party identity provider and imported into Launchpad. Alternatively, this information can be entered manually on the Federated Login tab. Apart from the above-mentioned details, the federated identity provider might provide the time zone and the profile for the user.

IMPORTANT: If the profile name provided by the federated identity provider does not match an existing profile name present in Launchpad, the default profile specified in the Federated Login tab (in Launchpad) is assigned to the federated user.

You must specify the default time zone and default profile to be assigned to the user if the federated identity provider does not provide this information to Launchpad.

To integrate with a federated identity provider, perform the following steps.

  1. Log in to the Launchpad using your credentials.

  2. Click Admin and then click the Federated Login tab.

  3. Select the Enable check box.

  4. Specify the following information manually or upload an XML file having this information. Select upload to choose and upload the XML file.

| Field | Description |
|---|---|
| Entity ID | Service URL of the third party identity provider. |
| Login URL | Federated login URL to be displayed when a user clicks the Use Third Party Authentication link on the Launchpad login page. |
| Secure hash algorithm | Secure hash algorithm for secure communication between Launchpad and the federated identity provider. You must also choose the certificate file to upload. |

  5. Specify the default time zone.

  6. Specify the default profile.

  7. The following details for Launchpad Services under Service Provider must be provided in the federated identity provider configuration to facilitate integration with Launchpad.

| Field | Description |
|---|---|
| Entity ID | Service URL of the Launchpad Authentication service. |
| Logout URL | URL to be displayed when a user with a federated login logs out of Launchpad Services. |
| Secure hash algorithm | Secure hash algorithm for secure communication between Launchpad and the federated identity provider. You must also choose the certificate file to upload. Click the Download Service Provider Certificate link to download the X.509 certificate from Launchpad. |

Alternatively, you can download all the metadata mentioned in the table above and upload it to the federated identity provider. Click the Download Service Provider Metadata link to download the metadata in XML format.

  8. Click Save.

Note: If you choose to upload information of the identity provider by using an XML metadata file, ensure that the Single Sign-On Services field in the metadata file has HTTP Redirect binding.
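A pre-upload check for the identity provider metadata file, as an added example that is not part of Launchpad or its documentation: it reads the Entity ID, the Single Sign-On Service endpoints and the certificate from the XML and reports a missing HTTP Redirect binding. The function name check_idp_metadata, the idp.example.test URLs and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata. The host is a placeholder and the certificate
# body is a dummy string, not a real X.509 certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (summary, problems) for an identity provider metadata document."""
    root = ET.fromstring(xml_text)
    problems = []

    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")

    idp = root.find(".//md:IDPSSODescriptor", NS)
    sso = idp.findall("md:SingleSignOnService", NS) if idp is not None else []
    # Only endpoints that advertise the HTTP Redirect binding are usable as Login URL.
    login_urls = [s.get("Location") for s in sso if s.get("Binding") == REDIRECT]
    if idp is None:
        problems.append("no IDPSSODescriptor element")
    elif not login_urls:
        problems.append("no SingleSignOnService with HTTP Redirect binding")

    certs = list(root.iter("{%s}X509Certificate" % NS["ds"]))
    if not any((c.text or "").strip() for c in certs):
        problems.append("no X.509 certificate")

    summary = {"entity_id": entity_id, "login_urls": login_urls,
               "certificates": len(certs)}
    return summary, problems
```
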

After configuring the federated login settings on your Launchpad account, and on your identity provider, Launchpad redirects a user to your identity provider if the login ID of the user has a domain name that matches a value in the list of allowed e-mail domains.

On successful authentication, the identity provider must provide the information of the logged-in user in SAML format. The following attributes should be present in the SAML response received from the identity provider.

| Field | Description |
|---|---|
| NameID (mandatory field) | The Launchpad login ID of the user. It must be in an e-mail ID format. When the user logs in successfully, a user account is created in Launchpad, if it is not already present. |
| givenname (mandatory field) | First name of the user. |
| surname | Last name of the user. |
| emailaddress | Primary e-mail address of the user. If this is not present in the SAML response, the login ID is considered as the e-mail ID. |
| timezone | Time zone of the user. If this is not present in the SAML response or is invalid, the default time zone set in the federated login configuration in Launchpad is used. |
| profilename | Launchpad profile name for the user. If this is not present in the SAML response or is invalid, the default profile set in the federated login configuration in Launchpad is used. This profile name is ignored after the profile for the user is explicitly changed from Launchpad. This behavior can be reset from Launchpad. |
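The attribute rules listed above, applied to a sample assertion, as an added example that is not Launchpad's own code: it checks the two mandatory fields and shows which values fall back to the configured defaults. The function name resolve_user, matching attribute names on their last path segment, the profile and time zone lists passed in, and the sample assertion are assumptions made for illustration; signature validation is out of scope here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed assertion fragment: the user, values and profile name are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="profilename"><saml:AttributeValue>NoSuchProfile</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_user(assertion_xml, known_profiles, known_timezones,
                 default_profile, default_timezone):
    """Return (user, errors) following the attribute table's fallback rules."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()

    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        # Assumption: compare on the last path segment, so a claim URI that
        # ends in "/givenname" is treated the same as the bare name.
        key = attr.get("Name", "").rsplit("/", 1)[-1].lower()
        attrs[key] = attr.findtext("saml:AttributeValue", default="",
                                   namespaces=NS).strip()

    errors = []
    if not EMAIL_RE.match(name_id):
        errors.append("NameID missing or not in e-mail ID format")
    if not attrs.get("givenname"):
        errors.append("givenname missing")

    tz, profile = attrs.get("timezone"), attrs.get("profilename")
    user = {
        "login_id": name_id,
        "first_name": attrs.get("givenname", ""),
        "last_name": attrs.get("surname", ""),
        # Absent emailaddress: the login ID is used as the e-mail ID.
        "email": attrs.get("emailaddress") or name_id,
        # Absent or invalid values fall back to the configured defaults.
        "timezone": tz if tz in known_timezones else default_timezone,
        "profile": profile if profile in known_profiles else default_profile,
    }
    return user, errors
```
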

Disable Integration with Federated Identity Provider

If you disable integration with the third party identity provider, it impacts existing ADFS users.

All ADFS users are converted to local (Launchpad) users.

These users would not be able to log in, as the password for these users has not been set through Launchpad. The former federated users can set it by using the Forgot Password link on the Launchpad login page. Alternatively, this can be done by resetting their passwords from Launchpad.