Technical White Paper

Dell EMC OpenManage Enterprise Login with PingFederate

This technical white paper provides information about configuring OpenManage Enterprise (OME) and PingFederate to enable logging into OME using PingFederate.

Abstract

OME 3.5 provides a method to log in using an OpenID Connect (OIDC) provider, PingFederate. OIDC providers are identity and user management software that allow users to securely access applications.
Revisions

Date      Description
Nov 2020  Initial release

Acknowledgements

Authors: Venkata Donepudi, Balaji Shanmugam and Manish Agrawal

The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Executive summary

In this white paper, you will learn how to configure PingFederate and OpenManage Enterprise (OME) or OpenManage Enterprise-Modular (OME-M) so that you can log into OME using PingFederate. Integrating OME with PingFederate allows PingFederate users (users associated with a data store in PingFederate) to log into OME. After OME is integrated with PingFederate, user authentication in OME is delegated to PingFederate.
1 System Requirements & Prerequisites

The following are the system requirements:
• PingFederate version 10.1
• OpenManage Enterprise version 3.
2 OME and PingFederate Configurations

This section describes the configuration required to enable user authentication in PingFederate.

2.1 Configure Scope and Policy in PingFederate

To enable OpenManage Enterprise OpenID Connect login using PingFederate, you must add a scope named dxcua, map it to the Client ID, and define the user privileges.
Figure 2 – PingFederate: OpenID Connect Policy Management -> Manage Policy

3. Navigate to the Attribute Scopes tab and add the dxcua scope attribute as shown in Figure 3.

Figure 3 – PingFederate: OpenID Connect Policy Management -> Attribute Scopes

4. Navigate to Contract Fulfillment and:
   a. Select Text as the source for the dxcua scope.
   b. Add [{"Role": "CA,AD"}] to enable administrator privileges in OME, as shown in Figure 4.
Figure 4 – PingFederate: OpenID Connect Policy Management -> Contract Fulfillment

The configuration in step 4 allows OAuth clients that use the selected policy to log users into OME with administrator privileges. OME supports other roles along with the administrator role. The following are the dxcua roles available in OME. See the OME User’s Guide for more information about each user role.
The following are the dxcua roles available in OME-M. See the OME-M User’s Guide for more information about each user role.

Role                   Abbreviation
Chassis Administrator  CA
Computer Manager       CM
Fabric Manager         FM
Storage Manager        SM
Viewer                 VE

2.2 Configure Time in PingFederate and OME

Both OME and PingFederate must reflect the same time; otherwise validation of the Authorization Code, Access Token, and user ID Token can fail.
2.3 Enable Dynamic Client Registration in PingFederate

Dynamic Client Registration allows OME to register clients on PingFederate through APIs, authenticating either with a username and password or with an Initial Access Token. By default, Dynamic Client Registration is disabled on PingFederate, and it can be enabled only when an external data source such as an external database or AD/LDAP is configured in PingFederate. To enable Dynamic Client Registration, do the following:
3 OpenID Connect Provider Registration in OME

When you register an OpenID Connect provider in OME using a username and password or an Initial Access Token, OME generates an OAuth client in PingFederate.

3.1 Register an OpenID Connect Provider with Username and Password in OME

To register an OpenID Connect provider with a username and password, do the following:
1. Log into OME with administrative privileges.
Figure 8 – OME: Add New OpenID Connect Provider using Initial Access Token

To get the Initial Access Token, see the guidelines in the PingFederate help guide (https://docs.pingidentity.com/bundle/pingfederate-101/page/qem1584122852896.html). For example, create an OAuth client in PingFederate and use that OAuth client to obtain the Access Token.
On successful registration of the OpenID Connect provider in OME, the OIDC provider is displayed as shown in Figure 9.

Figure 9 – OME: Successful Registration

Notes:
• The Discovery URI specified in the OIDC configuration wizard should list valid endpoints of the provider.
• Test Connection in the configuration wizard is anonymous; the credentials or Initial Access Token specified are used for registration.
4 Configure OAuth Client for dxcua scope and signing algorithms in PingFederate

After the OpenID Connect provider is registered successfully in OME, a new OAuth client is created in PingFederate. The dynamically registered OAuth client must be configured to use the dxcua scope and an OME-compatible signing algorithm for the ID Token. To configure the dxcua scope and signing algorithm, do the following:
1. Log into PingFederate with administrative privileges.
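The following Python example is added here to tie together sections 2.3, 3.1 (the Discovery URI note) and 4; it is not code from this white paper, from Dell, or from Ping Identity. It checks a discovery document of the kind a Discovery URI returns and then assembles, without sending it, an RFC 7591 dynamic client registration request that asks for the dxcua scope and a specific ID token signing algorithm, authenticated either with an Initial Access Token or with a username and password. The host name, paths, client name, redirect URI, the RS256 choice, the set of endpoints treated as required, and the HTTP Basic shape of the username/password option are all assumptions or constructed placeholders; the paper itself does not name OME's compatible algorithm.

```python
import base64
import json

# Constructed sample of the document an OIDC Discovery URI returns
# (placeholder host and paths, not taken from a real PingFederate deployment).
SAMPLE_DISCOVERY = {
    "issuer": "https://pf.example.test:9031",
    "authorization_endpoint": "https://pf.example.test:9031/as/authorization.oauth2",
    "token_endpoint": "https://pf.example.test:9031/as/token.oauth2",
    "jwks_uri": "https://pf.example.test:9031/pf/JWKS",
    "registration_endpoint": "https://pf.example.test:9031/as/clients.oauth2",
    "scopes_supported": ["openid", "dxcua"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
}

# Endpoints the wizard's "valid endpoint" note is taken to mean (assumption).
REQUIRED_ENDPOINTS = (
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "registration_endpoint",
)


def check_discovery(doc, expected_issuer, id_token_alg):
    """Return a list of problems with a discovery document; empty means usable."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer mismatch: %r" % doc.get("issuer"))
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append("missing " + key)
        elif not url.startswith("https://"):
            problems.append(key + " is not https")
    # scopes_supported is optional in discovery; only check it when advertised.
    scopes = doc.get("scopes_supported")
    if scopes is not None and "dxcua" not in scopes:
        problems.append("dxcua scope not advertised (see section 2.1)")
    if id_token_alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not offer ID token alg " + id_token_alg)
    return problems


def build_registration_request(doc, client_name, redirect_uri, id_token_alg,
                               initial_access_token=None, username=None, password=None):
    """Assemble (but do not send) an RFC 7591 registration request.

    Authentication is either Bearer with an Initial Access Token or, for the
    username/password option the paper mentions, HTTP Basic (assumed shape).
    """
    headers = {"Content-Type": "application/json"}
    if initial_access_token:
        headers["Authorization"] = "Bearer " + initial_access_token
    elif username and password:
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + creds
    else:
        raise ValueError("need an Initial Access Token or a username and password")
    body = {
        "client_name": client_name,
        "redirect_uris": [redirect_uri],
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
        # Section 4: the client must use an OME-compatible ID token algorithm.
        "id_token_signed_response_alg": id_token_alg,
        # Section 2.1: the dxcua scope carries the role claim.
        "scope": "openid dxcua",
    }
    return {
        "method": "POST",
        "url": doc["registration_endpoint"],
        "headers": headers,
        "body": json.dumps(body),
    }
```

Running check_discovery before registering surfaces two of the paper's failure modes early: a Discovery URI that does not list the endpoints OME needs, and a provider that cannot sign ID tokens with the algorithm the client will be configured for.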
5 Login from OME using PingFederate Users

OME displays successfully registered OpenID Connect providers on the login page. Users can log into OME either with the username and password of a user local to OME or with any one of the registered OpenID Connect providers. To log into OME with PingFederate users, do the following:
1. Navigate to the OME login page.
Figure 12 – PingFederate: Credentials Screen

After the credentials are validated successfully, if the user consent setting is enabled in PingFederate, the user is prompted to grant access permissions as shown in Figure 13.

Figure 13 – PingFederate: Consent Screen

After the necessary permissions are granted, the browser is redirected to OME and the user is logged into OME based on the response from PingFederate.
After successful login to OME, information about the user is displayed in the upper right corner as shown in Figure 14.
6 General Troubleshooting of Issues

1. If you see the error ‘Unable to log in by using the Graphical User Interface (GUI) because Insufficient privileges’ while logging into OME, ensure that the dxcua claim is added in the PingFederate server.
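As an added example for sections 2.1 and 2.2 and for troubleshooting item 1 above (not code from this white paper or from Dell), the following Python shows how a relying party evaluates the ID token claims that reach OME: it checks iat/exp against its own clock, then reads the dxcua claim in the [{"Role": "..."}] form the paper uses and maps the codes to the OME-M role table from section 2.1. The token payloads are constructed, the leeway parameter is an assumption introduced only to show what clock skew between OME and PingFederate does, signature verification is out of scope, and because the OME (non-modular) role table is not reproduced on this page the role check uses the OME-M codes.

```python
import json

# OME-M role abbreviations from the white paper's table (section 2.1).
OME_M_ROLES = {
    "CA": "Chassis Administrator",
    "CM": "Computer Manager",
    "FM": "Fabric Manager",
    "SM": "Storage Manager",
    "VE": "Viewer",
}

# Constructed ID token payloads (claims only; the signature has already been
# verified in a separate step that is not shown). Times are Unix seconds.
TOKEN_OK = {
    "iss": "https://pf.example.test:9031",
    "sub": "jdoe",
    "aud": "ome-client",
    "iat": 1_600_000_000,
    "exp": 1_600_003_600,
    "dxcua": '[{"Role": "CA,CM"}]',
}
TOKEN_NO_DXCUA = {k: v for k, v in TOKEN_OK.items() if k != "dxcua"}


def parse_dxcua(claim):
    """Turn the dxcua claim ('[{"Role": "CA,AD"}]' in the paper) into role codes."""
    value = json.loads(claim) if isinstance(claim, str) else claim
    if not isinstance(value, list) or not value:
        raise ValueError("dxcua must be a non-empty JSON array")
    roles = []
    for entry in value:
        if not isinstance(entry, dict) or not isinstance(entry.get("Role"), str):
            raise ValueError("each dxcua entry needs a string 'Role' member")
        for code in entry["Role"].split(","):
            code = code.strip().upper()
            if code and code not in roles:
                roles.append(code)
    return roles


def check_time_claims(payload, now, leeway=0):
    """Return None if iat/exp are acceptable at time `now`, else a reason.

    `leeway` (seconds) is the skew this checker tolerates; 0 models the
    paper's requirement that both clocks show the same time.
    """
    if payload["iat"] > now + leeway:
        return "token issued in the future (clock skew)"
    if now >= payload["exp"] + leeway:
        return "token expired"
    return None


def authorize(payload, now, known_roles=OME_M_ROLES, leeway=0):
    """Decide whether the claims admit the user and with which roles.

    Returns (allowed, reason, roles).
    """
    reason = check_time_claims(payload, now, leeway)
    if reason:
        return False, reason, []
    if "dxcua" not in payload:
        # The section 6 symptom: login refused for insufficient privileges.
        return False, "Insufficient privileges: dxcua claim missing", []
    try:
        roles = parse_dxcua(payload["dxcua"])
    except ValueError as exc:
        return False, "malformed dxcua claim: %s" % exc, []
    unknown = [r for r in roles if r not in known_roles]
    if unknown:
        return False, "unknown role code(s): %s" % ",".join(unknown), roles
    return True, "ok", roles
```

With leeway left at 0, a token issued by a PingFederate whose clock is even 100 seconds ahead of OME is rejected as "issued in the future", which is the practical reason behind section 2.2; a token with no dxcua claim is refused for insufficient privileges regardless of how well the clocks agree.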
A Related resources

Dell EMC OpenManage Enterprise documents