
Add Identity Providers for Juniper Mist Access Assurance

Juniper Mist Access Assurance uses identity providers (IdPs) to:

  • Get additional identity context about clients, such as user group memberships and account state.

    This lookup is available with certificate-based authentication methods such as Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) and Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS).

  • Authenticate clients by validating credentials. EAP-TTLS supports credential-based authentication.

Juniper Mist Access Assurance uses the following protocols to integrate with an IdP, look up users, and retrieve device state information:

  • Secure Lightweight Directory Access Protocol (LDAP)
  • OAuth 2.0

Configuring IdPs is optional for EAP-TLS certificate-based authentication and mandatory for credential-based authentication (EAP-TTLS).

To add IdPs:

  1. On the Juniper Mist portal, click Organization and select Identity Providers under Access.
    The Identity Providers page opens displaying a list of configured identity providers (if any).
  2. Click Add IDP to add a new identity provider.
  3. On the New Identity Provider page, enter the following information:
    1. Name—Enter an IdP name.
    2. IDP Type—Select an IdP type:
      • LDAPS
      • OAuth

      For the LDAPS IdP type, enter the values listed in Table 1.

      Table 1: Settings for Identity Provider Type LDAPS

      LDAP Type
        Select one of the following options from the drop-down menu:
        • Azure
        • Okta
        • Custom

      Server Hosts
        Enter the hostname or IP address of the LDAP server to use for authentication.

      Domain Names
        Enter the fully qualified domain name (FQDN) of the LDAP server.

      Default IDP
        Set the selected identity provider as the default IdP. The system performs the lookup in this IdP when the user's domain name is unknown or not found.

      Bind DN
        Specify the user account that is allowed to search the Base DN. Example: cn=admin, dc=abc, dc=com.

      Bind Password
        Enter the password of the user specified in Bind DN.

      Base DN
        Enter a whole domain or a specific organizational unit (container) as the search base, to specify where users and groups are found in the LDAP tree. Example: OU=NetworkAdmins,DC=your,DC=domain,DC=com.

      LDAPS Certificates
        Add the Certificate Authority (CA) certificate and the client certificate.

      Group Filter, Member Filter, User Filter
        Specify the LDAP filter that identifies a group, a member, or a user. These options are available only for LDAP Type Custom.

      For the OAuth IdP type, enter the values listed in Table 2. Some of these fields require values that you receive when you configure the Azure or Okta application. See Integrate Azure AD as an Identity Provider or Integrate Okta as an Identity Provider.

      Table 2: Settings for Identity Provider Type OAuth

      OAuth Type
        Select one of the following options from the drop-down menu:
        • Azure
        • Okta

      OAuth Tenant ID
        Enter the OAuth tenant ID. Use the ID you received during Azure or Okta application configuration.

      Domain Names
        Enter a fully qualified domain name.

      Default IDP
        Set the selected identity provider as the default when the user domain name is not specified.

      OAuth Client Credential (CC) Client Id
        The application ID of your client application. Use the ID you received during Azure or Okta application configuration.

      Settings specific to OAuth Type Okta:

      OAuth Client Credential (CC) Client Private Key
        Enter the private key generated during Okta application configuration.

      OAuth Resource Owner Password Credential (ROPC) Client Id
        Enter the client secret ID. Use the secret ID you received during Okta application configuration.

      OAuth Resource Owner Password Credential (ROPC) Client Secret
        Enter the client secret value. Use the secret value you received during Okta application configuration.

      Settings specific to OAuth Type Azure:

      OAuth Client Credential (CC) Client Id
        Enter the client ID generated during Azure application configuration.

      OAuth Client Credential (CC) Client Secret
        Enter the client secret value generated during Azure application configuration.

      OAuth Resource Owner Password Credential (ROPC) Client Id
        Same as OAuth Client Credential (CC) Client Id.
  4. Click Create to save the changes.
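Two settings above carry logic worth seeing end to end: Default IDP (Tables 1 and 2), which decides where a lookup goes when the user's domain is missing or unknown, and the Custom-type User Filter (Table 1), where a username is substituted into an LDAP search filter. The Python below is an added illustration, not Juniper's code and not the Mist implementation; the IdP entries, the filter template `(&(objectClass=person)(sAMAccountName={user}))`, and the memberOf values are constructed for the example. It routes an identity to the matching IdP, applies RFC 4515 escaping to the username before it is placed in the filter (so a username containing `)` or `*` cannot alter the search), and extracts group names from memberOf DNs, which is the group-membership context the IdP lookup provides.

```python
"""Added example (not Juniper Mist code): IdP selection by user domain,
injection-safe LDAP user-filter construction, and group-name extraction."""
from dataclasses import dataclass
from typing import Optional

# RFC 4515 escaping for values substituted into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it is treated as data inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class IdP:
    """Subset of the IdP settings from Tables 1 and 2 (hypothetical model)."""
    name: str
    idp_type: str                 # "LDAPS" or "OAuth"
    domain_names: list            # user domains this IdP handles
    default: bool = False         # the Default IDP flag
    base_dn: str = ""
    # Custom LDAP type only; {user} is the placeholder for the escaped username.
    user_filter: str = "(&(objectClass=person)(sAMAccountName={user}))"


# Constructed sample configuration for the example.
EXAMPLE_IDPS = [
    IdP("Corp LDAPS", "LDAPS", ["corp.example.com"], base_dn="DC=corp,DC=example,DC=com"),
    IdP("Partner OAuth", "OAuth", ["partner.example"], default=True),
]


def split_identity(identity: str) -> tuple:
    """'alice@corp.example.com' -> ('alice', 'corp.example.com'); 'alice' -> ('alice', None)."""
    user, sep, domain = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, domain.lower()


def select_idp(idps: list, identity: str) -> Optional[IdP]:
    """Route by configured Domain Names; fall back to the Default IDP when the
    domain is absent or unknown; return None when no default is configured."""
    _, domain = split_identity(identity)
    if domain is not None:
        for idp in idps:
            if domain in (d.lower() for d in idp.domain_names):
                return idp
    return next((i for i in idps if i.default), None)


def build_user_filter(idp: IdP, username: str) -> str:
    """Substitute the escaped username into the IdP's User Filter template."""
    return idp.user_filter.format(user=ldap_filter_escape(username))


def first_rdn_value(dn: str) -> str:
    """Value of the first RDN of a DN, honouring backslash-escaped commas
    (the simple '\\,' form; hex escapes such as '\\2c' are not expanded)."""
    out, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    _, _, value = "".join(out).partition("=")
    return value.strip()


def group_names_from_member_of(member_of: list) -> list:
    """Turn memberOf DNs into plain group names for policy decisions."""
    return [first_rdn_value(dn) for dn in member_of]


if __name__ == "__main__":
    for ident in ("alice@corp.example.com", "bob@unknown.test", "carol"):
        chosen = select_idp(EXAMPLE_IDPS, ident)
        print(ident, "->", chosen.name if chosen else "no IdP")
    corp = EXAMPLE_IDPS[0]
    # The injection attempt is neutralised by escaping before substitution.
    print(build_user_filter(corp, "alice)(|(cn=*"))
    print(group_names_from_member_of(["CN=NetworkAdmins,OU=Groups,DC=abc,DC=com"]))
```

The escaping step is the part to keep in mind when writing a Custom User Filter: the filter template is trusted configuration, but the username substituted into it comes from the supplicant, so it must be escaped rather than concatenated.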