Single Sign-On for the Juniper Mist Portal

• You can use any IdP that supports SAML 2.0.

• Your SAML configuration must include these attributes, with the capitalization and spacing as shown.

  • FirstName (recommended)

  • LastName (recommended)

  • NameID (required)—NameID is the unique identifier for the user account. You select the ID format (e-mail address or unspecified) when you add the IdP on the Organization Settings page. For more information, see Add Identity Providers.

  • Role (required if you configure default_role via API)—Role is used to derive the permissions that the user should be granted. The role that you assign to the IdP account must be configured as a custom role in Juniper Mist. For more information, see Create Custom Roles for Single Sign-On Access.

    Note:

    If a user account is associated with multiple roles, be sure that all of them are configured as custom roles in Juniper Mist. If a role is missing, access will be denied.

If you use multiple IdPs for your user accounts, you can add all the IdPs in the organization settings.

Keep in mind that an SSO user account must be associated with only one SSO. This is typically most relevant when you use different IdPs for test and production purposes. In this situation, ensure that the user's two IdP accounts are set up with different usernames (or email addresses, if that is the format that you use for NameID).

Set up at least one local user account with the Super User administrator role. This way, if there is an SSO issue, such as an expired certificate, at least one administrator will have access to the Juniper Mist portal.

Other users do not need local user accounts. With SSO, you set up the user accounts in your IdP portal, and the IdP performs authentication when the user logs in to the Juniper Mist portal. The users' assigned roles determine the features that they can access in the portal.