Single Sign-On for the Juniper Mist Portal
Understand important concepts to implement single sign-on (SSO) for the Juniper Mist™ portal.
You can set up your organization to allow users to access the Juniper Mist portal by using single sign-on (SSO). You can use any identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0.
Any IdP that supports SAML 2.0 integrations will work; examples include Azure, ADFS, Google, and Okta.
Requirements
- You can use any IdP that supports SAML 2.0.
- Your SAML configuration must include these attributes, with the capitalization and spacing as shown.
  - FirstName (recommended)
  - LastName (recommended)
  - NameID (required)—NameID is the unique identifier for the user account. You select the ID format (e-mail address or unspecified) when you add the IdP on the Organization Settings page. For more information, see Add Identity Providers.
  - Role (required if you configure default_role via API)—Role is used to derive the permissions that the user should be granted. The role that you assign to the IdP account must be configured as a custom role in Juniper Mist. For more information, see Create Custom Roles for Single Sign-On Access.
    Note: If a user account is associated with multiple roles, be sure that all of them are configured as custom roles in Juniper Mist. If a role is missing, access will be denied.
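As an added example (not Juniper's code), a small Python check that applies the attribute rules above to a SAML assertion before it is trusted for portal access: it confirms that NameID is present, that the attribute names match in capitalization and spacing, and that every Role value is one of the organization's configured custom roles, since a single unconfigured role means access is denied. The sample assertion and the role names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from any real IdP); only the
# Subject and AttributeStatement are shown, signature and conditions omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>NetworkAdmin</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return (NameID value or None, {attribute name: [values]})."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return (name_id.text if name_id is not None else None), attrs

def check_assertion(assertion_xml, custom_roles, role_required=True):
    """Apply the rules above. Returns (ok, problems, warnings); 'problems' are
    conditions under which access is denied, 'warnings' cover recommended attributes."""
    name_id, attrs = extract_attributes(assertion_xml)
    problems, warnings = [], []
    if not name_id:
        problems.append("NameID missing from Subject")
    # Attribute names must match exactly; report case/spacing near-misses.
    for wanted in ("FirstName", "LastName"):
        if wanted not in attrs:
            near = [n for n in attrs if n.replace(" ", "").lower() == wanted.lower()]
            warnings.append(f"{wanted} missing" + (f" (found {near[0]!r} instead)" if near else ""))
    roles = attrs.get("Role", [])
    if role_required and not roles:
        problems.append("Role missing")
    unknown = [r for r in roles if r not in custom_roles]
    if unknown:  # one unconfigured role is enough for access to be denied
        problems.append(f"Role values not configured as custom roles: {unknown}")
    return (not problems), problems, warnings
```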
Multiple Identity Providers
If you use multiple IdPs for your user accounts, you can add all the IdPs in the organization settings.
Keep in mind that an SSO user account must be associated with only one SSO configuration (IdP). This is typically most relevant when you use different IdPs for test and production purposes. In this situation, ensure that the user's two IdP accounts are set up with different usernames (or email addresses, if that is the format that you use for NameID).
Local User Accounts
Set up at least one local user account with the Super User administrator role. This way, if there is an SSO issue, such as an expired certificate, at least one administrator will have access to the Juniper Mist portal.
Other users do not need local user accounts. With SSO, you set up the user accounts in your IdP portal, and the IdP performs authentication when the user logs in to the Juniper Mist portal. The users' assigned roles determine the features that they can access in the portal.