SAML or OIDC or any AAA authentication for cnMaestro Cloud

Enable SAML or OIDC or any AAA authentication in cnMaestro Cloud for integrations with Okta or similar IDP.

Hi @Anthony_Zammit, welcome to the Cambium community.

We are testing SAML authentication for cnMaestro Cloud at the moment (actually for all properties that use the Cambium Single-Sign-On). If you’d like to be part of the test, please send me a private message and we’ll set it up.

Great that you guys are working on this, Simon.
Makes it a lot easier to deal with onboard and offboard tech personnel and not deal with forgotten or fragmented user credentials on cloud services.


Sorry to be rude.
Had a client ask if there’s been any progress on this?
Their auditing department will effectively prohibit them from using any cloud service with non-federated logins in future.

Yes, we’ve got a few customers using SAML to log in to the Cambium SSO system now. There’s no self-service interface for setting it up at the moment - it needs to be configured by Cambium staff.

SAML is configured for the customer’s email domain. Once it is enabled, all attempts to log in with an email address at that domain will be routed via SAML instead.

Note that SAML is currently used for authentication only, not authorization. You would still manage user permissions from within your cnMaestro account. We may enhance this in the future so that roles/groups in the SAML information can be used for access control within cnMaestro, but we don’t currently have a design for that.

If your client would like to proceed with this, please let me know.

Going to check with the client for you.
Should be doable but would have to check their setup.

Hello Simon,

Is it still the case that if you have a cnMaestro X and you want to use SSO, the Cambium staff has to configure this, or can we already do this ourselves? If we can, are there any whitepapers for this?

Kind regards,
Pedro

Hi Pedro, and welcome to the Cambium community.

Yes, I’m afraid it still needs to be configured by us. Feel free to message me with some details about your Identity Provider and I will get the process started.

Hi Simon,
Is it possible to integrate local cnMaestro with SailPoint IdentityIQ, BeyondTrust PasswordSafe & CA Layer 7 Advanced Authentication SiteMinder, supporting the Single Sign-On feature?
Another requirement from cyber security in terms of access management is that the product complies with:
a. SAML 2.0
b. SAML 1.1
c. WS Federation
d. OpenID or
e. Header based
f. Multi-Factor Authentication

Hi @Ahmed_Sayed, welcome to the community.

I don’t know anything about the products you mention, but cnMaestro On-Premises supports OpenID Connect and SAML 2.0 for authentication. I don’t believe it currently has built-in support for MFA, but if you are using SAML or OIDC, you would implement MFA in your identity provider.

2 posts were split to a new topic: Problem integrating cnMaestro On-Premises with Cisco ISE

So we are almost a year later; is there any progress on the single sign-on?

Hi Alex, welcome to the Cambium Community.

What type of single sign-on are you looking for? For cnMaestro On-Premises we support OpenID Connect and SAML 2.0. For cnMaestro Cloud, we support SAML 2.0.

Hi Simon

It is for the cloud so then SAML 2.0.

Great! In that case, please raise a customer support ticket asking for help setting up SSO for cnMaestro Cloud, and we can proceed from there.