Does CIP export username/role information for devices in Free/Open Access if SSO is being processed?
Usernames are exported for devices in Free/Open Access!
Roles are a very different story. Typically we don’t collect role information in SafeConnect if a device is in Free/Open Access. Starting with 6.1.5 a flag has been added to enable this. It can be found on the bottom of the authsetup page. If this is checked, we will collect role information for devices in Free/Open access, if it is unchecked, we won’t. Regardless, if we have role information, and the publisher supports it, we will publish.
Exinda and iboss publishers support roles, as does JSON, syslog and Procera publishers (See here for a full reference to what is included in each publisher). Palo Alto currently does not export roles and the reason for that is that Palo Alto does the role lookups on their side.