jullienl/HPE-COM-PowerShell-Library

HPE Compute Ops Management PowerShell Library

The HPE Compute Ops Management PowerShell library (HPECOMCmdlets) offers a comprehensive suite of cmdlets designed to manage and automate your HPE GreenLake environment. By leveraging this library, users can seamlessly interact with HPE GreenLake and Compute Ops Management services directly from the PowerShell command line, enabling efficient integration into existing automation workflows and enhancing operational efficiency.

This library is actively maintained with continuous updates to support new HPE GreenLake features as they are released.

Latest Release

Version: 1.0.18
PowerShell: 7+

Documentation & Tutorials

📘 Blog & Guides: For detailed insights, step-by-step tutorials, and the latest updates, visit:


Quick Start

Get up and running in 3 steps:

  1. Install the module

    Install-Module HPECOMCmdlets
  2. Connect with your credentials

    # Connect with SSO (Okta, Entra ID, PingID)
    Connect-HPEGL -SSOEmail "[email protected]" -Workspace "MyWorkspace"
    
    # Connect with HPE Account
    Connect-HPEGL -Credential (Get-Credential) -Workspace "MyWorkspace"
  3. Start managing resources

      # List all devices in workspace
      Get-HPEGLDevice
    
      # Get servers from specific COM region
      Get-HPECOMServer -Region "eu-central"
    
      # Add multiple tags to devices
      Get-HPEGLDevice | Add-HPEGLDeviceTagToDevice -Tags "Environment=Production, Location=DataCenter1"
    
      # View subscriptions
      Get-HPEGLSubscription
    
      # Create a new workspace
      New-HPEGLWorkspace -Name "Development" -Type 'Standard enterprise workspace' -Street "123 Main St" -Country "United States"
    
      # Invite users with specific roles
      Send-HPEGLUserInvitation -Email "[email protected]" -Role 'Workspace Administrator'
    
      # Monitor and manage server jobs
      Get-HPECOMJob -Region "eu-central"
      Restart-HPECOMServer -Region "eu-central" -ServerSerialNumber 'CZ12312312' -ScheduleTime (Get-Date).AddHours(6)
    
      # Browse available firmware bundles
      Get-HPECOMFirmwareBundle -Region "eu-central"
    
      # Organize servers into groups
      Get-HPECOMGroup -Region "us-west"
      New-HPECOMGroup -Region "us-west" -Name "Production-Servers"
      Add-HPECOMServerToGroup -Region "us-west" -ServerSerialNumber "J208PP0026" -GroupName "Production-Servers"

    📦 More Examples: Explore the Zero Touch Automation script for comprehensive command reference.

  4. Disconnect when done

    Disconnect-HPEGL

Troubleshooting & Help

# Get detailed help for any cmdlet
Get-Help Connect-HPEGL -Full
Get-Help Set-HPEGLWorkspaceSAMLSSODomain -Examples

# Enable verbose output for debugging
Connect-HPEGL -SSOEmail "[email protected]" -Workspace "Production" -Verbose

# List all available cmdlets
Get-Command -Module HPECOMCmdlets

💡 Need More Help? Check out the blog tutorials for detailed walkthroughs and real-world examples!

Requirements

  • Supported PowerShell Version: 7 or higher.

    Note: PowerShell version 5 is no longer supported.

  • Supported PowerShell Editions: PowerShell Core version 7 or higher.

  • HPE Account requirements: Required for direct authentication (username/password or MFA)

    When you need it:

    • Authenticating directly to HPE GreenLake without SSO
    • Using built-in MFA (email or authenticator app)

    When you don't need it:

    • Using SSO with Okta, Microsoft Entra ID, or PingIdentity
    • Your organization manages authentication through external IdP

    📝 Create your account:

  • Role-Based Access Control:

    • Minimum Required Role: Observer (read-only access to resources)

    • Required Service Access:

      • HPE GreenLake Platform service manager
      • Compute Ops Management (access required for each COM instance you intend to manage)
  • Workspace Type Compatibility:

    ⚠️ Important: Enhanced Workspace Support

    Enhanced workspaces are not fully supported in the current version of this library. Development is in progress to add complete support for enhanced workspace features.

    If you encounter issues with enhanced workspaces, open an issue with details about your workspace configuration.

Best Practices & Performance Considerations

API Rate Limiting

HPE GreenLake APIs implement rate limiting to ensure fair resource allocation and system stability. While most users won't encounter these limits during normal operations, it's important to be aware of them for high-volume scenarios.

When Rate Limits May Apply:

  • Bulk Operations: Processing hundreds or thousands of resources in rapid succession
  • Parallel Execution: Running multiple scripts or PowerShell sessions simultaneously
  • High-Frequency Automation: Scheduled tasks running every few minutes
  • Large-Scale Inventory: Retrieving detailed information for many servers at once

Best Practices to Avoid Rate Limiting:

  1. Batch Your Operations:

    # Retrieve the server list once instead of calling the API in a tight loop
    $servers = Get-HPECOMServer -Region "eu-central"
    # Then filter the cached results locally, with no additional API calls
    $servers | Where-Object { $_.Model -like "*DL380*" }
  2. Add Delays for Bulk Operations:

    # For large-scale operations, add a small delay
    Get-HPECOMServer -Region "eu-central" | ForEach-Object {
        Get-HPECOMServerInventory -Region "eu-central" -Name $_.SerialNumber
        Start-Sleep -Milliseconds 100  # Small delay between calls
    }
  3. Use Filtering Parameters: Reduce API calls by using cmdlet parameters instead of PowerShell filtering

    # Good: Server-side filtering
    Get-HPECOMServer -Region "eu-central" -Model "ProLiant DL380 Gen10"
    
    # Less efficient: Client-side filtering (more API calls)
    Get-HPECOMServer -Region "eu-central" | Where-Object { $_.Model -eq "ProLiant DL380 Gen10" }
  4. Schedule Automation Wisely: For scheduled scripts, avoid intervals shorter than 5-10 minutes unless necessary

If You Encounter Rate Limiting:

  • Error: 429 (Too Many Requests) or Rate limit exceeded
  • Solution: Wait a few minutes before retrying, or implement exponential backoff in your scripts
  • The library includes automatic retry logic for some transient errors

Note: Rate limits vary by API endpoint and are subject to change. For specific limits, consult the Rate limiting page on the HPE GreenLake Developer Portal.
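
The exponential backoff suggested above could be implemented as follows. This is an added example, not code from the library: Invoke-WithBackoff is a hypothetical helper name, and it assumes that throttling surfaces as an error whose message contains "429" or "Rate limit exceeded" and that the cmdlets accept the common -ErrorAction parameter.

```powershell
# Added example, not part of HPECOMCmdlets. Invoke-WithBackoff is a hypothetical helper.
function Invoke-WithBackoff {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [scriptblock] $Operation,
        [int]    $MaxAttempts      = 5,
        [double] $BaseDelaySeconds = 2,
        [double] $MaxDelaySeconds  = 120
    )

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            return & $Operation
        }
        catch {
            # Assumption: a throttled call raises an error whose text contains
            # one of the two strings quoted in the section above.
            $throttled = $_.Exception.Message -match '\b429\b|Rate limit exceeded'

            # Anything else (bad parameter, auth failure) is not retried, and
            # the last throttled attempt is rethrown so the caller sees it.
            if (-not $throttled -or $attempt -eq $MaxAttempts) { throw }

            # Delay doubles per attempt (2, 4, 8, ... seconds), capped, then
            # scaled by a random factor so parallel scripts do not retry in lockstep.
            $ceiling = [Math]::Min($MaxDelaySeconds, $BaseDelaySeconds * [Math]::Pow(2, $attempt - 1))
            $delay   = $ceiling * (Get-Random -Minimum 0.5 -Maximum 1.0)

            Write-Warning ("Rate limited (attempt {0}/{1}); retrying in {2:N1}s" -f $attempt, $MaxAttempts, $delay)
            Start-Sleep -Milliseconds ([int]($delay * 1000))
        }
    }
}

# Usage: per-server inventory with retry on throttling only.
# -ErrorAction Stop turns non-terminating errors into exceptions the wrapper can catch.
$inventory = foreach ($server in Get-HPECOMServer -Region "eu-central") {
    Invoke-WithBackoff {
        Get-HPECOMServerInventory -Region "eu-central" -Name $server.SerialNumber -ErrorAction Stop
    }
}
```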

Supported authentication methods

Single-factor authentication with HPE Account

  • Requires an HPE Account (username and password)
  • Direct authentication using HPE Account credentials
  • Suitable for non-SSO environments or testing scenarios

Multi-factor authentication (MFA) with HPE Account

  • Supported MFA Methods:

    • Time-based One-Time Password (TOTP) codes via Google Authenticator
    • Push notifications via Okta Verify mobile app

    Note: FIDO2 security keys and biometric authenticators (Windows Hello, Touch ID) are not supported

  • MFA Requirements:

    • An HPE account with MFA configured
    • Authenticator app must be installed and linked to your HPE Account
    • If your account uses only security keys or biometrics, you must enable Google Authenticator or Okta Verify in your account settings
    • When both methods are available, Okta Verify push notifications take precedence

SAML Single Sign-On (SSO) with passwordless authentication

⚠️ Important: Testing & Environment Variations

While this library has been tested with Okta, Microsoft Entra ID, and PingIdentity in standard configurations, Identity Provider implementations can vary significantly across organizations due to:

  • Custom authentication policies and security settings
  • Regional differences and cloud environments
  • Organization-specific configurations and restrictions
  • Version differences in IdP software

If you encounter authentication issues specific to your environment:

  • Supported Identity Providers:

    | Identity Provider | Implementation | Status | Push Notifications | TOTP Codes | Number Matching | Timeout | Cloud Environment | Last Tested |
    |---|---|---|---|---|---|---|---|---|
    | Okta | Okta SAML + Okta Verify | ✅ Fully Supported | ✅ Yes | ✅ Yes | Optional | 2 min | All Okta regions | Nov-2025 |
    | Microsoft Entra ID | Entra ID SAML + Microsoft Authenticator | ✅ Fully Supported | ✅ Yes | ❌ No | Mandatory | 2 min | Commercial cloud only | Nov-2025 |
    | PingIdentity | PingOne SAML + PingID MFA | ✅ Fully Supported | ✅ Yes | ✅ Yes | Optional | 2 min | All PingOne regions | Nov-2025 |
    | PingIdentity | PingFederate SAML + PingID MFA | ⚠️ Not Tested | ✅ Expected | ✅ Expected | Optional | 2 min | All PingOne regions | Nov-2025 |
  • ⚠️ Unsupported Identity Providers

    • Identity Providers not listed in the table above (such as Google Workspace, Salesforce Identity, IBM Security Verify, Auth0, OneLogin, etc.) are not supported by this library.

    • Why? While these providers may support SAML 2.0, their authentication flows differ significantly and have not been tested or implemented in this library.

    • Alternative Authentication Options:

      1. HPE Account: Use direct authentication with or without MFA with Google Authenticator or Okta Verify

        Connect-HPEGL -Credential (Get-Credential) -Workspace "Production"
      2. Request Support: Open a feature request with:

        • Your Identity Provider name and version
        • Authentication methods your organization uses
        • Your specific use case and requirements
  • Passwordless Authentication:

    • This library implements passwordless authentication in accordance with industry security best practices recommended by Microsoft, NIST, and FIDO Alliance
    • Uses cryptographic keys and biometric verification to eliminate password-related vulnerabilities including phishing, credential stuffing, and brute force attacks
    • Provides enhanced security while improving user experience by removing password management overhead
    • SSO password authentication is not supported - when using SAML SSO (Okta, Entra ID, PingIdentity), only passwordless methods (push notifications and TOTP) are supported to ensure the highest security level
    • HPE Account password authentication remains supported - direct authentication using HPE Account credentials (username/password) continues to work for non-SSO scenarios
  • Authentication Method Support:

    • Supported: Push notifications (Microsoft Authenticator, Okta Verify, PingID) and TOTP codes

    • Not Supported: FIDO2 security keys, passkeys, and Windows Hello biometrics

      Recommendation: If your account is configured only for FIDO2/passkey authentication, enable push notifications in your Identity Provider settings for PowerShell access. Push notifications with number matching meet the same phishing-resistant security standards as FIDO2

      Technical Reason: FIDO2/WebAuthn requires browser-native APIs (navigator.credentials) and direct hardware access that are not available in PowerShell automation environments

  • SSO Prerequisites:

    • ✅ SAML SSO configured in your HPE GreenLake workspace
    • ✅ Identity Provider configured with HPE GreenLake as a SAML 2.0 application
    • ✅ Passwordless authentication methods enabled (push notifications and/or TOTP)
    • ✅ User has appropriate application access permissions
    • ✅ Domain pre-claimed in workspace (use Get-HPEGLWorkspaceSAMLSSODomain to verify, Set-HPEGLWorkspaceSAMLSSODomain to configure)

    Quick Setup: Use the following cmdlets to manage SAML SSO domains in your workspace:

    • New-HPEGLWorkspaceSAMLSSODomain - Create a new SAML SSO domain
    • Set-HPEGLWorkspaceSAMLSSODomain - Update domain configuration (certificate, attributes, timeouts)
    • Get-HPEGLWorkspaceSAMLSSODomain - View current domain configuration
    • Remove-HPEGLWorkspaceSAMLSSODomain - Remove a domain configuration

    Note: These cmdlets have been tested with standard enterprise workspaces. Enhanced workspace support is currently in development.

  • Configuration Guide:

    📘 Complete SAML SSO Setup Guide
    Step-by-step tutorial covering Okta, Microsoft Entra ID, and PingIdentity configuration with passwordless authentication integration. Includes screenshots, troubleshooting tips, and best practices.

    Additional Resources:

How to Install the Module

To install the library, use the following command to download and install the module from the official PowerShell Gallery:

# Check PowerShell version
$PSVersionTable.PSVersion  # Should be 7.0 or higher

# Install the module
Install-Module HPECOMCmdlets

# Verify installation
Get-Module HPECOMCmdlets -ListAvailable

# View available cmdlets
Get-Command -Module HPECOMCmdlets

How to Upgrade the Module

If you have already installed the module and need to update it to the latest version, run the following commands:

# Step 0: Unload the module from memory (if currently loaded)
Remove-Module HPECOMCmdlets -Force -ErrorAction SilentlyContinue

# Step 1: Record the currently installed version (the one to remove after the upgrade)
$oldVersion = (Get-InstalledModule HPECOMCmdlets | Sort-Object Version -Descending | Select-Object -First 1).Version

# Step 2: Install latest version
Install-Module -Name HPECOMCmdlets -Scope CurrentUser -Force -AllowClobber

# Step 3: Uninstall the old version, but only if a different version was actually installed
# (if you were already on the latest release, removing $oldVersion would remove the only copy)
$newVersion = (Get-InstalledModule HPECOMCmdlets).Version
if ($newVersion -ne $oldVersion) {
    Uninstall-Module -Name "HPECOMCmdlets" -RequiredVersion $oldVersion
}

# Step 4: Verify the upgrade
Get-Module HPECOMCmdlets -ListAvailable | Select-Object Name, Version, Path

Important Notes:

  • Step 0 (Unload Module): Required to release file locks and clear old code from memory. Without this, Windows may prevent file updates or the old version may remain active even after installation.
  • -Scope CurrentUser: Installs to your user profile (~\Documents\PowerShell\Modules\) without requiring administrator privileges. Omit this parameter or use -Scope AllUsers if you have admin rights and want to install for all users.
  • Version Verification: Step 4 confirms the upgrade succeeded and shows the installation path to verify the correct version is loaded.

How to Connect to HPE GreenLake and Compute Ops Management

The Connect-HPEGL cmdlet establishes a connection to HPE GreenLake and its associated Compute Ops Management (COM) services. This connection enables you to manage resources across your HPE GreenLake workspace and all configured COM instances.

Connection Scope

  • Single Connection: One active connection per PowerShell session via $Global:HPEGreenLakeSession
  • Multi-Region COM Access: Automatically connects to all COM instances in your workspace (e.g., eu-central, us-west, ap-northeast)
  • Service Coverage: Provides access to the HPE GreenLake platform service and all regional COM instances simultaneously

Session Management

The Connect-HPEGL cmdlet creates a persistent session stored in $Global:HPEGreenLakeSession, which contains:

  • Session Information: Web request sessions for authentication and API operations
  • API Credentials: Temporary unified API client credentials for HPE GreenLake and Compute Ops Management instances
  • OAuth2 Tokens: Access tokens, ID tokens, and refresh tokens with automatic refresh capabilities
  • Workspace Details: Workspace ID, name, and organization information
  • Token Metadata: Creation timestamps and expiration details

Token Lifecycle:

  • Access Tokens: Valid for 2 hours with automatic refresh when they expire
  • Refresh Tokens: Used to obtain new access tokens without re-authentication
  • Session Persistence: Does not persist across PowerShell restarts
  • Manual Disconnect: Use Disconnect-HPEGL to clear the session and invalidate tokens

View Session Details:

# Display current session information
$Global:HPEGreenLakeSession

# View API credentials for connected services
$Global:HPEGreenLakeSession.apiCredentials

# Check when the OAuth2 tokens were created (access tokens are valid for 2 hours)
$Global:HPEGreenLakeSession.oauth2TokenCreation

💡 Tip: For detailed session properties and structure, use Get-Help Connect-HPEGL -Full and review the OUTPUTS section.

Regional COM Instance Support

When connected, you can target specific COM instances using the -Region parameter in COM-related cmdlets:

# Manage servers in European COM instance
Get-HPECOMServer -Region "eu-central"

# Manage servers in US COM instance  
Get-HPECOMServer -Region "us-west"

Authentication Examples

Example 1: Direct authentication with username and password

  • Bypasses SSO federation and requires an HPE account

    $cred = Get-Credential
    Connect-HPEGL -Credential $cred -Workspace "Production" -RemoveExistingCredentials
  • The -RemoveExistingCredentials parameter removes all existing API credentials generated by previous connections. Use this to resolve the "maximum of 7 personal API clients" error by clearing unused credentials.

  • Upon successful connection, a $Global:HPEGreenLakeSession object is created and displayed, containing your authentication context and connection details

Example 2: SAML SSO with Okta (push notification with number matching)

  • Uses Okta SAML federation with Okta Verify push notifications

  • Number matching provides phishing-resistant authentication

    Connect-HPEGL -SSOEmail "[email protected]" -Workspace "Production"

    💡 Tip: Add -RemoveExistingCredentials if you encounter "maximum of 7 personal API clients" error. This clears old API credentials from previous sessions.

  • During the authentication process, a verification number (e.g., 59) will be displayed in the PowerShell console

  • Approve the push notification sent to Okta Verify by tapping the matching number on your mobile device.

Example 3: SAML SSO with Microsoft Entra ID (push notification with number matching)

  • Uses Microsoft Entra ID SAML federation with Microsoft Authenticator

  • Number matching is mandatory and provides phishing-resistant authentication

    Connect-HPEGL -SSOEmail "[email protected]" -Workspace "Production"

    💡 Tip: Add -RemoveExistingCredentials if you encounter "maximum of 7 personal API clients" error. This clears old API credentials from previous sessions.

  • During the authentication process, a verification number (e.g., 59) will be displayed in the PowerShell console

  • Approve the push notification sent to Microsoft Authenticator by typing the matching number on your mobile device.

Example 4: SAML SSO with PingIdentity (push notification)

  • Uses PingIdentity SAML federation with PingID mobile app

  • Supports both push notifications and TOTP codes for flexible authentication

    Connect-HPEGL -SSOEmail "[email protected]" -Workspace "Production"

    💡 Tip: Add -RemoveExistingCredentials if you encounter "maximum of 7 personal API clients" error. This clears old API credentials from previous sessions.

  • During the authentication process, a push notification will be sent to your PingID mobile app

  • Approve the push notification on your mobile device to complete authentication

Example 5: Connect without specifying workspace

  • If you have not yet created any workspace, you must omit the -Workspace parameter.

    Connect-HPEGL -SSOEmail "[email protected]"
  • After successful authentication, you can create a new workspace using New-HPEGLWorkspace.

Example 6: Enable verbose output for troubleshooting

  • Use the -Verbose parameter to display detailed authentication flow information for debugging connection issues

    Connect-HPEGL -SSOEmail "[email protected]" -Workspace "Production" -Verbose
  • The verbose output includes:

    • SAML authentication steps and redirects
    • Identity Provider detection and configuration
    • MFA method selection and status
    • API token generation and validation
    • Workspace connection confirmation
  • Useful for diagnosing authentication failures, SSO configuration issues, or timeout problems


Connecting to Development/Staging Environments (Optional)

Note: This section is for HPE internal developers and partners who need to test against HPE GreenLake development, staging, or pre-production environments.

By default, Connect-HPEGL connects to the production HPE GreenLake environment. If you need to connect to a development or staging environment, you can override the default API endpoints using environment variables.

Environment Variables for Custom Endpoints:

| Variable | Description | Production Default |
|---|---|---|
| HPE_COMMON_CLOUD_URL | HPE GreenLake Common Cloud API endpoint | https://common.cloud.hpe.com |
| HPE_AUTH_URL | HPE Authentication/Authorization endpoint | https://auth.hpe.com |
| HPE_SSO_URL | HPE SSO endpoint for SAML federation | https://sso.common.cloud.hpe.com |

Example: Connect to Development Environment

# Set environment variables for development endpoints
$env:HPE_COMMON_CLOUD_URL = "https://pavo.common.cloud.hpe.com/"
$env:HPE_AUTH_URL = "https://auth-itg.hpe.com"
$env:HPE_SSO_URL = "https://dev-sso.common.cloud.hpe.com"

# Connect using SSO (environment variables are automatically detected)
Connect-HPEGL -SSOEmail "[email protected]" -Workspace "TestWorkspace"

# Or connect with credentials
Connect-HPEGL -Credential (Get-Credential) -Workspace "TestWorkspace"

Example: Connect to Staging Environment

# Set environment variables for staging endpoints
$env:HPE_COMMON_CLOUD_URL = "https://staging-common.cloud.hpe.com"
$env:HPE_AUTH_URL = "https://staging-auth.hpe.com"
$env:HPE_SSO_URL = "https://staging-sso.common.cloud.hpe.com"

# Connect to staging
Connect-HPEGL -SSOEmail "[email protected]" -Workspace "StagingWorkspace"

Clearing Environment Variables:

To return to production endpoints, remove the environment variables:

# Clear custom environment variables
Remove-Item env:HPE_COMMON_CLOUD_URL -ErrorAction SilentlyContinue
Remove-Item env:HPE_AUTH_URL -ErrorAction SilentlyContinue
Remove-Item env:HPE_SSO_URL -ErrorAction SilentlyContinue

# Next connection will use production endpoints
Connect-HPEGL -SSOEmail "[email protected]" -Workspace "Production"

Important Notes:

  • ⚠️ Development and staging environments may have different data, user accounts, and configurations than production
  • ⚠️ Test workspaces and resources in non-production environments should not be used for production workflows
  • ⚠️ API behavior in development/staging environments may differ from production
  • ⚠️ Contact your HPE representative for access to non-production environments
  • 💡 These environment variables persist only for the current PowerShell session unless you set them at the system level
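
Because these variables decide where Connect-HPEGL sends credentials, a production script can check them before connecting. The following pre-flight check is an added example, not code from the library: Test-HPEGLEndpointOverride and its -AllowedHost parameter are hypothetical names, and the variable names and production defaults are the ones listed in the table above.

```powershell
# Added example, not part of HPECOMCmdlets. Test-HPEGLEndpointOverride is a hypothetical helper.
function Test-HPEGLEndpointOverride {
    [CmdletBinding()]
    param(
        # Non-production hosts you explicitly accept (empty = production only).
        [string[]] $AllowedHost = @()
    )

    # Variable names and production defaults as documented in this section.
    $production = [ordered]@{
        HPE_COMMON_CLOUD_URL = 'https://common.cloud.hpe.com'
        HPE_AUTH_URL         = 'https://auth.hpe.com'
        HPE_SSO_URL          = 'https://sso.common.cloud.hpe.com'
    }

    foreach ($name in $production.Keys) {
        # Reads the process environment, which also includes values inherited
        # from user-level or system-level settings.
        $value    = [Environment]::GetEnvironmentVariable($name)
        $prodHost = ([uri]$production[$name]).Host
        $finding  = [ordered]@{ Variable = $name; Value = $value; Status = 'Unset (production default)'; Safe = $true }

        if (-not [string]::IsNullOrWhiteSpace($value)) {
            $uri    = $null
            $parsed = [uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)

            if (-not $parsed -or $uri.Scheme -ne 'https') {
                $finding.Status = 'Rejected: not an absolute https URL'
                $finding.Safe   = $false
            }
            elseif ($uri.Host -eq $prodHost) {
                $finding.Status = 'Override points at the production host'
            }
            elseif ($AllowedHost -contains $uri.Host) {
                $finding.Status = 'Override to an allowed non-production host'
            }
            else {
                $finding.Status = 'Rejected: host is not in the allow list'
                $finding.Safe   = $false
            }
        }
        [pscustomobject]$finding
    }
}

# Production job: no overrides are acceptable, so no -AllowedHost is passed.
# A development job would pass the hosts it expects, for example
#   -AllowedHost 'pavo.common.cloud.hpe.com', 'auth-itg.hpe.com', 'dev-sso.common.cloud.hpe.com'
$report = Test-HPEGLEndpointOverride
$report | Format-Table -AutoSize

if ($report.Safe -contains $false) {
    throw 'Unexpected HPE_* endpoint override detected; refusing to send credentials.'
}
Connect-HPEGL -Credential (Get-Credential) -Workspace "Production"
```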

Support

Community Support

This is a community-supported library maintained by Lionel Jullien (HPE employee). It is not an official HPE product and is not covered by HPE's commercial support agreements.

Getting Help:

  • 🐛 Bug Reports & Feature Requests: Open a new issue on the GitHub issue tracker
  • 💬 Questions & Discussions: Join our GitHub Discussions for general questions, tips, and community support
  • 📘 Tutorials & Guides: Visit my blog for detailed walkthroughs: PowerShell Library for HPE Compute Ops Management
  • 📖 Documentation: Use Get-Help <cmdlet-name> -Full for comprehensive cmdlet documentation

Response Time:

  • Community support is provided on a best-effort basis
  • Issues are typically reviewed within 1-3 business days
  • Complex issues may require additional time for investigation

Contributing:

  • Community contributions are welcome! See the repository for contribution guidelines
  • Share your scripts and use cases in GitHub Discussions

Official HPE Support

For questions about:

Common Issues and Solutions

"Maximum of 7 personal API clients exceeded"

Error Message: Failed to create API client: Maximum number of personal API clients (7) exceeded.

Cause: HPE GreenLake limits each user to 7 active API credentials. Old sessions from previous connections accumulate over time if not properly cleaned up.

Solutions:

  1. Use -RemoveExistingCredentials parameter (Recommended):

    # For direct authentication
    Connect-HPEGL -Credential $cred -Workspace "Production" -RemoveExistingCredentials
    
    # For SSO authentication
    Connect-HPEGL -SSOEmail "[email protected]" -Workspace "Production" -RemoveExistingCredentials

    This automatically removes old API credentials before creating a new one.

  2. Manual cleanup (if needed):

    • Log into HPE GreenLake Common Cloud Console
    • Navigate to Manage Account → API Credentials
    • Delete unused API clients manually
    • Look for credentials with names like "PS_Library_Temp_Credential" from previous sessions

Prevention:

  • Always use Disconnect-HPEGL when finished to properly clean up credentials
  • Include -RemoveExistingCredentials in automation scripts to prevent accumulation
  • Regularly audit and remove unused API credentials from your account
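
The prevention steps above, together with the session details described under Session Management, can be combined in one wrapper for automation scripts. This is an added example, not code from the library: Invoke-HPEGLScopedSession is a hypothetical helper name, and it assumes Connect-HPEGL accepts the common -ErrorAction parameter.

```powershell
# Added example, not part of HPECOMCmdlets. Invoke-HPEGLScopedSession is a hypothetical helper.
function Invoke-HPEGLScopedSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string]       $Workspace,
        [Parameter(Mandatory)] [scriptblock]  $Work
    )

    try {
        # Connect-HPEGL displays the session object on success. Discard that
        # output so session details do not end up in transcripts or job logs.
        Connect-HPEGL -Credential $Credential -Workspace $Workspace `
            -RemoveExistingCredentials -ErrorAction Stop | Out-Null

        & $Work
    }
    finally {
        # finally runs on success, on a terminating error and on Ctrl+C, so the
        # temporary API credential is cleaned up and the tokens are invalidated
        # even when the work fails halfway through.
        if ($Global:HPEGreenLakeSession) {
            Disconnect-HPEGL | Out-Null
        }
    }
}

# Usage: the session exists only for the duration of the script block.
$cred = Get-Credential
$servers = Invoke-HPEGLScopedSession -Credential $cred -Workspace "Production" -Work {
    Get-HPECOMServer -Region "eu-central"
}
```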

"SSO configuration issue detected" or "Domain not configured for SSO"

Error Message: Authentication failed: SSO configuration issue detected. The domain for '[email protected]' is not configured for SSO or the SSO setup is incomplete.

Cause: The email domain is not properly configured for SSO in HPE GreenLake, or the SSO federation setup is incomplete.

Solutions:

  1. Verify Domain Pre-Claim:

    • Log into HPE GreenLake Common Cloud Console as a Workspace Administrator
    • Navigate to Manage Workspace → Domains
    • Confirm your email domain (e.g., @company.com) is listed and claimed (verified)
  2. Verify SSO Configuration:

    • Ensure SAML SSO is configured for your workspace
    • Navigate to Manage Workspace → SSO configuration → Authentication policy
    • Confirm the Identity Provider connection is correct
    • Test SSO authentication in a browser first before using PowerShell
  3. Check Email Domain:

    • Verify you're using the correct email address associated with your SSO domain
    • Ensure the domain matches the one configured in HPE GreenLake (e.g., [email protected] not [email protected])
  4. Contact Administrator:

Note: This error occurs before reaching your Identity Provider, indicating a configuration issue at the HPE GreenLake level, not with Okta/Entra ID/PingIdentity.

"Timeout! MFA push notification was not approved"

Error Messages:

  • Timeout! Microsoft Authenticator push notification was not approved within 2 minutes
  • Timeout! Okta Verify push notification was not approved within 2 minutes
  • Timeout! PingID push notification was not approved within 2 minutes

Cause: Authentication timeout while waiting for user to approve the push notification.

Solutions:

  • Approve the push notification within the 2-minute timeout period
  • Ensure your mobile device has an active internet connection
  • Verify your authenticator app is open and signed in
  • Use a TOTP code as an alternative (available for Okta and PingIdentity)

"Microsoft Authenticator push notification was denied"

Error Message: Microsoft Authenticator push notification was denied. The user either clicked 'It's not me' or entered an invalid number.

Cause: User rejected the authentication request or entered an incorrect verification number.

Solutions:

  • Re-run the authentication command and approve the request
  • For Microsoft Entra ID: Carefully enter the exact number displayed in PowerShell
  • Confirm the authentication request is legitimate before approving

"Authenticator not enrolled" (General Guidance)

Typical Scenarios:

  • Okta: "Okta Verify authenticator not found"
  • PingIdentity: PingID not properly enrolled
  • Microsoft Entra ID: Passwordless phone sign-in not configured

Cause: Required MFA method is not enrolled for the user account.

Solutions:

  • Enroll in your organization's supported authenticator: Okta Verify, Microsoft Authenticator, or PingID
  • For Microsoft Entra ID: Enable passwordless phone sign-in (standard MFA enrollment is insufficient)
  • Configure enrollment through your Identity Provider's self-service portal
  • Refer to the Configuring SAML SSO with HPE GreenLake and Passwordless Authentication guide

"Configuration changes not propagating" (General Guidance)

Cause: Identity Provider configuration changes require time to propagate across systems.

Solutions:

  • Allow 15-30 minutes for configuration changes to propagate across all systems
  • Clear cached authentication sessions in your browser and authenticator apps
  • Retry authentication after the propagation period

Identity Provider-Specific Issues

Okta Issues

"Okta Verify authenticator not found"

  • Error Message: Okta Verify authenticator not found. For Okta setup prerequisites, see: [setup guide]
  • Cause: Okta Verify not enrolled or not configured in your Okta tenant
  • Solution:
    • Install Okta Verify from your app store
    • Enroll through your Okta self-service portal
    • Contact your IT administrator if the app isn't available

"Multi-factor authentication (TOTP + additional factor) is not supported"

  • Error Message: Multi-factor authentication (TOTP + additional factor) is not supported. Please configure Okta to use TOTP alone.
  • Cause: Your Okta policy requires TOTP + password (multi-factor)
  • Solution: Configure Okta policy to use TOTP alone without additional factors

"Multi-factor authentication (Push + additional factor) is not supported"

  • Error Message: Multi-factor authentication (Push + additional factor) is not supported.
  • Cause: Your Okta policy requires push + password (multi-factor)
  • Solution: Configure Okta policy to use push alone without additional factors

Microsoft Entra ID Issues

"Microsoft Authenticator passwordless sign-in is not fully configured"

  • Error Message: Microsoft Authenticator passwordless sign-in is not fully configured. Please wait a few minutes for configuration changes to propagate.
  • Cause: Passwordless phone sign-in not fully configured or changes still propagating
  • Solution:

"AADSTS50012: Invalid client secret is provided"

  • Note: This is a Microsoft Entra ID service error, not generated by the library
  • Cause: Indicates password-based authentication attempted instead of passwordless
  • Solution: If you encounter this error, please report it as a bug - the library should only use passwordless methods

PingIdentity Issues

"PingID not configured or enrolled"

  • Typical Scenarios:
    • PingID app not installed or not enrolled
    • User not assigned to PingID in PingOne
    • PingID authentication policy not configured
  • Cause: PingID not properly set up for the user account
  • Solution:
    • Install PingID mobile app from your app store
    • Complete PingID enrollment through your organization's portal
    • Verify PingID enrollment through PingOne portal
    • Confirm your organization's PingOne region (NA/EU/APAC/CA)
    • Ensure PingID app is up to date
    • Contact your IT administrator if enrollment is not available

Disclaimer

Please note that the HPE GreenLake APIs are subject to change. Such changes can impact the functionality of this library. We recommend keeping the library updated to the latest version to ensure compatibility with the latest API changes.

Want more?

🔗 PowerShell Gallery

License

This library is provided under the MIT License.

📄 See the LICENSE file in this repository for the complete license text.

Key Points:

  • ✅ Free to use, modify, and distribute
  • ✅ Commercial and private use allowed
  • ✅ No warranty provided (use at your own risk)
  • ✅ Attribution required when redistributing
