Documentation

 

Introduction

Use this guide to enable Single Sign-on (SSO) access via SAML to Cisco Identity Services Engine (ISE).

There are several procedures for the Cisco ISE and SecureAuth IdP configurations, including instructions for testing and troubleshooting. 

 


Prerequisites

  • Cisco ISE account
  • SecureAuth IdP version 9.1 or later, with a realm ready for the Cisco ISE integration

 


Cisco ISE configuration steps

The Cisco ISE configuration steps are divided into several sections:

  • Step A: Add external ID source to Cisco ISE – configure Cisco ISE to use external SAML identity provider
  • Step B: Cisco ISE Guest Portal configuration – configure the Guest Portal in Cisco ISE to use an external SAML identity provider
  • Step C: Configure the SecureAuth IdP alternative login on Cisco page – configure the display of the SecureAuth IdP login on the Cisco Guest Portal login page
  • Step D: Export SecureAuth IdP metadata file – export SecureAuth IdP metadata from Cisco ISE

Step A: Add external ID source to Cisco ISE

This procedure explains how to configure Cisco ISE to use an external SAML identity provider to obtain user information for authentication. 

1. In Cisco ISE, select Administration > Identity Management > External Identity Sources

2. On the External Identity Sources tab, select the folder SAML Id Providers

3. Select the SecureAuth check box and click Add.

4. On the General tab, in the Id Provider Name field, enter the name of the identity provider, SecureAuth.

5. Click Save.

The remaining configuration settings depend on the metadata imported from the SecureAuth IdP in later steps.

Step B: Cisco ISE Guest Portal configuration 

This procedure explains how to configure the Guest Portal in Cisco ISE to use an external SAML identity provider to authorize temporary access for external users to internal networks and services.   

1. In Cisco ISE, select the Work Centers tab and in the Guest Access group, click Overview

2. Select the Portals & Components tab and click Guest Portals

3. Click Create

4. Select the Self-Registered Guest Portal option and click Continue

Note: This is not the main portal for the user interaction to SecureAuth IdP. Instead, this is a subportal interaction to verify session status. This portal is called SSOSubPortal. 

5. In the Portal Name field, type the name of the portal.

6. Expand Portal Settings.

7. In the Authentication method field, select SecureAuth

8. Click the Work Centers > Guest Access > Identity Source Sequences link and choose the previously defined External SAML IdP. 

9. Expand Acceptable Use Policy (AUP) Page Settings and clear the Include an AUP page check box. 

10. Expand Post-Login Banner Page Settings and clear the Include a Post-Login Banner page check box.

The Portal flow is SSO Login to Max Devices Reached to Success.

 

11. Save your changes.

12. Go back to Guest Portals and create a new one using the Self-Registered Guest Portal option.

TIP: For more information about repeating these steps, see steps 2 through 4. 

13. In the Portal Name field, type the primary portal name. 

14. Expand Login Page Settings

15. Select the Allow the following identity-provider guest portal to be used for login check box and choose the name of the previously created SSO sub portal. 

16. Expand Acceptable Use Policy (AUP) Page Settings and clear all of the check boxes.

17. Expand Post-Login Banner Page Settings and clear the Include a Post-Login Banner page check box. 

At this point, the portal Guest Flow looks like the following screen capture. 

Step C: Configure the SecureAuth IdP alternative login on Cisco page

To display the SecureAuth IdP login on the Cisco Guest Portal login page, you must configure the alternative login option. 

1. In Cisco ISE, click Portal Page Customization

2. Click the Login section.

 

3. Click Icon



4. Select Portal Customization > Pages > Login

You can preview your changes for a mobile login screen. 

You can also view your changes for a desktop browser login page. 

5. In the Portals Settings and Customizations section, click Save.  

Your changes appear in the Guest Portals section. 

Step D: Export SecureAuth IdP metadata file 

As part of the Cisco ISE configuration with SecureAuth IdP, the SecureAuth IdP metadata file must be exported from Cisco ISE. During the later steps of the SecureAuth IdP configuration, this exported file will need to be imported into SecureAuth IdP.  

1. In Cisco ISE, from the Administration tab, in the Identity Management group, select External identity Sources

2. From the list of folders on the left, expand the SAML Id Providers folder and click SecureAuth

3. Select the Service Provider Info tab. 

4. Next to Export Service Provider Info, click Export

The SecureAuth IdP metadata file SSOPortal.xml downloads in a zip file. 

 


SecureAuth IdP configuration steps

1. Log in to your SecureAuth IdP Admin console. 

Post Authentication tab

Important! To retain your configurations, be sure to click Save often, before leaving the Post Authentication tab page. Once you leave that tab, any unsaved changes are lost. 

2. Select the Post Authentication tab.

Post Authentication section

3. In the Post Authentication section, make the following entry.

a. Set Authenticated User Redirect to SAML 2.0 (SP Initiated) Assertion

 

User ID Mapping section

4. In the User ID Mapping section, make the following entries.

a. Set User ID Mapping to Authenticated User ID.

b. Set Name ID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

c. Set Encode to Base64 to False.

SAML Assertion / WS Federation section

 5. In the SAML Assertion / WS Federation section, make the following entries. 

a. Set WSFed Reply To/SAML Target URL to the Cisco ISE URL where users are redirected upon successful authentication. 

b. Set the SAML Consumer URL to the Cisco ISE URL used to accept the SAML assertion. 

c. Set the WSFed/SAML Issuer to the unique name that identifies SecureAuth IdP to Cisco ISE. (Note: This might include the realm number in the URL). 

The value used in the WSFed/SAML Issuer field must match in both the Cisco ISE and SecureAuth IdP configurations.

d. Set the SAML Recipient URL to the identifiable information of the SAML Recipient. 

e. Set AuthnContext Class to PasswordProtectedTransport.

f. Leave the default value in the Signing Cert Serial Number field.  Otherwise, to use a third-party certificate for the SAML assertion, click the Select Certificate link and choose the appropriate certificate.    

g. Set the Domain to the SecureAuth IdP appliance URL or IP address to download the metadata file. 

h. Next to Metadata File, click the Download link to download the SecureAuth IdP metadata file. 

SAML Attributes / WS Federation section

6. In the SAML Attributes / WS Federation section, make the following entries. 

SectionFieldDescription/Recommendation
Attribute 1NameSet to mail
ValueSet to Email 1 
Attribute 2NameSet to memberOf
ValueSet to GroupLIst
Attribute 3NameSet to givenName
ValueSet to First Name
Attribute 4NameSet to userPrincipalName
ValueSet to Aux ID 1
Attribute 5NameSet to objectGUID
ValueSet to Aux ID 2
Attribute 6NameSet to username
ValueSet to Authenticated User ID
Attribute 7NameSet to sn
ValueSet to Last Name

7. Click Save

 


Import SecureAuth IdP metadata to Cisco ISE

After the SecureAuth IdP realm is configured for this integration, you need to import this SecureAuth IdP metadata into the Cisco ISE External SAML IdP Provider Profile.

1. In Cisco ISE, from the Administration tab, in the Identity Management group, click External identity Sources

2. From the list of folders on the left, expand the SAML Id Providers folder and click SecureAuth.  

3. Select the Identity Provider Config tab. 

4. Next to the Import Identity Provider Config File field, click Browse and proceed to import the SecureAuth IdP metadata file that was exported and saved in step 5h. of the procedure SecureAuth IdP Configuration Steps.

5. Verify that the metadata is set correctly on the tabs.

Groups tab

In the Groups tab, the Group Membership Attribute is set to memberOf.

Attributes tab

In the Attributes tab, verify these attributes are included.

Name in AssertionTypeName in ISE
givenNameSTRINGgivenName
mailSTRINGmail
objectGUIDSTRINGobjectGUID
userPrincipalNameSTRINGuserPrincipalName
usernameSTRINGusername

Advanced Settings tab

In the Advanced Settings tab, the verify that the following configurations are set. 

a. In the Advanced Settings group, the Subject Name option is selected. 

b. In the Multi-value attributes group, the Each value in a separate XML element option is selected. 

c. In the Logout Settings group, the Sign logout request check box is cleared. 

 


Test portal URL

This procedure explains how to test the SecureAuth IdP portal URL. 

1. In Cisco ISE, from the Portals and Settings Customization page, click the Portal text URL link > Copy shortcut

2. Open a blank browser page and paste the shortcut link and press Enter. 

Verify that the SecureAuth icon appears as an alternate login. 

 


Troubleshooting SAML authentication

When there are issues with SAML authentication, that info is logged in the ise-psc.log file. This section explains how to troubleshoot issues in various ways. 

By component

This procedure explains how to troubleshoot a component.

1.  In Cisco ISE, from the Administration menu, click Logging

2. On the Logging tab, in the left-hand pane, click Debug Log Configuration. 

3. From the Node List, choose the node you want to troubleshoot.  

4. Set the saml component to the DEBUG log level. 

Command-line interface

To monitor the SAML events, you can access Cisco ISE through the command-line interface (CLI) and type the command:

 show logging application ise-psc.log tail

Download log file

You can download the log file for further analysis. 

1. In Cisco ISE, from the Operations tab, click Download Logs.  

2. Click the ise-psc.log file link to download it.