Configure AD FS for SAML

Cisco Secure Access uses Security Assertion Markup Language (SAML) to authenticate and authorize web requests from user devices on networks and network tunnels with Web security enabled, and requests to private resources from user devices with Zero Trust (ZT) enabled. To support SAML authentication and authorization, you must integrate a SAML identity provider (IdP) with Secure Access.

Configure Active Directory Federation Services (AD FS) with Secure Access either by uploading the AD FS XML metadata file to Secure Access or by entering the AD FS metadata in Secure Access manually.

For information about provisioning users from AD FS to Secure Access, see Provision Users and Groups from Active Directory.

Prerequisites

  • Full Admin user role. For more information, see Manage Accounts.
  • We recommend that you bypass web traffic to the id.sse.cisco.com domain on the Secure Access secure web gateway (SWG). For more information about domains and the SWG, see Manage Domains.
  • Ensure that traffic to your IdP URL is bypassed on the SWG to avoid an authentication loop. For more information, see Manage Domains.
  • Configure SAML with an identity provider (IdP) that supports SAML 2.0 POST profiles.
  • Enable SAML in the Secure Access web profile. For more information, see Manage Web Profiles.
  • Download your IdP's metadata file in XML format.
  • The IdP SAML XML metadata file must include a signing key (the IdP's token-signing certificate). Secure Access uses it to verify the signatures on SAML responses and assertions.
  • Enable cookies on the browsers on user devices. For more information, see your browser's documentation.
  • Enable HTTPS Inspection in the Secure Access Web profile. Secure Access must inspect the Cookie HTTP header to read the SAML cookie. The SAML cookie acts as the authentication token or surrogate. For more information, see Manage Web Profiles.
  • You must install the Cisco Secure Access root certificate on all client machines egressing from networks or network tunnels where SAML is enabled. For more information, see Manage Certificates.

Procedure

Step 1 – Choose an Authentication Method

  1. Navigate to Connect > Users and Groups and click Configuration Management.
  2. Navigate to SSO authentication and click Configure.
  3. For Authentication Method, choose Security Assertion Markup Language (SAML), and then click Next.

Step 2 – Add an Identity Provider

  1. For Identity Provider, choose ADFS. Secure Access supports various IdPs.
  2. (Optional) Enable an organization-specific entity ID.
    • Organization-specific Entity ID—Choose this option when you have multiple Secure Access Orgs that must authenticate against the same IdP for Secure Access Internet Security and Zero Trust (ZT). AD FS requires a unique identifier for each relying party trust, so Secure Access lets you override its default common EntityID (saml.fg.id.sse.cisco.com) on a per-Org basis.
  3. For Entity ID URL, click Copy URL to make a local copy of the Secure Access Entity ID URL. Unless you enabled an organization-specific entity ID, this is the default common EntityID, saml.fg.id.sse.cisco.com.
  4. Choose how often users must re-authenticate with Secure Access, or select Never.
    The time intervals are:
    • Daily
    • Weekly
    • Monthly
  5. Click Next.

Step 3 – Add the Identity Provider's SAML Metadata to Secure Access

Download the Secure Access Metadata XML file and use this service provider (SP) file to configure your instance of AD FS. The Secure Access Metadata XML file includes the certificate that Secure Access uses to sign SAML authentication requests. For more information about setting up the service provider metadata in AD FS, see Configure Active Directory Federation Services.

Then, either upload the AD FS SAML metadata XML file to Secure Access or add the SAML metadata directly in Secure Access.

Step 3a – Upload the Identity Provider's SAML Metadata XML File

Download the Secure Access Metadata XML file, configure the SAML IdP, and then upload the IdP's metadata XML file to Secure Access.

  1. Select SAML Metadata XML Configuration.
  2. Click Download service provider XML file to save the Secure Access service provider XML metadata file to your local system.
    The Secure Access service provider (SP) metadata includes the service provider Issuer ID, the assertion consumer endpoint URL information, and the SAML request signing certificate from Secure Access. The Secure Access metadata is required when configuring your IdP.

    Your IdP must send the Cisco Secure Access user principal name (UPN) in the NameID attribute of the SAML assertion; Secure Access matches this value against the provisioned user. For more information on configuring your IdP, exporting your IdP metadata, obtaining your IdP details, or downloading your IdP's signing certificate, refer to your vendor's documentation.

  3. Configure your AD FS instance with the Secure Access SAML metadata. Follow the steps in Configure Active Directory Federation Services.

  4. Upload the configured IdP Metadata XML file to Secure Access, and then click Done.
    The IdP's Metadata XML file contains the IdP's signing certificate, which Secure Access needs to verify the signatures on SAML responses and assertions from the IdP.

Step 3b – Add the Identity Provider's SAML Metadata

Note: If you uploaded your IdP's SAML Metadata XML file to Secure Access, you do not have to complete the following steps.

Download the Secure Access Metadata XML file, configure the SAML IdP, and then add the IdP's metadata in Secure Access.

  1. Select Manual Configuration.
  2. Click Download service provider XML file to save the Secure Access service provider XML metadata file to your local system.
    The Secure Access service provider (SP) metadata includes the service provider Issuer ID, the assertion consumer endpoint URL information, and the SAML request signing certificate from Secure Access. The Secure Access metadata is required when configuring your IdP.
    Your IdP must send the Cisco Secure Access user principal name (UPN) in the NameID attribute of the SAML assertion; Secure Access matches this value against the provisioned user. For more information on configuring your IdP, exporting your IdP metadata, obtaining your IdP details, or downloading your IdP signing certificate, refer to your vendor's documentation.

  3. Configure your AD FS instance with the Secure Access SAML metadata. Follow the steps in Configure Active Directory Federation Services.

  4. Enter the identity provider's metadata, and then click Done.

    • Entity ID—The globally unique name of the identity provider. Secure Access compares it with the Issuer in the SAML responses it receives.
    • Endpoint—The single sign-on URL to which Secure Access sends authentication requests (for AD FS, the HTTP-POST SingleSignOnService location from the AD FS metadata).
    • Signing Keys—Your identity provider's X.509 token-signing certificate. The IdP signs SAML responses and assertions with the matching private key, and Secure Access uses this certificate to verify those signatures.
    • Signed Authentication Request (optional)—Choose whether Secure Access signs the authentication requests it sends to the IdP.
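The three values above can be read straight out of the AD FS federation metadata rather than copied by hand. The following PowerShell script is an added example written for this page; it is not Cisco's or Microsoft's code. It parses a saved AD FS federation metadata file (the path is a placeholder you must change), extracts the entityID, the HTTP-POST single sign-on endpoint and every signing certificate, and checks the prerequisite that the metadata actually carries a signing key whose certificate is currently valid. During AD FS automatic certificate rollover the metadata can list two signing certificates, which is why the script reports all of them.

```powershell
# Added example (not part of the original page): pull Entity ID, endpoint and signing
# certificate(s) out of exported AD FS federation metadata for manual entry in Secure Access.
# Assumption: $MetadataPath points to the FederationMetadata.xml saved from your AD FS farm.
param([string]$MetadataPath = 'C:\Temp\adfs-metadata.xml')

[xml]$Doc = Get-Content -Path $MetadataPath -Raw
$Ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
$Ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$Ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Entity ID: the IdP issuer that Secure Access compares against the Issuer of each SAML response.
$EntityId = $Doc.DocumentElement.GetAttribute('entityID')

# Endpoint: Secure Access uses the SAML 2.0 POST profile, so take the HTTP-POST SSO binding.
$Post = $Doc.SelectSingleNode(
    "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $Ns)
if (-not $Post) { throw 'No HTTP-POST SingleSignOnService endpoint found in the IdP metadata' }
$Endpoint = $Post.GetAttribute('Location')

# Signing keys: AD FS publishes its token-signing certificate under KeyDescriptor use="signing".
# Metadata with only an encryption key (or none) fails the prerequisite; assertions could not be verified.
$SigningNodes = $Doc.SelectNodes(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $Ns)
if ($SigningNodes.Count -eq 0) { throw 'IdP metadata has no signing KeyDescriptor; Secure Access cannot verify assertions' }

$Now = Get-Date
foreach ($Node in $SigningNodes) {
    # Metadata embeds the DER certificate as base64 text, often wrapped across lines.
    $Raw  = [Convert]::FromBase64String(($Node.InnerText -replace '\s', ''))
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$Raw)
    $State = if ($Cert.NotAfter -lt $Now) { 'EXPIRED' }
             elseif ($Cert.NotBefore -gt $Now) { 'NOT YET VALID' }
             else { 'valid' }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        State      = $State
    }
}

# Values to enter in the Secure Access Manual Configuration form.
[pscustomobject]@{ EntityId = $EntityId; Endpoint = $Endpoint; SigningKeys = $SigningNodes.Count }
```

If the script reports a signing certificate as EXPIRED or finds none, re-export the metadata from AD FS before entering anything in Secure Access; an expired or missing signing key is the usual cause of an otherwise well-formed SAML response being rejected.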

Configure Active Directory Federation Services

  1. Log in to the AD FS server and navigate to Server Manager > Tools > AD FS Management.
  2. In AD FS Management, right-click Trust Relationships and navigate to Relying Party Trusts > Add Relying Party Trust, and then select Start.
  3. Choose Import data about the relying party from a file and browse to the metadata.xml file downloaded from Secure Access.
  4. For Display name, provide a meaningful name for the trust, and then click Next.
  5. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next. You can apply MFA to this trust later through the AD FS authentication or access control policies.
  6. Select Permit all users to access this relying party (in AD FS 2016 and later, the Permit everyone access control policy) and click Next.
  7. Verify the settings and click Next.
  8. Right-click the newly created relying party trust and select Edit Claim Rules.
  9. Under Issuance Transform Rules, click Add Rule, choose Send Claims Using a Custom Rule, and enter the following rule. It looks up the userPrincipalName of the authenticated Windows account in Active Directory and issues it as an email address claim:
     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
      => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);
  10. Repeat step 9 with the following rule. It copies the email address claim into the NameID with the emailAddress format, which is the UPN value Secure Access expects in the assertion:
     c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
      => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
  11. Download the AD FS federation metadata XML file and save the file on your local system.
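The wizard steps above can be reproduced with the ADFS PowerShell module, which is useful for repeatable builds and for verifying what the wizard produced. The following script is an added example written for this page, not Cisco's or Microsoft's code. It assumes an elevated PowerShell session on an AD FS server, that the Secure Access SP metadata has been saved to the placeholder path $SpMetadata, and that the trust name and output path are placeholders you will change. The two claim rules are the ones from the procedure; the authorization rule is the PowerShell equivalent of "Permit all users".

```powershell
# Added example (not part of the original page): build the Secure Access relying party trust
# from the SP metadata, attach the two claim rules, verify the result, and export AD FS metadata.
# Assumptions: elevated session on the AD FS server; paths and trust name are placeholders.
Import-Module ADFS

$SpMetadata  = 'C:\Temp\metadata.xml'        # SP metadata downloaded from Secure Access (Step 3)
$IdpMetadata = 'C:\Temp\adfs-metadata.xml'   # where the AD FS metadata for upload will be saved
$TrustName   = 'Cisco Secure Access'

# Issuance transform rules from the procedure: AD lookup of userPrincipalName for the
# authenticated Windows account, issued as an email claim, then copied into NameID with the
# emailAddress format. Secure Access matches that NameID against the provisioned user's UPN.
$TransformRules = @'
@RuleName = "UPN to email claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Email claim to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule equivalent to "Permit all users to access this relying party".
# Tighten this (for example to a group claim) if only some AD users should reach Secure Access.
$AuthzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName `
        -MetadataFile $SpMetadata `
        -IssuanceTransformRules $TransformRules `
        -IssuanceAuthorizationRules $AuthzRules `
        -Notes 'Created from the Secure Access service provider metadata'
}

# Check: the identifier imported from metadata should be the Secure Access Entity ID copied in
# Step 2, and the trust should hold the Secure Access request-signing certificate so that
# signed AuthnRequests can be verified.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$Trust | Select-Object Name, Identifier, SamlEndpoints, SignatureAlgorithm | Format-List
$Trust.RequestSigningCertificate | Select-Object Subject, NotAfter

# Export the AD FS federation metadata (it carries the token-signing certificate) for Step 3a.
$Fqdn = (Get-AdfsProperties).HostName
Invoke-WebRequest -Uri "https://$Fqdn/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile $IdpMetadata
```

The rule set is single-quoted so that the "{0}" placeholder in the Active Directory query reaches AD FS untouched. Because the trust is created from the SP metadata file, the identifier, the assertion consumer endpoint and the signing certificate come from what Secure Access published, which avoids the hand-typing mistakes that lead to "audience" or signature-validation failures at test time.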

Test the Identity Provider Integration

To complete the integration of the SAML IdP with Secure Access, test single sign-on authentication through the IdP. For more information, see Test SAML Identity Provider Integration.

View the SAML Certificates in Secure Access

Once you have completed the integration of a SAML IdP in Secure Access, you can manage the certificates used in SAML authentication for Secure Access (service provider) and the SAML IdP. For more information, see Manage Certificates.
