Configure Authentication for AD Connectors and VAs
Cisco Secure Access communicates with the deployed Cisco Active Directory (AD) Connectors in your environments. Secure Access makes software syncs and health checks to the AD Connectors and requires that API requests from the AD Connectors use authentication. For information about deploying the Cisco AD Connector, see Connect Active Directory to Secure Access.
To manage the authentication of the communications from the AD Connectors to Secure Access, we recommend that you configure API key credentials for your AD Connector deployments. Your API key credentials apply to all AD Connectors and Secure Access Virtual Appliances that are deployed in your environment.
For more information about authentication and deploying Virtual Appliances, see Configure Authentication for Virtual Appliances.
Note: The API key authentication is available for Secure Access Virtual Appliances version 3.7.0 and newer and the Cisco AD Connector version 1.14.4 or newer. The API keys apply to the Virtual Appliances and the Cisco AD Connectors in the organization.
How to Set Up Your API Credentials
- First, create the Secure Access Key Admin API key and secret.
- Then, use your Secure Access Key Admin API key credentials to generate your Secure Access client API key and secret. Your Secure Access client API key credentials are stored in the AD Connectors and Virtual Appliances that are deployed in the organization.
Important
Secure Access client API key credentials are valid for 90 days.
AD Connectors use the organization's Secure Access client API key credentials to generate an OAuth 2.0 access token, which authorizes API requests from the AD Connectors to Secure Access. The access token is included in every API request from the AD Connector to Secure Access.
Table of Contents
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- Cisco AD Connector version 1.14.4 or newer.
Procedure
Create a Secure Access Key Admin API key and secret. Use the Secure Access Key Admin API credentials to generate your Secure Access client API key credentials.
The Secure Access client API key and secret are stored in the AD Connectors that you deploy in your environments. The generated API credentials (key and secret) apply to all AD Connectors in the organization.
Step 1 – Create the Key Admin API Key Credentials
-
Create a Secure Access Key Admin API key. For more information, see Add Key Admin API Keys.
Select each type of permission for the key.Note: Save your Key Admin API key and secret and use these credentials to configure the authentication for the AD Connectors in the organization.
Step 2 – Add the Key Admin API Key Credentials
Add the Secure Access Key Admin API key and secret to the AD Connector in Users and Groups > Configuration Management > API Authentication. Then, generate a Secure Access client API key and secret.
-
Navigate to Connect > Users and User Groups > Configuration Management.
-
Click Advanced Settings.
-
For Key Admin API Key, add the Key Admin API key, and for Key Admin Key Secret, add the Key Admin API key secret. For information about creating the Key Admin API key, see Step 1 – Create the Key Admin API Key Credentials.
-
After you add the Key Admin API key and secret, click Generate Client API Key Pair.
-
Save the Secure Access client API key and secret.
Secure Access updates the client API key and secret automatically every 90 days.
Refresh Client API Key and Secret
Refresh your Secure Access client API key and secret.
-
Navigate to Connect > Users and User Groups > Configuration Management.
-
Click Advanced Settings.
-
Click Refresh.
Secure Access refreshes the client API key and secret.
-
For Refresh Client Keys, check the box to confirm the deletion of the client API key and secret.
-
Click Refresh.
Reset Client API Key
Delete your Secure Access Key Admin API key and Secure Access client API key.
Important
After you delete the Key Admin API key and client API key, existing AD Connector deployments may continue to use the stored Secure Access client API key and secret for up to 90 days.
-
Navigate to Connect > Users and User Groups > Configuration Management.
-
Click Advanced Settings.
-
Click Reset Client API Key.
-
For Reset Client Keys, check the box to confirm the deletion of both the Key Admin API key and client API key for the AD Connectors in the organization.
-
Click Reset.
Manage AD Connectors < Configure Authentication for AD Connectors > Configure Updates on AD Connectors
Updated 5 days ago