Prerequisites for SAML Authentication

To configure the integration of a Security Assertion Markup Language (SAML) identity provider (IdP) with Cisco Secure Access, you must meet certain requirements.

Secure Access Service Provider Metadata

  • Secure Access Entity ID—saml.fg.id.sse.cisco.com
  • Secure Access Entity URL—fg.id.sse.cisco.com/gw/auth/acs/response

Requirements

  • If your organization integrates with AD FS, we recommend that you bypass web traffic to the id.sse.cisco.com domain on the Secure Access secure web gateway (SWG). If your organization does not use AD FS, send id.sse.cisco.com requests through the SWG rather than directly to the internet. For more information about bypassing domains and Secure Access Web security, see Manage Domains.
  • Provision users and groups from your organization in Secure Access. The users and groups must match the identities obtained from SAML. For more information, see Manage Users and Groups.
  • Download your identity provider's SAML metadata file in XML format.
  • The SAML metadata must have a signing key.
  • The SAML identity provider (IdP) must support SAML 2.0 POST profiles.
  • Enable cookies for your browser. For more information, see your browser's documentation.
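The three metadata requirements above (an IdP metadata XML file, a signing key in that metadata, and SAML 2.0 HTTP-POST support) can be verified before you upload the file. The script below is an added example, not Cisco's code or a Secure Access tool: it parses standard SAML 2.0 metadata with the Python standard library and reports, per IdP entity, whether a usable signing certificate and an HTTP-POST SingleSignOnService endpoint are present. The two metadata documents embedded in it are constructed samples (the certificate bodies are placeholders), and the hostnames in them are assumptions.

```python
"""Pre-flight check of IdP SAML 2.0 metadata against the prerequisites above.

Added example, not Cisco's code or tooling. Assumes metadata in the standard
urn:oasis:names:tc:SAML:2.0:metadata format; the sample documents below are
constructed for illustration and the certificate text is a placeholder.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text):
    """Return one finding dict per EntityDescriptor that carries an IDPSSODescriptor.

    ok is True only when the IdP publishes at least one usable signing certificate
    (KeyDescriptor use="signing", or no use attribute, which the metadata spec
    treats as valid for both signing and encryption) AND at least one
    SingleSignOnService endpoint bound to HTTP-POST.
    """
    root = ET.fromstring(xml_text.lstrip())
    md_tag = "{%s}EntityDescriptor" % NS["md"]
    # A metadata file is either one EntityDescriptor or an EntitiesDescriptor wrapper
    entities = [root] if root.tag == md_tag else root.findall(".//md:EntityDescriptor", NS)
    findings = []
    for ent in entities:
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only descriptors are irrelevant to an IdP integration
        f = {"entity_id": ent.get("entityID"), "signing_keys": 0,
             "post_sso_urls": [], "warnings": [], "ok": False}
        for kd in idp.findall("md:KeyDescriptor", NS):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            has_cert = bool(cert is not None and cert.text and cert.text.strip())
            if kd.get("use") in (None, "signing") and has_cert:
                f["signing_keys"] += 1
        for sso in idp.findall("md:SingleSignOnService", NS):
            loc = sso.get("Location", "")
            if not loc.lower().startswith("https://"):
                f["warnings"].append("SSO endpoint is not HTTPS: %s" % loc)
            if sso.get("Binding") == POST_BINDING:
                f["post_sso_urls"].append(loc)
        if f["signing_keys"] == 0:
            f["warnings"].append("no signing certificate: assertions cannot be verified")
        if not f["post_sso_urls"]:
            f["warnings"].append("no HTTP-POST SingleSignOnService binding advertised")
        f["ok"] = f["signing_keys"] > 0 and bool(f["post_sso_urls"])
        findings.append(f)
    return findings


# Constructed sample: meets both requirements (certificate body is a placeholder).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: encryption-only key, Redirect-only binding, plain-HTTP endpoint.
REDIRECT_ONLY_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://legacy-idp.example.net">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="http://legacy-idp.example.net/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    import sys
    # Pass the downloaded IdP metadata file as the first argument; defaults to the good sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = GOOD_METADATA
    for f in check_idp_metadata(source):
        print("%s: %s" % (f["entity_id"], "OK" if f["ok"] else "NOT OK"))
        for w in f["warnings"]:
            print("  - " + w)
```

Run it as `python check_metadata.py idp-metadata.xml` against the file exported from your IdP. A result of NOT OK with "no signing certificate" means Secure Access would have no key with which to validate assertion signatures, and "no HTTP-POST SingleSignOnService binding" means the IdP does not advertise the POST profile the integration requires; both must be corrected on the IdP side before the metadata is uploaded.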

Enable SAML and HTTPS Inspection in the Web Profile

  • To obtain the user identity of a device through SAML, you must enable SAML and HTTPS inspection in the Web profile. For more information, see Manage Web Profiles.
  • HTTPS Inspection enables Secure Access to read the SAML cookie in the Cookie HTTP request header. The SAML cookie acts as the authentication token or surrogate.
  • You must install the Cisco Secure Access root certificate on all client machines egressing from networks or network tunnels where SAML is enabled. For more information, see Manage Certificates.
