Prerequisites for SAML Authentication

To configure the integration of a Security Assertion Markup Language (SAML) identity provider (IdP) with Cisco Secure Access, you must meet certain requirements.

Secure Access Service Provider Metadata

  • Secure Access Entity ID—saml.fg.id.sse.cisco.com
  • Secure Access Entity URL—fg.id.sse.cisco.com/gw/auth/acs/response

Requirements

  • Full Admin user role. For more information, see Manage Accounts.
  • Provision users and groups from your organization in Secure Access. The users and groups must match the identities obtained from SAML. For more information, see Manage Users and Groups.
  • Download your IdP SAML metadata file in XML format.
  • The SAML metadata must have a signing key.
  • Configure SAML with an identity provider (IdP) that supports SAML 2.0 POST profiles.
  • Ensure that traffic to your IdP URL is bypassed on the SWG to avoid an authentication loop. For more information, see Manage Domains.
  • Enable cookies for your browser. For more information, see your browser's documentation.
  • You must install the Cisco Secure Access root certificate on all client machines egressing from networks or network tunnels where SAML is enabled. For more information, see Manage Certificates.
  • If you use AD FS for SAML, we recommend that you bypass web traffic to the id.sse.cisco.com domain on the Secure Access secure web gateway (SWG). For other IdPs, send id.sse.cisco.com requests to the SWG, not directly to the internet. For more information about bypassing domains and Secure Access Web security, see Manage Domains.
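The metadata requirements above (an IdP metadata file in XML format, a signing key, and support for the SAML 2.0 POST profile) can be checked before the file is uploaded. The following preflight script is an added example, not Cisco's code; it uses only the Python standard library, and the two metadata documents embedded in it are constructed samples with placeholder certificate values, not real IdP output.

```python
"""Preflight checks on an IdP SAML metadata file (added example, not Cisco's code).

Reports whether the metadata describes an IdP, carries a signing certificate,
and exposes a SingleSignOnService with the HTTP-POST binding.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")

    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]

    # A KeyDescriptor with use="signing", or with no use attribute (which
    # means the key serves both signing and encryption), must carry a cert.
    signing_keys = [
        kd for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")
        and kd.find(f".//{{{DS}}}X509Certificate") is not None
    ]
    if not signing_keys:
        problems.append("no signing key: add a KeyDescriptor with an X509Certificate")

    bindings = {sso.get("Binding") for sso in idp.findall(f"{{{MD}}}SingleSignOnService")}
    if HTTP_POST not in bindings:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    return problems


# Constructed sample metadata (placeholder certificate, fictional hostnames).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same structure, but only an encryption key and only the HTTP-Redirect binding.
BAD_METADATA = (GOOD_METADATA
                .replace('use="signing"', 'use="encryption"')
                .replace("bindings:HTTP-POST", "bindings:HTTP-Redirect"))

if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(name, check_idp_metadata(doc) or "OK")
```

Run it against the metadata file you exported from the IdP (`check_idp_metadata(open("idp-metadata.xml").read())`); the checks are structural only, so a passing file still needs the certificate itself to be current.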

Enable SAML and HTTPS Inspection in the Web Profile

  • To obtain the user identity of a device through SAML, enable SAML in the Secure Access Web profile. For more information, see Manage Web Profiles.
  • Enable HTTPS Inspection in the Secure Access Web profile. Secure Access must inspect the Cookie HTTP header to read the SAML cookie. The SAML cookie acts as the authentication token or surrogate. For more information, see Manage Web Profiles.

Encrypted SAML assertions

Encrypted SAML assertions are a compliance standard in many industries and mitigate the risk of intercepted SAML assertions.

  • Secure Access requires encryption of the whole SAML assertion (EncryptedAssertion). Configuring the IdP to encrypt only individual elements with EncryptedAttribute or EncryptedID is not supported.
  • Secure Access requires SAML assertions encrypted using the key downloaded from Connect > Users and Groups > Configuration Management.
  • Secure Access requires SAML assertions produced in sign-then-encrypt order (the assertion is signed, then encrypted). Assertions produced in encrypt-then-sign order are not supported.
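The three rules above translate into structural properties of the SAML response that can be verified when troubleshooting an integration. The script below is an added example, not Cisco's code: `check_response()` inspects the Response as the browser posts it to the ACS URL and confirms that the only assertion present is an EncryptedAssertion with no EncryptedID or EncryptedAttribute; `check_decrypted_assertion()` inspects the assertion after you have decrypted it with the SP private key (the decryption step is assumed to be done separately, for example with xmlsec) and confirms the signature sits inside the ciphertext, which is what sign-then-encrypt produces. The SAML documents embedded in it are constructed samples with placeholder cipher and signature values.

```python
"""Structural checks of a SAML Response against the encryption rules above
(added example, not Cisco's code). Decryption happens outside this script."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Element-level encryption that Secure Access does not accept.
PARTIAL = (f"{{{SAML}}}EncryptedID", f"{{{SAML}}}EncryptedAttribute")


def _partial_encryption(root: ET.Element) -> list[str]:
    problems = []
    for tag in PARTIAL:
        if root.find(f".//{tag}") is not None:
            name = tag.rsplit("}", 1)[1]
            problems.append(f"{name} present: only whole-assertion encryption is supported")
    return problems


def check_response(xml_text: str) -> list[str]:
    """Problems with the outer Response; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"root is {root.tag}, expected samlp:Response"]
    problems = _partial_encryption(root)
    if root.find(f"{{{SAML}}}Assertion") is not None:
        problems.append("plaintext Assertion present: the whole assertion must be encrypted")
    encrypted = root.findall(f"{{{SAML}}}EncryptedAssertion")
    if not encrypted:
        problems.append("no EncryptedAssertion element")
    for element in encrypted:
        if element.find(f"{{{XENC}}}EncryptedData") is None:
            problems.append("EncryptedAssertion carries no xenc:EncryptedData")
    return problems


def check_decrypted_assertion(xml_text: str) -> list[str]:
    """Sign-then-encrypt puts the signature inside the ciphertext, so the
    decrypted Assertion must carry its own ds:Signature."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return [f"root is {root.tag}, expected saml:Assertion"]
    problems = _partial_encryption(root)
    if root.find(f"{{{DS}}}Signature") is None:
        problems.append("decrypted Assertion is unsigned: the IdP must sign before encrypting")
    return problems


# Constructed samples: namespaces are real, the payload values are placeholders.
NS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
      'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
      'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
      'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"')

GOOD_RESPONSE = f"""<samlp:Response {NS} ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData>
      <xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Plaintext assertion with only the subject identifier encrypted: rejected.
BAD_RESPONSE = f"""<samlp:Response {NS} ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:EncryptedID><xenc:EncryptedData/></saml:EncryptedID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

SIGNATURE = "<ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>"
SIGNED_ASSERTION = f"""<saml:Assertion {NS} ID="_a1" Version="2.0">
  {SIGNATURE}
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
</saml:Assertion>"""
UNSIGNED_ASSERTION = SIGNED_ASSERTION.replace(SIGNATURE, "")

if __name__ == "__main__":
    print("response:", check_response(GOOD_RESPONSE) or "OK", check_response(BAD_RESPONSE))
    print("assertion:", check_decrypted_assertion(SIGNED_ASSERTION) or "OK",
          check_decrypted_assertion(UNSIGNED_ASSERTION))
```

An unsigned decrypted assertion is the fingerprint of encrypt-then-sign: the IdP signed the outer Response over the ciphertext instead of signing the assertion first, which is the order Secure Access does not accept.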
