Prerequisites for SAML Authentication

To configure the integration of a Security Assertion Markup Language (SAML) identity provider (IdP) with Cisco Secure Access, you must meet the requirements outlined in this guide.

Secure Access Service Provider Metadata

  • Secure Access Entity ID—saml.fg.id.sse.cisco.com
  • Secure Access Entity URL—fg.id.sse.cisco.com/gw/auth/acs/response

Requirements

  • Full Admin user role. For more information, see Manage Accounts.
  • Provision users and groups from your organization in Secure Access. The users and groups must match the identities obtained from SAML. For more information, see Manage Users and Groups.
  • Download your IdP SAML metadata file in XML format.
  • The SAML metadata must have a signing key.
  • Configure SAML with an identity provider (IdP) that supports SAML 2.0 POST profiles.
  • Ensure that traffic to your IdP URL is bypassed on the SWG to avoid an authentication loop. For more information, see Manage Domains.
  • Enable cookies for your browser. For more information, see your browser's documentation.
  • Install the Cisco Secure Access root certificate on all client machines egressing from networks or network tunnels where SAML is enabled. For more information, see Manage Certificates.
  • If you use AD FS for SAML, we recommend that you bypass web traffic to the id.sse.cisco.com domain on the Secure Access secure web gateway (SWG). For other IdPs, send id.sse.cisco.com requests to the SWG, not directly to the internet. For more information about bypassing domains and Secure Access Web security, see Manage Domains.
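The three metadata-related requirements above (a signing key in the IdP metadata, SAML 2.0 HTTP-POST support, and knowing which IdP URLs to bypass on the SWG) can be checked before you upload anything. The script below is an added example, not Cisco or IdP vendor code: it parses an IdP metadata file with the Python standard library and reports what is missing, plus the SSO hostnames to bypass. The two metadata documents in it are constructed samples with `idp.example.com` hostnames and a placeholder in place of the certificate; the function names are this example's own.

```python
"""Pre-flight check of IdP SAML metadata against the prerequisites above.

Added example, not Cisco's or any IdP vendor's code. The metadata strings
below are constructed samples; the certificate text is a placeholder.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata passes."""
    problems = []
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    protocols = idp.get("protocolSupportEnumeration", "")
    if SAML2_PROTOCOL not in protocols.split():
        problems.append("IdP does not advertise SAML 2.0 protocol support")
    # A KeyDescriptor with use="signing", or with no use attribute (which
    # means it serves both signing and encryption), must hold a certificate.
    has_signing_key = False
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use") in (None, "signing") and cert is not None and (cert.text or "").strip():
            has_signing_key = True
    if not has_signing_key:
        problems.append('no signing key: need KeyDescriptor use="signing" with an X509Certificate')
    # The POST profile requires an SSO endpoint bound to HTTP-POST.
    post_endpoints = [
        sso for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == POST_BINDING and sso.get("Location")
    ]
    if not post_endpoints:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    return problems


def idp_hosts(xml_text):
    """Hostnames of every SSO endpoint: the IdP URLs to bypass on the SWG."""
    root = ET.fromstring(xml_text)
    return {
        urlparse(sso.get("Location")).hostname
        for sso in root.findall(".//md:SingleSignOnService", NS)
        if sso.get("Location")
    }


# Constructed sample: signing key present, both Redirect and POST bindings.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample that fails: encryption-only key, Redirect binding only.
BAD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(name, check_idp_metadata(doc) or "OK", "bypass hosts:", sorted(idp_hosts(doc)))
```

Run it against your real metadata file by reading the file into `check_idp_metadata`; the hostnames from `idp_hosts` are the ones to exempt from the SWG so the login redirect does not loop back through authentication.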

Enable SAML and Decryption in the Security Profile

  • To obtain the user identity of a device through SAML, enable SAML in the Secure Access security profile for internet access. For more information, see Manage Security Profiles.
  • Enable decryption in the Secure Access security profile for internet access. Secure Access must inspect the Cookie HTTP header to read the SAML cookie. The SAML cookie acts as the authentication token or surrogate. For more information, see Manage Security Profiles.

Encrypted SAML Assertions

Encrypted SAML assertions are a compliance standard in many industries and mitigate the risk of intercepted SAML assertions.

  • Secure Access requires encryption of the whole SAML assertion. Secure Access does not support configuring the IdP to specify EncryptedAttribute or EncryptedID.
  • Secure Access requires SAML assertions encrypted using the key downloaded from Connect > Users and Groups > Configuration Management.
  • Secure Access requires SAML assertions encrypted in sign-then-encrypt order, and will not support SAML assertions encrypted in encrypt-then-sign order.
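The three requirements above are visible in the shape of the SAML Response the IdP produces, so a captured test login can be checked before rollout. The script below is an added example, not Cisco code: it inspects the Response as received (is the whole assertion inside an EncryptedAssertion, with no plaintext Assertion?) and, when you also hand it the assertion as it looks after your decryption step, confirms the Signature sits inside the assertion (sign-then-encrypt) and that no EncryptedID or EncryptedAttribute is used. It does not decrypt or verify signatures; the service provider does that. The XML documents are constructed samples with placeholder cipher and signature values, `idp.example.com` as the IdP, and the Secure Access ACS URL from this page as the Destination; the function name is this example's own.

```python
"""Structural check of a SAML Response against the encrypted-assertion rules.

Added example, not Cisco code. It parses only; decryption and signature
verification are left to the service provider. All XML below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def check_saml_response(response_xml, decrypted_assertion_xml=None):
    """Return a list of problems; empty means the Response matches the rules."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.tag != _tag("samlp", "Response"):
        return ["document root is not samlp:Response"]
    # Rule 1: the whole assertion must be encrypted, never sent in the clear.
    if root.findall("saml:Assertion", NS):
        problems.append("Assertion sent in plaintext; the whole assertion must be encrypted")
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    if not encrypted:
        problems.append("no EncryptedAssertion element in the Response")
    for enc in encrypted:
        if enc.find("xenc:EncryptedData", NS) is None:
            problems.append("EncryptedAssertion carries no xenc:EncryptedData")
    docs = [root]
    if decrypted_assertion_xml is not None:
        assertion = ET.fromstring(decrypted_assertion_xml)
        if assertion.tag != _tag("saml", "Assertion"):
            problems.append("decrypted content is not a saml:Assertion")
        # Rule 3: sign-then-encrypt puts the Signature inside the ciphertext, so the
        # decrypted assertion must carry its own ds:Signature. An unsigned
        # decrypted assertion means the IdP used encrypt-then-sign.
        elif assertion.find("ds:Signature", NS) is None:
            problems.append("decrypted Assertion has no ds:Signature: encrypt-then-sign "
                            "order detected, sign-then-encrypt is required")
        docs.append(assertion)
    # Rule 1 again: partial encryption is unsupported wherever it appears.
    for doc in docs:
        for local in ("EncryptedID", "EncryptedAttribute"):
            msg = "%s found; partial encryption is not supported" % local
            if doc.find(".//saml:%s" % local, NS) is not None and msg not in problems:
                problems.append(msg)
    return problems


# Constructed: whole assertion encrypted, as Secure Access expects to receive it.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://fg.id.sse.cisco.com/gw/auth/acs/response">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed: what the assertion above looks like after decryption when the
# IdP signed first and then encrypted (Signature is inside the assertion).
GOOD_DECRYPTED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed: decrypted assertion with no inner signature (encrypt-then-sign).
UNSIGNED_DECRYPTED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a3" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed: plaintext assertion with only the NameID encrypted (unsupported).
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:EncryptedID><xenc:EncryptedData/></saml:EncryptedID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("good:", check_saml_response(GOOD_RESPONSE, GOOD_DECRYPTED) or "OK")
    print("encrypt-then-sign:", check_saml_response(GOOD_RESPONSE, UNSIGNED_DECRYPTED))
    print("bad:", check_saml_response(BAD_RESPONSE))
```

The encrypt-then-sign case cannot be told apart from sign-then-encrypt by looking at the ciphertext alone, which is why the function takes the decrypted assertion as a second argument; the other two rules are decided from the Response as it arrives.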
