topic Re: SAML AuthRequest assertions are not signed by the ISE in Network Access Control

SAML AuthRequest assertions are not signed by the ISE

mtrojcza — Thu, 22 Feb 2018 08:08:11 GMT

Hello Experts,

My customer raised a question about SAML assertions signature. They confirmed that in their integration with Identity Federation the SAML AuthRequest is not signed by ISE:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL=" https://mydevices.example.com:8444/mydevicesportal/SSOLoginResponse.action"; ForceAuthn="false" ID="_94996df0-0a98-11e8-9ab8-380e4d172cf6_DELIMITERportalId_EQUALS94996df0-0a98-11e8-9ab8-380e4d172cf6_SEMIportalSessionId_EQUALSe8349759-d271-40dd-b6a7-9e9b77fe9d31_SEMI_DELIMITERmydevices.par.michelin.com" IsPassive="false" IssueInstant="2018-02-14T16:42:57.491Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" Cacher le texte cité > <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">http://CiscoISE/94996df0-0a98-11e8-9ab8-380e4d172cf6</samlp:Issuer> <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="false" /> <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact" Cacher le texte cité > <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml2p:RequestedAuthnContext> </samlp:AuthnRequest>

I haven't found any documentation on the matter. Could you please tell me if this is expected and if we can force the signature in any way?

Thanks,

Mateusz

Re: SAML AuthRequest assertions are not signed by the ISE

Nidhi — Thu, 22 Feb 2018 15:05:38 GMT

Reasearching

Re: SAML AuthRequest assertions are not signed by the ISE

Nidhi — Fri, 23 Feb 2018 13:26:30 GMT

Have you checked these 2 documents -

ISE Design & Integration Guides

Lab Config Guide: ISE 2.1 with Ping Fed for Guest Web Auth & Sponsor Portal SAML SSO

meanwhile I have asked our SME to look into it .

Thanks,

Nidhi

Re: SAML AuthRequest assertions are not signed by the ISE

mtrojcza — Fri, 23 Feb 2018 13:33:08 GMT

Hi Nidhi,

Thank you for looking into it. Yes, I have checked the docs you mentioned, but didn't find the level of details needed to answer these doubts...

I will be looking forward to hearing from the SME.

Thanks,

Mateusz

Re: SAML AuthRequest assertions are not signed by the ISE

hslai — Tue, 27 Feb 2018 17:05:07 GMT

Below is to re-iterate what we discussed:

At present, it's not configurable in ISE to sign SAML AuthRequest. Logout requests are the ones with the option to be signed in the SAML advanced settings.

3.1 HTTP Redirect Binding in SAML 2.0 - Wikipedia says

… In practice, all the data contained in a <samlp:AuthnRequest>, such as Issuer which contains the SP ID, and NameIDPolicy, has been agreed between IdP and SP beforehand (via manual information exchange or via SAML metadata). In that case signing the request is not a security constraint. ...

If needed, please go ahead and log an enhancement request.

Re: SAML AuthRequest assertions are not signed by the ISE

kaiychen — Wed, 08 Sep 2021 08:06:19 GMT

May we know is there any change/enhancement on this in latest ISE 3.0 or 3.1 ?

We are doing ISE SAML integration and encounters the same problem.

Thanks for the comments.

Re: SAML AuthRequest assertions are not signed by the ISE

Greg Gibbs — Wed, 08 Sep 2021 22:15:58 GMT

There is still no configuration option for this in ISE 3.0/3.1 and I was not able to find any enhancement request filed related to this.

The customer can use the Make a Wish feature to request this or you can reach out to the PM team internally via cs.co/ise-pm.