https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3699276#M519934 <P>In my notes, I put this as a bullet item:</P> <P><EM><FONT color="#000080">(ADFS) Update the global settings of the primary authentication to Forms Authentication, because ISE is not supporting other authentication methods (CSCvb32728)</FONT></EM></P> Sun, 02 Sep 2018 02:11:55 GMT hslai 2018-09-02T02:11:55Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562712#M519928 <HTML><HEAD></HEAD><BODY><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;">Hi team, </SPAN></P><P></P><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;">I am looking from some help, we are doing an onsite demo with one of our customers in Ecuador. For this, we need to use MS ADFS as SAML provider to ISE. We have been searching about how to do this integration but looks like it is not well documented. As we understand the main problem with this is how to map the attributes returning from ADFS to ISE.</SPAN></P><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;"><A href="https://cisco-marketing.hosted.jivesoftware.com/message/248362" style="color: #954f72; text-decoration: underline;">https://cisco-marketing.hosted.jivesoftware.com/message/248362</A></SPAN></P><P></P><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;">Also we have opened a case with TAC and they suggest to use a third party vendor for this integration (Ping Federate).</SPAN></P><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;"><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200545-Configure-ISE-2-1-Sponsor-Portal-with-Pi.html" style="color: #954f72; text-decoration: underline;">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200545-Configure-ISE-2-1-Sponsor-Portal-with-Pi.html</A></SPAN></P><P></P><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;">Please may you confirm if this integration is possible without using a third party vendor? if the answer is yes please may you provide some details about how to do this integration?</SPAN></P><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;"><BR /></SPAN></P><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;">Best regards,</SPAN></P><P style="font-size: 12pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN style="font-size: 11pt;">Robert Landires<BR /></SPAN></P></BODY></HTML> Mon, 13 Nov 2017 20:35:29 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562712#M519928 rlandire 2017-11-13T20:35:29Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562713#M519929 <HTML><HEAD></HEAD><BODY><P>Yes, I will unicast you the info I have.</P></BODY></HTML> Mon, 13 Nov 2017 20:39:41 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562713#M519929 hslai 2017-11-13T20:39:41Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562714#M519930 <HTML><HEAD></HEAD><BODY><P>Thank you very much Hsing-tsu</P></BODY></HTML> Mon, 13 Nov 2017 23:45:36 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562714#M519930 rlandire 2017-11-13T23:45:36Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562715#M519931 <HTML><HEAD></HEAD><BODY><P>Hi, got the same problem. Would like to know how to integrate the ISE (version 2.3) with the ADFS.</P><P>Thanks a lot!</P></BODY></HTML> Mon, 07 May 2018 08:38:56 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562715#M519931 jan.murin 2018-05-07T08:38:56Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562716#M519932 <P><SPAN style="text-decoration: line-through;">I need your email address</SPAN> to share a copy of my notes, which were written for our internal use only ~ 20 months ago. It needs re-validated before publishing here. Incidentally, Cisco TAC is working on a similar article.</P> <P>&nbsp;</P> <P>[2018-May-11] I published it a blog -- <A id="link_149" class="page-link lia-link-navigation lia-custom-event" href="https://community.cisco.com/t5/security-blogs/notes-on-adfs-as-saml-idp-for-ise-user-portals/ba-p/3661806" target="_blank">Notes on ADFS as SAML IdP for ISE User Portals</A><SPAN style="font-size: 10pt;">&nbsp;after some clean-ups.</SPAN></P> Sun, 02 Sep 2018 02:10:46 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3562716#M519932 hslai 2018-09-02T02:10:46Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3688773#M519933 <P>Hi,</P> <P>I came back here after some time. I have read the official document how to integrate sponsor portal with AD FS (<A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-23/213352-configure-ise-2-3-sponsor-portal-with-ms.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-23/213352-configure-ise-2-3-sponsor-portal-with-ms.html</A>).</P> <P>I have to admit that I do not&nbsp;have any knowledge how ADFS works, but we got a problem with the SSO.</P> <P>We done all the steps described in the document, however the domain user (on a domain computer) is always redirected to the ADFS webpage to enter his credentials before entering the sponsor portal.</P> <P>I thought that when using ADFS for SSO, the domain user will not be required to enter the credentials anywhere. The user has logged into the computer so the ADFS system should have the credentials and therefore should automatically log the user into the sponsor portal without any intervention from the user.</P> <P>Or I am missing something?</P> <P>&nbsp;</P> <P>Thanks a lot!</P> Wed, 15 Aug 2018 09:41:38 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3688773#M519933 jan.murin 2018-08-15T09:41:38Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3699276#M519934 <P>In my notes, I put this as a bullet item:</P> <P><EM><FONT color="#000080">(ADFS) Update the global settings of the primary authentication to Forms Authentication, because ISE is not supporting other authentication methods (CSCvb32728)</FONT></EM></P> Sun, 02 Sep 2018 02:11:55 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3699276#M519934 hslai 2018-09-02T02:11:55Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3699725#M519935 <P>Hi,</P> <P>we have that set as described, but still no luck. The user is still redirected to the ADFS portal where the credentials are requested.</P> <P>To be sure, does the SSO working for the sponsor portal without any interaction from the user?&nbsp;</P> Mon, 03 Sep 2018 12:46:29 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3699725#M519935 jan.murin 2018-09-03T12:46:29Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3699828#M519936 <P>Using SAML with ISE is currently supported with form-based authentication so it's expected to redirect to the ADFS portal to login.</P> <P>I think you are expecting Kerberos auth. For ISE Sponsor Portal, ISE 2.4 has a new option for Kerberos auth --&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011100.html#reference_5F10051EBA9046468988DCEB54C60853" target="_blank">Portal Settings for Sponsor Portals</A>:</P> <P>...</P> <UL> <LI><STRONG><SPAN class="ph uicontrol">Allow Kerberos</SPAN></STRONG><EM>—Use Kerberos to authenticate a sponsor for access to the sponsor portal. Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.</EM></LI> </UL> <P>...</P> Mon, 03 Sep 2018 15:28:53 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3699828#M519936 hslai 2018-09-03T15:28:53Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3700113#M519937 <P>Hi,</P> <P>thanks for that information. Going to test&nbsp;version 2.4.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Jan</P> Tue, 04 Sep 2018 06:08:08 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3700113#M519937 jan.murin 2018-09-04T06:08:08Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3711235#M519938 <P>Hi Jan,</P> <P>&nbsp;</P> <P>I'm curious if you had luck with getting SSO working with 2.4?</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Scott</P> Fri, 21 Sep 2018 16:45:29 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3711235#M519938 scott.stapleton 2018-09-21T16:45:29Z https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3711844#M519939 <P>Hi Scott,</P> <P>Not for now,&nbsp;I played with it for a long time without success.</P> <P>Still waiting for some help from the local cisco guy, so maybe in the near future I will have more information.</P> <P>&nbsp;</P> Mon, 24 Sep 2018 06:44:11 GMT https://community.cisco.com/t5/network-access-control/integration-between-ise-and-adfs/m-p/3711844#M519939 jan.murin 2018-09-24T06:44:11Z