Multiple groups in SAML Assertion in Cisco ISE supported?

MahmoudDawoud0323 — Wed, 04 Jan 2023 23:23:09 GMT

Hello All,

I was doing SAML Authentication for Admin Login, the login works when IdP sends only one group, when it sends multiple groups, ISE only validates the first group sent. I tried in the Advanced settings in the SAML Provider under External identity sources to configure that assertion will include multi value and separated by delimiter: > , I tried with this and with sending only single value and no help. Can someone help me ? Thanks in advance, Debugs below on ISE and attached SAML Response for Assertions, Notice it marked the multiple groups sent normally but only accepted the first one in the end. The moment I change the Groups value in ISE from RSA_NEW to RSA_AUTH , it starts working so there is no issue with certificate or any SAML configuration, it is cornered in this area now, any advise whether ISE parses all groups really?

SAML Response: statusCode:urn:oasis:names:tc:SAML:2.0:status:Success
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Found attribute name : Groups
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter=<>> is configured for multi value
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Attribute=<Groups> has single value=<RSA_AUTH>, adding value
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter=<>> is configured for multi value
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Attribute=<Groups> has single value=<Administrators>, adding value
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter=<>> is configured for multi value
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Attribute=<Groups> has single value=<RSA_NEW>, adding value
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter=<>> is configured for multi value
2023-01-04 22:48:20,081 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-6][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Attribute=<Groups> has single value=<RSA_MFA>, adding value

2023-01-04 23:15:23,335 DEBUG [https-jsse-nio-192.168.100.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Set on IdpResponse object - attribute<Groups> value=<RSA_AUTH,Administrators,RSA_NEW,RSA_MFA,testcp,LDAP_ONLY>

l IDPResponse:
IdP ID: RSA_Cloud_SAML
Subject: mahmoud.dawoud@dawoudlimited.com
Group: RSA_AUTH
SAML Status Code:urn:oasis:names:tc:SAML:2.0:status:Success
SAML Success:true
SAML Status Message:null
SAML email:mdawoud
SAML Exception:nullUserRole : NONE

Re: Multiple groups in SAML Assertion in Cisco ISE supported?

MahmoudDawoud0323 — Wed, 04 Jan 2023 23:45:02 GMT

Found the solution as this seems to be indeed a bug , https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa17470

Will apply patch 3 and try out the fix 🙂

Re: Multiple groups in SAML Assertion in Cisco ISE supported?

IBMintdev — Tue, 23 May 2023 09:34:21 GMT

@MahmoudDawoud0323 Hi Mahmoud, have you managed to fix this after applying patch #3 ?

topic Multiple groups in SAML Assertion in Cisco ISE supported? in Network Access Control

Multiple groups in SAML Assertion in Cisco ISE supported?

Re: Multiple groups in SAML Assertion in Cisco ISE supported?

Re: Multiple groups in SAML Assertion in Cisco ISE supported?