https://community.cisco.com/t5/network-access-control/substituting-okta-for-rsa/m-p/4897916#M583246 <P>SAML IdP can only be used for specific portal-based flows in ISE. See the <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_asset_visibility.html#concept_6878301F1F7C460585A4A267ECF77723" target="_blank" rel="noopener">Admin Guide</A> for more info.</P> <P>If you need to use SAML for VPN + MFA, you would likely need to move to a different flow where the VPN headend (ASA/FTD) performs the Authentication directly against Okta using SAML and then hands off to ISE to perform Authorization only.</P> <P>VPN headend &lt;-&gt; Okta SAML authC -&gt; ISE AuthZ only</P> <P>Example ASA + Okta SAML config:<BR /><A href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Cisco-ASA-VPN.html" target="_blank">https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Cisco-ASA-VPN.html</A></P> <P>Example ASA RADIUS server config for ISE Authorization only:</P> <PRE>aaa-server ISE_RAD protocol radius<BR /> authorize-only<BR /> interim-accounting-update<BR /> dynamic-authorization</PRE> Wed, 02 Aug 2023 23:20:39 GMT Greg Gibbs 2023-08-02T23:20:39Z https://community.cisco.com/t5/network-access-control/substituting-okta-for-rsa/m-p/4897766#M583238 <P>We currently use ISE to process access requests from Global Protect users.&nbsp; The remote GP VPN users are currently using RSA via RADIUS.&nbsp; Works fine, so of course they want to change it up such that ISE forwards to Okta instead of RSA.&nbsp; Both Okta and RSA already talk to our AD environment, so I think it's mostly a matter of creating a new External Identity Source in ISE, and updating the specific Policy Set to use this new source.</P><P>I've not configured ISE with SAML before, and was hoping to find somebody who has been down this road.</P> Wed, 02 Aug 2023 17:05:35 GMT https://community.cisco.com/t5/network-access-control/substituting-okta-for-rsa/m-p/4897766#M583238 fitzie 2023-08-02T17:05:35Z https://community.cisco.com/t5/network-access-control/substituting-okta-for-rsa/m-p/4897916#M583246 <P>SAML IdP can only be used for specific portal-based flows in ISE. See the <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_asset_visibility.html#concept_6878301F1F7C460585A4A267ECF77723" target="_blank" rel="noopener">Admin Guide</A> for more info.</P> <P>If you need to use SAML for VPN + MFA, you would likely need to move to a different flow where the VPN headend (ASA/FTD) performs the Authentication directly against Okta using SAML and then hands off to ISE to perform Authorization only.</P> <P>VPN headend &lt;-&gt; Okta SAML authC -&gt; ISE AuthZ only</P> <P>Example ASA + Okta SAML config:<BR /><A href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Cisco-ASA-VPN.html" target="_blank">https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Cisco-ASA-VPN.html</A></P> <P>Example ASA RADIUS server config for ISE Authorization only:</P> <PRE>aaa-server ISE_RAD protocol radius<BR /> authorize-only<BR /> interim-accounting-update<BR /> dynamic-authorization</PRE> Wed, 02 Aug 2023 23:20:39 GMT https://community.cisco.com/t5/network-access-control/substituting-okta-for-rsa/m-p/4897916#M583246 Greg Gibbs 2023-08-02T23:20:39Z