topic Re: ISE OKTA SAML Integration for Admin Access to Web GUI in Network Access Control

ISE OKTA SAML Integration for Admin Access to Web GUI

jordanburnett — Wed, 26 Jun 2019 18:23:19 GMT

Hello,

I have a customer that has asked whether we can add two-factor authentication to the Admin Access side of ISE via OKTA as a SAML provider. I have only ever configured this with native AD integration based on a security group.

Does anyone have any idea if the Admin Access (access to the ISE GUI) can be integrated with OKTA?

The ISE 2.6 guide mentions only some of the actual portals for end users, not administrators.

Thanks!

Re: ISE OKTA SAML Integration for Admin Access to Web GUI

howon — Thu, 27 Jun 2019 00:39:52 GMT

No, not currently. SAML is only supported for Guest, Mydevices, Sponsor, and Certificate provisioning portal.

Re: ISE OKTA SAML Integration for Admin Access to Web GUI

jordanburnett — Sun, 30 Jun 2019 12:52:05 GMT

Thanks! Is there any way to do multi-factor authentication for Admin Access?

Re: ISE OKTA SAML Integration for Admin Access to Web GUI

hslai — Sun, 30 Jun 2019 14:43:08 GMT

@jordanburnett wrote:

... Is there any way to do multi-factor authentication for Admin Access?

Yes, MFA does not require SAML. See an example how it can be done at Solved: MFA for ISE admin access? - Cisco Community

Re: ISE OKTA SAML Integration for Admin Access to Web GUI

jmorton1 — Mon, 16 Oct 2023 16:59:09 GMT

Does anyone know if this has changed by chance? It has been 4 years. I was hoping with could do SAML for the admin portal of ISE 3.3

Re: ISE OKTA SAML Integration for Admin Access to Web GUI

Greg Gibbs — Mon, 16 Oct 2023 21:22:59 GMT

Yes, SAML is supported for authentication of the Admin GUI. See this example and see if you can tweak it for your use case.
Configure ISE 3.1 ISE GUI Admin Log in Flow via SAML SSO Integration with Azure AD

Re: ISE OKTA SAML Integration for Admin Access to Web GUI

jmorton1 — Mon, 16 Oct 2023 23:21:44 GMT

Thank you! I will note that I had to deviate from the instructions under the sections 7. Configure Active Directory Group Attribute and Step 4. Configure SAML Groups on ISE. Under 7. Configure Active Directory Group Attribute, instead of giving the group claim a custom name, I had to leave the claim name for groups as the default, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, and then under Step 4. Configure SAML Groups on ISE, for the group membership attribute, instead of just putting "groups", I had to put http://schemas.microsoft.com/ws/2008/06/identity/claims/groups and then the group mapping worked.

Re: ISE OKTA SAML Integration for Admin Access to Web GUI

BrianRoberson — Thu, 07 Nov 2024 18:33:55 GMT

Hi Jmorton1-

Edit: Sorry Re-read and saw you are probably using Azure AD and not another SAML provider.