SAML configuration for ISE, can SSO Binding URL/Port be changed?

afrazer — Tue, 05 Nov 2024 18:50:08 GMT

Hi,

I have and an environment with Microsoft Entra ID, providing SAML/SSO for administration access to ISE. Internally this works, and administrators are able to login using their Entra Creds.

I also have Zscaler, and use the Client Portal to provide web based access to a variety of things for 3rd partys/contractors. The Zscaler Client portal, only listens on port 443, and 80. It can redirect traffic to to other ports internally. However to do so, i'd need to be able to change the URL of the SSO binding.

my ise server's host name is akl-01.radius.XXX.cloud and it reponds on 443 as expected. The configuration provides this location for the SAML assertion. You can see the base URL is the same. and that is where i get unstuck.

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://akl-01.radius.XXXXX.cloud:8443/portal/SSOLoginResponse.action" index="0"/>

Is it possible for me to set up a different Host name for the assertion? something like akl-01.saml4radius.XXXX.cloud ?
If i coudl do this, it would allow me to do some redirections..

Re: SAML configuration for ISE, can SSO Binding URL/Port be changed?

Greg Gibbs — Wed, 06 Nov 2024 03:50:45 GMT

The Assertion is bound to the portal and the respective interface. The only way I can think of that might work would be to enable a second interface on ISE, create a static host entry for that interface, and move the Portal to use that interface.

topic Re: SAML configuration for ISE, can SSO Binding URL/Port be changed? in Network Access Control

SAML configuration for ISE, can SSO Binding URL/Port be changed?

Re: SAML configuration for ISE, can SSO Binding URL/Port be changed?