https://community.cisco.com/t5/network-security/can-we-do-saml-before-nat/m-p/4936486#M1104888 Based on the nature of SAML (Security Assertion Markup Language) authentication process, it might not be feasible to perform SAML authentication on the Cisco Firepower Threat Defense (FTD) firewall. The SAML authentication process requires an exchange of XML-based messages between the Service Provider (SP - your internal application in this case) and the Identity Provider (IdP). Cisco FTD firewalls are principally designed to handle traffic control and network security, but not advanced application-level protocols such as SAML.<BR /><BR />However, an alternative approach can be considered. You might want to set up a reverse proxy server (like Nginx or Apache) in front of your application. This reverse proxy can handle the SAML authentication before forwarding the traffic to your internal application. The flow would then look like this:<BR /><BR />Flow ---) .com URL---)1.1.1.1--) Hits Reverse Proxy --) SAML(OK) --) Forward to Firewall --) Destination NAT happens to APPLICATION<BR /><BR />Please note, this is a broad solution and actual implementation might vary depending on your specific network layout and requirements. Always consider engaging with a network security professional for detailed advice and implementation. Mon, 09 Oct 2023 09:50:39 GMT Cisco_Virtual_Engineer 2023-10-09T09:50:39Z https://community.cisco.com/t5/network-security/can-we-do-saml-before-nat/m-p/4935628#M1104860 <DIV class="lia-message-template-question-zone"><P>We have an internal application which is accessible on VPN,&nbsp;Currently SAML authentication is configured at application level.</P><P>I'm planning to move it off VPN and have it accessible internally as well.</P><P>What i have proposed is create an external DNS record have it hit an ip on FTD and then it does destination NAT to FQDN and hits the application where SAML authentication happens</P><P>Is it possible to have SAML authenticaton on external IP configured on FTD ? before it enters our network&nbsp;</P><P>Flow ---&gt; .com URL---&gt;1.1.1.1--&gt; Hits FW--&gt; Destination NAT happens to APPLICATION -- SAML--&gt; OK</P><P>Possible Solution ?</P><P>Flow ---&gt; .com URL---&gt;1.1.1.1--&gt; Hits FW--&gt;SAML(OK)--&gt; Destination NAT happens to APPLICATION&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P></DIV><DIV class="lia-message-template-answer-zone"><H2>&nbsp;</H2><P>&nbsp;</P></DIV> Fri, 06 Oct 2023 17:39:45 GMT https://community.cisco.com/t5/network-security/can-we-do-saml-before-nat/m-p/4935628#M1104860 amitpalsingh 2023-10-06T17:39:45Z https://community.cisco.com/t5/network-security/can-we-do-saml-before-nat/m-p/4936486#M1104888 Based on the nature of SAML (Security Assertion Markup Language) authentication process, it might not be feasible to perform SAML authentication on the Cisco Firepower Threat Defense (FTD) firewall. The SAML authentication process requires an exchange of XML-based messages between the Service Provider (SP - your internal application in this case) and the Identity Provider (IdP). Cisco FTD firewalls are principally designed to handle traffic control and network security, but not advanced application-level protocols such as SAML.<BR /><BR />However, an alternative approach can be considered. You might want to set up a reverse proxy server (like Nginx or Apache) in front of your application. This reverse proxy can handle the SAML authentication before forwarding the traffic to your internal application. The flow would then look like this:<BR /><BR />Flow ---) .com URL---)1.1.1.1--) Hits Reverse Proxy --) SAML(OK) --) Forward to Firewall --) Destination NAT happens to APPLICATION<BR /><BR />Please note, this is a broad solution and actual implementation might vary depending on your specific network layout and requirements. Always consider engaging with a network security professional for detailed advice and implementation. Mon, 09 Oct 2023 09:50:39 GMT https://community.cisco.com/t5/network-security/can-we-do-saml-before-nat/m-p/4936486#M1104888 Cisco_Virtual_Engineer 2023-10-09T09:50:39Z