
Authentication issue with ISE - OKTA

sagar.pradeep
Level 1

Hi Folks,


We have done an integration of OKTA with ISE using the SAML ID Providers external identity source option.
Now we want to create rules based on the groups created in the OKTA Universal Directory.
We have created 3 groups in OKTA, added users to those groups, and manually added the OKTA group names in ISE.

However, in the ISE Identity Source Sequence we are not able to select the OKTA identity store, so we cannot use OKTA for authentication.
But in the authorization policy we do have the option to select the groups that we created in OKTA.

So my question is: can we use the OKTA Universal Directory for authentication/authorization through ISE? When we tested, we got an error stating "subject not found in identity store".


Thanks,

Pradeep

Accepted Solution

howon
Cisco Employee

The SAML identity store will not show up in the ISS (Identity Source Sequence), as the ISS only contains ID stores that can be used to process credentials via ISE. Since SAML is only supported on web portals, you can define the SAML ID provider on the specific portals for authentication. Authorization can be done via authorization rules, as you have noted, within the policy rule condition. In other words, SAML cannot be used in the ISS, but SAML attributes can be used during authorization, so what you are experiencing is expected behavior.

Replies

hslai
Cisco Employee

Adding to howon's...

Please ensure the attribute designated as "Identity Attribute" in the Advanced Settings in ISE SAML Id Provider is the same one configured for "Subject Name Attribute" in the LDAP.
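As an added illustration of the two answers above (example code written for this page, not code from the thread, from Cisco ISE, or from Okta): the script below parses a constructed SAML 2.0 assertion, uses its group attribute for the authorization-style group match howon describes, and models the subject lookup hslai describes, where the value of the IdP "Identity Attribute" is searched in the identity store on its configured "Subject Name Attribute". The attribute names ("email", "groups"), the group names, the directory contents and the way the lookup is modeled are all assumptions made for the example, not ISE internals.

```python
"""Added example (not from the original thread). Models two things the
answers describe:
  1. SAML attributes (here a "groups" attribute) can feed authorization rules.
  2. The post-SAML subject lookup succeeds only when the value carried by
     the IdP's identity attribute matches the identity store's subject-name
     attribute; otherwise the result is "subject not found in identity store".
The assertion, attribute names, group names and the tiny in-memory
directory are constructed for illustration and are assumptions, not
values taken from ISE or Okta.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature omitted; not a real Okta response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>pradeep@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>pradeep@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ISE-Admins</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the LDAP identity store that ISE queries after
# SAML authentication. Each entry carries several attributes; the store is
# configured to look subjects up on exactly one "Subject Name Attribute".
DIRECTORY = [
    {"sAMAccountName": "pradeep", "mail": "pradeep@example.com"},
]


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def lookup_subject(identity_attr, attrs, subject_name_attr, directory):
    """Model of the subject lookup: take the first value of the SAML identity
    attribute and search the directory on its configured subject-name
    attribute. Returns the entry, or None (the "subject not found" case)."""
    values = attrs.get(identity_attr, [])
    if not values:
        return None
    wanted = values[0]
    for entry in directory:
        if entry.get(subject_name_attr) == wanted:
            return entry
    return None


def authorize(attrs, group_attr, configured_groups):
    """Authorization-side check: which ISE-configured Okta group names appear
    in the assertion's group attribute. Returns the sorted intersection."""
    asserted = set(attrs.get(group_attr, []))
    return sorted(asserted & set(configured_groups))


if __name__ == "__main__":
    name_id, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("NameID:", name_id)
    print("Groups matched:", authorize(attrs, "groups", ["ISE-Admins", "Guest-Users"]))
    # Identity attribute carries an e-mail address; looking it up on
    # sAMAccountName cannot match, which is the "subject not found" symptom.
    print("email vs sAMAccountName:", lookup_subject("email", attrs, "sAMAccountName", DIRECTORY))
    # Same value looked up on the attribute that actually holds it.
    print("email vs mail:", lookup_subject("email", attrs, "mail", DIRECTORY))
```

The point of the two `lookup_subject` calls is the one hslai raises: the group match works off the assertion alone, but the subject lookup compares the identity attribute's value against whatever attribute the LDAP store is configured to key on, so an e-mail address looked up against an account-name attribute simply does not match.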
