11-28-2019 01:17 AM
Hi Folks,
We have done an integration of OKTA with ISE using the SAML ID providers External Identity source option.
Now we want to create rules based on the groups created on the OKTA Universal directory.
We have created 3 groups on OKTA and added users to those groups and manually added the group names of OKTA in ISE
However, in the ISE Identity source sequence, we are not able to select the OKTA Identity Store due to which we cannot use OKTA for authentication.
But, in the Authorization policy, we have the option to select the Groups that we have created on OKTA.
So my question is: can we use the OKTA Universal Directory for authentication/authorization through ISE? When we tested, we got an error stating that the subject was not found in the identity store.
Thanks,
Pradeep
12-02-2019 11:19 AM
The SAML identity store will not show up in the ISS (Identity Source Sequence), as the ISS only contains ID stores that can be used to process credentials via ISE. Since SAML is only supported on web portals, you can define the SAML on the specific portals for authentication. Authorization can be done via authorization rules, as you have noted, within the policy rule condition. IOW, SAML cannot be used in the ISS, but you can use SAML attributes during authorization, so what you are experiencing is expected behavior.
12-02-2019 02:53 PM
Adding to howon's...
Please ensure the attribute designated as "Identity Attribute" in the Advanced Settings in ISE SAML Id Provider is the same one configured for "Subject Name Attribute" in the LDAP.
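As an added illustration of the two answers above (not code from the thread or from Cisco ISE), the snippet below takes a constructed Okta-style SAML assertion and shows the two checks being discussed: whether the attribute configured as the "Identity Attribute" is actually present in the assertion (when it is not, the subject cannot be resolved, which is the "subject not found" outcome), and which asserted group values match the group names typed into ISE for use in authorization rules. The attribute names `email` and `groups` and the group names are hypothetical.

```python
# Added example (not from the Cisco thread). Attribute names, group names and
# the assertion itself are constructed for illustration.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: a NameID plus an Okta-style "groups" attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ISE-Admins</saml:AttributeValue>
      <saml:AttributeValue>ISE-Guests</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(assertion_xml):
    """Map each attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def resolve_subject(assertion_xml, identity_attribute):
    """Return the value of the configured identity attribute, or None when the
    assertion does not carry it (no subject can be resolved in that case)."""
    values = attributes(assertion_xml).get(identity_attribute)
    return values[0] if values else None


def matched_groups(assertion_xml, group_attribute, configured_groups):
    """Intersect the asserted group values with the group names configured on
    the policy side. Exact string comparison is assumed here."""
    asserted = set(attributes(assertion_xml).get(group_attribute, []))
    return sorted(asserted & set(configured_groups))


if __name__ == "__main__":
    print(resolve_subject(SAMPLE_ASSERTION, "email"))      # jdoe@example.com
    print(resolve_subject(SAMPLE_ASSERTION, "uid"))        # None: attribute missing
    print(matched_groups(SAMPLE_ASSERTION, "groups", ["ISE-Admins", "Finance"]))
```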