Cisco ISE : linking a sponsor with a sponsor email

Jeremy Gibbons
Level 1

Hello,

I have an issue with ISE 1.4.

We have added a connection to our Active Directory, targeting Domain Users, such that any valid AD user can be a sponsor on the sponsor portal.

We have also enabled auto-sponsoring, such that a Guest can provide a sponsor's email address to request credentials.

The problem is that ISE doesn't seem to be able to match the sponsor email with a sponsor account read from AD. Consequently, although the targeted sponsor does receive an email, anyone who logs into the sponsor portal can see *all* guest access requests, regardless of whether they were the sponsor the guest had sent the request to.

This is both confusing for the users, and the cause of all sorts of fun issues where a sponsor who sees requests not intended for him just deletes them.

Does anyone know if there is a better way to do this? I do not want to go back to having small groups of sponsors...

Thanks,

4 Replies

Jimmy Symoens
Level 1

Only internal user database or SSO sources support the link between the sponsor e-mail account and the sponsor user.

If you go to the sponsor group settings and hover over the info-icon next to 'Only pending accounts assigned to this sponsor' approval setting, it will show you a tooltip explaining exactly what I said here.

Hope it helps...

770801tvdhaar
Level 1

Did you find a working solution? I too don't want to have small groups of sponsors. It seems meaningless to add users to the local DB when we already have a competent AD connector within ISE 2.1.

I will look into SAML but this too seems overkill just for logging into the sponsor portal.

On our end we are actually eager to implement SAML. The only reason we didn't in the first place was because ISE only supported a short list of non-standard-SAML federation servers before the latest updates. So that's how we are going to proceed.

We will probably have to mess with the groups somehow so that 99% of users see only their requests, and the remaining 1% have the ability to view a larger set for troubleshooting and the like.

I implemented SAML for the sponsor portal about two weeks ago, using an existing ADFS setup.

The SAML part works fine, as long as you map the correct attributes, but the entire portal stopped working... What's the use of SSO if everything after the actual sign-on returns an application 500 error, eh?

Still have a case open... But be sure to report back on how SAML is working out for you (and which IdP).