Integration between ISE and ADFS

rlandire
Cisco Employee

Hi team,

I am looking for some help: we are doing an onsite demo with one of our customers in Ecuador. For this, we need to use MS ADFS as the SAML provider for ISE. We have been searching for how to do this integration, but it looks like it is not well documented. As we understand it, the main problem with this is how to map the attributes returned from ADFS to ISE.

https://cisco-marketing.hosted.jivesoftware.com/message/248362

Also, we have opened a case with TAC and they suggest using a third-party vendor for this integration (Ping Federate).

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200545-Configure-ISE-2-1-Sponsor-Portal-with-Pi.html

Could you please confirm whether this integration is possible without using a third-party vendor? If the answer is yes, could you please provide some details about how to do this integration?


Best regards,

Robert Landires


hslai
Cisco Employee

Yes, I will unicast you the info I have.

Thank you very much Hsing-tsu

Hi, got the same problem. Would like to know how to integrate the ISE (version 2.3) with the ADFS.

Thanks a lot!

I need your email address to share a copy of my notes, which were written for our internal use only ~20 months ago. They need to be re-validated before publishing here. Incidentally, Cisco TAC is working on a similar article.

 

[2018-May-11] I published it as a blog post -- Notes on ADFS as SAML IdP for ISE User Portals -- after some clean-ups.

Hi,

I came back here after some time. I have read the official document on how to integrate the sponsor portal with AD FS (https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-23/213352-configure-ise-2-3-sponsor-portal-with-ms.html).

I have to admit that I do not have any knowledge of how ADFS works, but we have a problem with the SSO.

We have done all the steps described in the document; however, the domain user (on a domain computer) is always redirected to the ADFS web page to enter his credentials before entering the sponsor portal.

I thought that when using ADFS for SSO, the domain user would not be required to enter credentials anywhere. The user has logged into the computer, so the ADFS system should have the credentials and therefore should automatically log the user into the sponsor portal without any intervention from the user.

Or am I missing something?

 

Thanks a lot!

In my notes, I put this as a bullet item:

(ADFS) Update the global settings of the primary authentication to Forms Authentication, because ISE does not support other authentication methods (CSCvb32728)
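As an added illustration (not part of hslai's notes or any post in this thread), the AD FS global authentication policy referred to in that bullet can be checked and corrected from PowerShell on the AD FS server. The cmdlets and the provider name `FormsAuthentication` are from the Windows ADFS module; the assumption is that intranet clients were left on the default `WindowsAuthentication` provider, which is what triggers the Kerberos/NTLM path that ISE does not support.

```powershell
# Added example, not from the thread: inspect and, if needed, set the AD FS
# primary authentication provider to Forms Authentication.
# Run in an elevated session on the AD FS server (ADFS module is installed there).
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy

# Show what intranet (domain-joined, inside the network) and extranet clients
# currently get as primary authentication.
"Intranet primary providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet primary providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# Intranet clients commonly default to WindowsAuthentication (Kerberos/NTLM),
# which ISE's SAML support does not handle (CSCvb32728, per the reply above).
# Switch both scopes to Forms so every client gets the same, supported flow.
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'FormsAuthentication') {
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryIntranetAuthenticationProvider @('FormsAuthentication') `
        -PrimaryExtranetAuthenticationProvider @('FormsAuthentication')
    "Primary authentication switched to FormsAuthentication for intranet and extranet."
}
else {
    "FormsAuthentication already configured; no change made."
}
```

With Forms as the primary provider, the credential page the later posts describe is the expected behaviour: the browser is redirected to AD FS, the user types a password, and AD FS posts the SAML assertion back to the ISE portal. Seamless, prompt-free SSO for domain users is a Kerberos feature, not something this setting can deliver.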

Hi,

We have that set as described, but still no luck. The user is still redirected to the ADFS portal, where the credentials are requested.

To be sure, does SSO work for the sponsor portal without any interaction from the user?

Using SAML with ISE is currently supported only with form-based authentication, so it is expected to redirect to the ADFS portal to log in.

I think you are expecting Kerberos auth. For the ISE Sponsor Portal, ISE 2.4 has a new option for Kerberos auth -- Portal Settings for Sponsor Portals:

...

  • Allow Kerberos—Use Kerberos to authenticate a sponsor for access to the sponsor portal. Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.

...

Hi,

Thanks for that information. Going to test version 2.4.

 

Regards,

Jan

Hi Jan,

 

I'm curious whether you had any luck getting SSO working with 2.4.

 

Cheers,

Scott

Hi Scott,

Not for now, I played with it for a long time without success.

Still waiting for some help from the local Cisco guy, so maybe in the near future I will have more information.