
11-13-2017 12:35 PM
Hi team,
I am looking for some help; we are doing an onsite demo with one of our customers in Ecuador. For this, we need to use MS ADFS as SAML provider to ISE. We have been searching for how to do this integration, but it looks like it is not well documented. As we understand it, the main problem is how to map the attributes returned from ADFS to ISE.
https://cisco-marketing.hosted.jivesoftware.com/message/248362
Also we have opened a case with TAC and they suggest to use a third party vendor for this integration (Ping Federate).
Could you please confirm whether this integration is possible without using a third-party vendor? If the answer is yes, could you please provide some details about how to do this integration?
Best regards,
Robert Landires
Labels: Identity Services Engine (ISE)
Accepted Solutions
05-07-2018 09:05 AM - edited 09-01-2018 07:10 PM
I need your email address to share a copy of my notes, which were written for our internal use only ~ 20 months ago. It needs to be re-validated before publishing here. Incidentally, Cisco TAC is working on a similar article.
[2018-May-11] I published it as a blog -- Notes on ADFS as SAML IdP for ISE User Portals -- after some clean-ups.
11-13-2017 12:39 PM
Yes, I will unicast you the info I have.

11-13-2017 03:45 PM
Thank you very much Hsing-tsu
05-07-2018 01:38 AM
Hi, got the same problem. Would like to know how to integrate the ISE (version 2.3) with the ADFS.
Thanks a lot!
08-15-2018 02:41 AM
Hi,
I came back here after some time. I have read the official document on how to integrate the sponsor portal with AD FS (https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-23/213352-configure-ise-2-3-sponsor-portal-with-ms.html).
I have to admit that I do not have any knowledge of how ADFS works, but we got a problem with the SSO.
We have done all the steps described in the document; however, the domain user (on a domain computer) is always redirected to the ADFS webpage to enter his credentials before entering the sponsor portal.
I thought that when using ADFS for SSO, the domain user will not be required to enter the credentials anywhere. The user has logged into the computer so the ADFS system should have the credentials and therefore should automatically log the user into the sponsor portal without any intervention from the user.
Or am I missing something?
Thanks a lot!
09-01-2018 07:11 PM
In my notes, I put this as a bullet item:
(ADFS) Update the global settings of the primary authentication to Forms Authentication, because ISE is not supporting other authentication methods (CSCvb32728)
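The global-settings change named in the bullet above can be inspected and applied from PowerShell on the AD FS server. This is an added example, not part of the original post or the author's notes; it assumes the intranet primary authentication setting is the one meant, and note that the global policy applies to every relying party on the farm, not only ISE.

```powershell
# Added example: assumes an elevated session on an AD FS server
# (Windows Server 2012 R2 or later) with the ADFS module available.
Import-Module ADFS

# Record the current global primary authentication providers before changing anything.
$policy = Get-AdfsGlobalAuthenticationPolicy
$before = [pscustomobject]@{
    Intranet = @($policy.PrimaryIntranetAuthenticationProvider)
    Extranet = @($policy.PrimaryExtranetAuthenticationProvider)
}
$before | Format-List

# Assumption: the bullet refers to intranet primary authentication.
# Forms only means domain users get the AD FS login page instead of
# silent Windows Integrated Authentication.
$wanted = @('FormsAuthentication')
if (($before.Intranet -join ',') -ne ($wanted -join ',')) {
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $wanted
}

# Confirm the resulting setting.
(Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
```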
09-03-2018 05:46 AM
Hi,
We have that set as described, but still no luck. The user is still redirected to the ADFS portal where the credentials are requested.
To be sure, does the SSO work for the sponsor portal without any interaction from the user?
09-03-2018 08:28 AM
Using SAML with ISE is currently supported with form-based authentication so it's expected to redirect to the ADFS portal to login.
I think you are expecting Kerberos auth. For ISE Sponsor Portal, ISE 2.4 has a new option for Kerberos auth -- Portal Settings for Sponsor Portals:
...
- Allow Kerberos—Use Kerberos to authenticate a sponsor for access to the sponsor portal. Kerberos SSO is performed inside the secure tunnel after the browser establishes the SSL connection with ISE.
...
09-03-2018 11:08 PM
Hi,
Thanks for that information. Going to test version 2.4.
Regards,
Jan
09-21-2018 09:45 AM
Hi Jan,
I'm curious if you had luck with getting SSO working with 2.4?
Cheers,
Scott
09-23-2018 11:44 PM
Hi Scott,
Not for now; I played with it for a long time without success.
Still waiting for some help from the local Cisco guy, so maybe in the near future I will have more information.
