ISE 2.4 integration with G-Suite SSO

raksec (Cisco Employee)

Hello everyone,

We have the following use cases from a customer for a POV. Looking for suggestions on the below:

1. G-Suite SSO integration with ISE: The ISE document says it supports SAML for the following portals: Guest, Sponsor, My Devices, Certificate Provisioning. Though G-Suite is not in the tested list yet, is this integration possible? If yes, can we do it for internal users?

a) Additionally, ISE supports SSO for Guest and Sponsor users. SSO for Sponsor users makes sense to me, but what's the use case for having SSO for Guest users? Guest users are not in AD and they are not supposed to access any internal applications, so what's the point of doing SSO for Guest users?

b) I am trying to understand the SSO flow here and trying to relate it to the use case for internal users. In SAML, ISE acts as a Service Provider. So if we do it for Guest users, once the Guest is authenticated by the ID Provider and SSO is done, does ISE open access to the rest of the internal HTTP/HTTPS applications? Or does it do SSO only for the Guest portal and not for any other application?

Thanks,

Rakesh Kumar

Accepted Solution

Jason Kunst (Cisco Employee)

@raksec wrote:

1. G-Suite SSO integration with ISE: The ISE document says it supports SAML for the following portals: Guest, Sponsor, My Devices, Certificate Provisioning. Though G-Suite is not in the tested list yet, is this integration possible? If yes, can we do it for internal users?

JAK> If it works with one portal it should work with all, as they are part of SAML support. We are not going to test all vendors.

a) Additionally, ISE supports SSO for Guest and Sponsor users. SSO for Sponsor users makes sense to me, but what's the use case for having SSO for Guest users? Guest users are not in AD and they are not supposed to access any internal applications, so what's the point of doing SSO for Guest users?

JAK> For customers using web auth for contractors or employees that don't want to do dot1x. We have enterprises doing this; internet-only access from their personal devices is one example.

They are Central Web Auth (CWA) portals, not guest portals per se, and can be used many ways.

b) I am trying to understand the SSO flow here and trying to relate it to the use case for internal users. In SAML, ISE acts as a Service Provider. So if we do it for Guest users, once the Guest is authenticated by the ID Provider and SSO is done, does ISE open access to the rest of the internal HTTP/HTTPS applications? Or does it do SSO only for the Guest portal and not for any other application?

JAK> You can decide how to open access depending on your authorization policies and segmentation strategy. The flow is not what does the controls; it's the access controls you attach to them.

5 Replies

Jason Kunst (Cisco Employee)

Can you please separate out your device administration into another post so we can concentrate on smaller items? You can go in and edit your original post.

Thanks Jason, created another one for device admin.


Thanks Jason.

I was looking for a use case to authenticate internal users with SSO through the guest portal.

For instance, we configure the guest portal for SAML to authenticate employees. Once the user authenticates to the guest portal, the user will be redirected to the IdP login page. The user enters the login credentials and ISE receives the secure token from the IdP. Now the user tries to access an internal application. If the application is configured to authenticate users, ISE would play a role and the user would not need to re-enter the login credentials.

And I think that's not possible because ISE is a service provider in the SSO scenario.

Jason Kunst (Cisco Employee)

ISE SAML integration is exactly that for employees or contractors connected with the SAML solution. You log in to any portal on ISE (except for the admin) or anything in your organization that uses SAML; now that you have a token you can move to other internal web resources and not be prompted for authentication until that token times out.

ISE is not an IdP. Those would be Duo, Ping, etc.
Our integration resources are listed here but not limited to them:
Any provider as long as they support SAML 2.0
https://community.cisco.com/t5/security-documents/ise-guest-amp-web-authentication/ta-p/3657224#toc-hId-1419293880

Cisco SAML provider includes Duo.
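The two points made in this thread, that ISE is only a SAML Service Provider whose portals grant network access through authorization policy, and that "moving to other internal web resources" without re-prompting comes from the IdP session rather than from ISE, are easy to confuse. The following is an added toy model written for this page; it is not Cisco or ISE code, and it uses an HMAC-signed JSON payload as a stand-in for a real XML-signed SAML assertion. The user directory, entity IDs (`ise-cwa-portal`, `internal-wiki`), authorization rule names and timings are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the IdP's assertion-signing key (real SAML uses XML-DSig).
IDP_KEY = b"constructed-idp-signing-key"

# Constructed user directory held by the IdP (G Suite, Duo, Ping...), not by ISE.
USERS = {
    "contractor1": {"password": "s3cret", "groups": ["contractors"]},
    "alice": {"password": "hunter2", "groups": ["employees"]},
}


class IdP:
    """Holds the only login session and hands out audience-restricted assertions."""

    def __init__(self, users, key=IDP_KEY, session_ttl=600):
        self.users, self.key, self.session_ttl = users, key, session_ttl
        self.sessions = {}  # cookie -> (username, expires_at)

    def login(self, username, password, now):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        cookie = hashlib.sha256(f"{username}:{now}".encode()).hexdigest()
        self.sessions[cookie] = (username, now + self.session_ttl)
        return cookie

    def assertion(self, cookie, audience, now, ttl=120):
        """Signed assertion for `audience`, or None if the user must log in again."""
        username, expires_at = self.sessions.get(cookie, (None, 0))
        if username is None or now >= expires_at:
            return None
        payload = {"subject": username, "audience": audience,
                   "groups": self.users[username]["groups"],
                   "not_on_or_after": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class SamlSP:
    """Each SAML-enabled resource (an ISE portal, an internal web app) is its own SP."""

    def __init__(self, entity_id, idp_key=IDP_KEY):
        self.entity_id, self.idp_key = entity_id, idp_key

    def consume(self, token, now):
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("invalid signature")
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["audience"] != self.entity_id:
            raise ValueError("assertion was issued for another SP")
        if now >= payload["not_on_or_after"]:
            raise ValueError("assertion expired")
        return payload


# Constructed ISE-style authorization policy: ordered (condition, result) rules.
# SAML only authenticates; this table is what decides the network access granted.
ISE_AUTHZ_RULES = [
    (lambda a: "employees" in a["groups"], "Corp-Full-Access"),
    (lambda a: "contractors" in a["groups"], "Internet-Only"),
    (lambda a: True, "DenyAccess"),
]


def ise_authorize(attrs):
    return next(result for cond, result in ISE_AUTHZ_RULES if cond(attrs))


def visit(sp, idp, cookie, now):
    """Browser visits an SP; returns (assertion attributes, prompted_for_credentials)."""
    token = idp.assertion(cookie, sp.entity_id, now)
    if token is None:
        return None, True
    return sp.consume(token, now), False


def sso_walkthrough(username="contractor1", password="s3cret"):
    idp = IdP(USERS)
    ise_portal = SamlSP("ise-cwa-portal")   # ISE is an SP, never the IdP
    internal_app = SamlSP("internal-wiki")  # a separate SP trusting the same IdP
    result = {}

    # 1. First hit on the ISE CWA portal: no IdP session yet, so credentials are prompted.
    _, prompted = visit(ise_portal, idp, cookie=None, now=0)
    result["portal_prompted"] = prompted
    cookie = idp.login(username, password, now=0)
    attrs, _ = visit(ise_portal, idp, cookie, now=1)
    result["ise_authz"] = ise_authorize(attrs)  # the network access decision

    # 2. Internal app a minute later: the IdP session, not ISE, supplies the SSO.
    attrs, prompted = visit(internal_app, idp, cookie, now=60)
    result["app_prompted"], result["app_subject"] = prompted, attrs["subject"]

    # 3. Presenting the portal's assertion to the app fails: audience restriction.
    try:
        internal_app.consume(idp.assertion(cookie, ise_portal.entity_id, 60), 60)
        result["portal_token_accepted_by_app"] = True
    except ValueError:
        result["portal_token_accepted_by_app"] = False

    # 4. Once the IdP session times out, the next SP visit prompts again.
    _, prompted = visit(internal_app, idp, cookie, now=700)
    result["app_prompted_after_timeout"] = prompted
    return result
```

Running `sso_walkthrough()` shows the contractor prompted once at the portal, landed in the `Internet-Only` authorization result, then reaching the internal app without a prompt because the IdP session is still valid; the portal's own assertion is rejected by the app because it names a different audience, and after the session lifetime the app prompts again. Swapping in `alice` changes only the ISE authorization result, which is the point of the accepted answer: the SAML flow authenticates, the policy attached to the portal decides access.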