05-16-2019 04:59 AM - edited 05-16-2019 05:17 AM
Hello everyone,
We have the following use cases from a customer for POV. Looking for suggestions on below:
1. G-Suite SSO integration with ISE: The ISE document says it supports SAML for the following portals: Guest, Sponsor, My Devices, Certificate Provisioning. Though G-Suite is not in the tested list yet, is this integration possible? If yes, can we do it for internal users?
a) Additionally, ISE supports SSO for Guest and Sponsor users. SSO for Sponsor users makes sense to me, but what's the use case of having SSO for Guest users? Guest users are not in AD and they are not supposed to access any internal applications, so what's the point of doing SSO for Guest users?
b) I am trying to understand the SSO flow here and trying to relate it to the use case for internal users. In SAML, ISE acts as a Service Provider. So if we do it for Guest users, once the Guest is authenticated by the Identity Provider and SSO is done, does ISE open access to the rest of the internal HTTP/HTTPS applications? Or does it do SSO only for the Guest portal and not for any other application?
Thanks,
Rakesh Kumar
05-16-2019 08:46 AM
@raksec wrote:
1. G-Suite SSO integration with ISE: The ISE document says it supports SAML for the following portals: Guest, Sponsor, My Devices, Certificate Provisioning. Though G-Suite is not in the tested list yet, is this integration possible? If yes, can we do it for internal users?
JAK> If it works with one portal it should work with all, as they are part of SAML support; we are not going to test all vendors.
a) Additionally, ISE supports SSO for Guest and Sponsor users. SSO for Sponsor users makes sense to me, but what's the use case of having SSO for Guest users? Guest users are not in AD and they are not supposed to access any internal applications, so what's the point of doing SSO for Guest users?
JAK> For customers using web auth for contractors or employees that don't want to do dot1x. We have enterprises doing this; internet-only access from their personal devices is an example.
They are Central Web Auth (CWA) portals, not guest portals per se, and can be used many ways.
b) I am trying to understand the SSO flow here and trying to relate it to the use case for internal users. In SAML, ISE acts as a Service Provider. So if we do it for Guest users, once the Guest is authenticated by the Identity Provider and SSO is done, does ISE open access to the rest of the internal HTTP/HTTPS applications? Or does it do SSO only for the Guest portal and not for any other application?
JAK> You can decide how to open access depending on your authorization policies and segmentation strategy. The flow is not what does the controls; it's the access controls you attach to them.
05-16-2019 05:19 AM
Thanks Jason, created another one for device admin.
05-16-2019 10:08 PM
Thanks Jason.
I was looking for a use case to authenticate internal users with SSO through the guest portal.
For instance, we configure the guest portal for SAML to authenticate employees. Once the user authenticates to the guest portal, the user is redirected to the IdP login page. The user enters the login credentials and ISE receives the secure token from the IdP. Now the user tries to access an internal application. If the application is configured to authenticate users, ISE would play a role and the user would not need to re-enter the login credentials.
And I think that's not possible because ISE is a service provider in the SSO scenario.
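Added illustration of the SP-side check that sits behind this point; it is example code, not from ISE, Cisco or anyone in the thread. The entity IDs, the IdP URL and the SAML response are constructed, and the ISE portal URL is a hypothetical stand-in for the portal's assertion consumer URL.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical entity IDs: the ISE portal acting as SAML SP, and an internal app that is its own SP.
ISE_PORTAL_SP = "https://ise.example.com:8443/portal/SSOLoginResponse.action"
INTRANET_APP_SP = "https://intranet.example.com/saml/sp"
# Constructed sample response as the IdP would POST it to the ISE portal (XML signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2019-05-16T12:00:00Z" Destination="{ISE_PORTAL_SP}">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-05-16T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
    <saml:Subject><saml:NameID>employee@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-05-16T11:59:00Z" NotOnOrAfter="2019-05-16T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{ISE_PORTAL_SP}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value: str) -> datetime:
    # SAML uses UTC timestamps ending in Z; fromisoformat() needs +00:00 on Python < 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_for_sp(response_xml: str, sp_entity_id: str, now_iso: str) -> Optional[str]:
    """Return the asserted NameID if this response is usable by SP `sp_entity_id`, else None."""
    # No XML signature check here; a real SP must verify it against the IdP cert (use a SAML library).
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return None
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return None
    now = _parse_ts(now_iso)
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return None
    # Assertion is scoped to the ISE portal; another SP must reject it and send its own AuthnRequest.
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if sp_entity_id not in audiences:
        return None
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return name_id.text if name_id is not None else None
```

The same assertion is accepted by the ISE portal and rejected by the intranet app, so any "no re-login" experience at the second application comes from that application's own SAML exchange with the IdP, not from the token ISE received.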
04-03-2025 06:33 PM
Hi Team,
I am looking for an updated document on Google Workspace and ISE integration for 802.1X authentication. My customer's requirement is to authenticate via the client device hostname that is configured in the Google Workspace user profile.
Many Thanks
Rajeew