ISE and ADFS

Hagen Winck
Level 1

Hi,

I'm wondering about all these cloud services out there dealing with AD federations to provide users / companies with easy access and SSO functionality. I appreciate all work on ISE features like SAML support - however, are there any thoughts how to deal with ADFS?

Thanks,

Hagen

4 Replies

Jimmy Symoens
Level 1

Hi Hagen,

although it is not very well documented, SAMLv2-compliant IdPs are actually supported.

I have a customer running sponsor SSO via ADFS (although it took a month working with TAC to figure some stuff out).

As long as your ADFS deployment is v2, you should be able to leverage SSO functionality.

The key is mapping the correct attributes to ISE. It would be very cool if someone from Cisco could actually provide a list of the supported attributes and their exact name/function within ISE. This would facilitate mapping between systems.

It could be nice if we can get network logon information TO an SSO server; maybe PxGrid in the future?

Then again, use cases for this are pretty limited imo.

HTH,

Jimmy

Hi Jimmy,

very helpful. Let me explain my understanding of a typical SAML flow with SSO as the target:

ISE asks for and receives a security assertion from the IdP. ISE will be able to make policy decisions based on the response of the IdP (if ISE understands the sent attributes correctly). The user should not be prompted for login details as long as the security assertion is held by the IdP.

In an ISE environment this works only when the user is reaching out to the sponsor, guest, ... portals hosted on ISE.

The flow with regard to cloud services seems different: a user reaches out to "box.com", and to establish a security assertion the login is redirected to ADFS. The user authenticates against the corporate AD, gets access to "box.com", and is furthermore not prompted for creds again.

How could ISE be introduced here?

Thanks,

Hagen
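The two points above, Jimmy's that everything hinges on mapping the IdP's attributes to names the SP side understands, and Hagen's that ISE makes policy decisions from the assertion it receives, are illustrated by this added Python example (not code from the thread, Cisco ISE or ADFS). It parses a constructed SAML 2.0 Response the way an SP would, enforces the Audience and validity-window conditions, and maps ADFS claim URIs to hypothetical short attribute names; the ISE-side names and the audience URL are placeholders, and XML signature verification is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical mapping: ADFS claim URIs -> short names our SP policy uses.
# The attribute names ISE itself expects are not on the page; these are placeholders.
CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/claims/Group": "groups",
}

def _ts(s):
    # SAML timestamps are UTC ISO 8601; drop fractional seconds and the trailing 'Z'.
    s = s.rstrip("Z").split(".")[0]
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def extract_identity(response_xml, expected_audience, now=None):
    """Return {'subject', 'attrs'} from an assertion that is inside its validity
    window and addressed to expected_audience; raise ValueError otherwise.
    The XML signature is NOT verified here; the SP must do that before trusting anything."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion or its Conditions missing")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = CLAIM_MAP.get(attr.get("Name"))
        if key is None:
            continue  # unmapped claim: silently dropped, the usual cause of "no policy match"
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[key] = values[0] if len(values) == 1 else values
    return {"subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attrs": attrs}

# Constructed sample, shaped like an ADFS SAML 2.0 Response (signature omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID>hagen@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://ise.example.com/sponsor</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions><saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>hagen@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"><saml:AttributeValue>Sponsors</saml:AttributeValue>
    <saml:AttributeValue>Staff</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Unmapped claims are dropped, so a claim ADFS issues under a URI the SP side does not know simply never reaches policy; that is the symptom the attribute-name list Jimmy asks for would prevent.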

Maybe you could get more context info with Passive-ID, assuming that there is no network-based logon through ISE.

If it is an AD-based auth from the cloud service, Passive-ID will normally be able to get you some user context, but this is just a theory at the moment. Not sure if this will be picked up by the AD agent.

I could be wrong, but I don't think it works with ADFS natively.

Not sure what ISE would do with this info though.

Keep in mind what ISE is set out to do.

ISE is still a RADIUS server at the heart. If a user authenticates to box.com, I kind of have to assume network connectivity is already established.

ISE will indeed be able to use the SAML assertions for its own portals. It is the IdP that keeps track of these assertions...

Can you elaborate on a use case to make sure I understand correctly?

Yes, you are right, ISE comes from the corporate NAC side, which is different from the cloud side. I will work on a use case; shortly I will have a confcall with Dropbox and the customer, and I hope this will shed some light...