Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3058
Views
30
Helpful
5
Replies

Ise Guest Portal and azure SSO

Xeladona
Level 1
Level 1

‎09-22-2021 01:38 AM - edited ‎09-28-2021 01:38 PM

Hi Guys,

 

i have configured a suest porta integrated with aziure SSO.

I followed this link:

 

https://community.cisco.com/t5/security-documents/ise-byod-flow-using-azure-ad/ta-p/4400675

 

if i test from portal test it looks like working fine but if i try from a PC i'm rediretted to azure login page and after succesful login i'm rediretced to ise page:

https://ISE/8443/portal/SSOLoginResponse.action and i get an HTML page (i have two ise...)

 

 

<HTML>
<HEAD>

<TITLE>Access rights validated</TITLE>
</HEAD>
<BODY onLoad="document.forms[0].submit()">
<FORM METHOD="POST" ACTION="https://ISE:8443/portal/SSOLoginResponse.action">
<INPUT TYPE="HIDDEN" NAME="SAMLResponse" VALUE="PHNhbWxwOlJlc3BvbnNlIElEPSJfNzlkNjZmMzctMmIwOS00NDU5LWJhYTAtMWQ5NWU3NzE4NDRhIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAyMS0wOS0yMlQwNzozNToyNy4wMzdaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9jcC1pc2UuaW50LmdlZGkuaXQ6ODQ0My9wb3J0YWwvU1NPTG9naW5SZXNwb25zZS5hY3Rpb24iIEluUmVzcG9uc2VUbz0iX2M4NzkzYjc3LWMxOGMtNDg3YS1hNzFiLTVjMDI1ZmQ1YTgxZV9ERUxJTUlURVJwb3J0YWxJZF9FUVVBTFNjODc5M2I3Ny1jMThjLTQ4N2EtYTcxYi01YzAyNWZkNWE4MWVfU0VNSXBvcnRhbFNlc3Npb25JZF9FUVVBTFMwMDRlMmMyMC1mZjNhLTQwNGItYmMyNS03NGY0MjZmZmFlNmVfU0VNSXRva2VuX0VRVUFMU0xST1JaVDJaRVA2TENRNFpKSzdLRk5aUjRVOU5NVThJX1NFTUlyYWRpdXNTZXNzaW9uSWRfRVFVQUxTNUI2OUZBMEEwMDAwMEM3NjBDNkU0NUE2X1NFTUlfREVMSU1JVEVSY3AtaXNlLmludC5nZWRpLml0IiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL3N0cy53aW5kb3dzLm5ldC9hYTMyMmNjNi0wZTQzLTQ4MWUtOGI5Zi0xYTAwMmVkNmRhNGUvPC9Jc3N1ZXI+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PEFzc2VydGlvbiBJRD0iX2Q5MWI4ZWE4LWEyNGUtNGM2My1hMjVkLWI1MjU1NTYxMGUwMCIgSXNzdWVJbnN0YW50PSIyMDIxLTA5LTIyVDA3OjM1OjI3LjAyMloiIFZlcnNpb249IjIuMCIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxJc3N1ZXI+aHR0cHM6Ly9zdHMud2luZG93cy5uZXQvYWEzMjJjYzYtMGU0My00ODFlLThiOWYtMWEwMDJlZDZkYTRlLzwvSXNzdWVyPjxTaWduYXR1cmUgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxTaWduZWRJbmZvPjxDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PFNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48UmVmZXJlbmNlIFVSST0iI19kOTFiOGVhOC1hMjRlLTRjNjMtYTI1ZC1iNTI1NTU2MTBlMDAiPjxUcmFuc2Zvcm1zPjxUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L1RyYW5zZm9ybXM+PERpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3NoYTI1NiIvPjxEaWdlc3RWYWx1ZT56NUxuaUp2R2pKSndXMkdvbUlKN0l5Wm9sQ1lKdStIbXVGUXpDRmptZmNrPTwvRGlnZXN0VmFsdWU+PC9SZWZlcmVuY2U+PC9TaWduZWRJbmZvPjxTaWduYXR1cmVWYWx1ZT5iUkEwb2s0cHMwOEdmUmZOZUZGbStuS2R3YUNDWVFETlg2NThIV0liaHZtM3l3QW1IS0M5c080ZlZ6dTg4QTdyWkZ1eHNxMzhMeEllVWYxdW5Ga2RPcmU5bkVXc2htMEdPUUp3ekRmTDk3TnpWUWdzdE11WTNDODVaZXBUWWtQNFV3ZEZJVlRpYVJTak85NE9oRlJ2ZmxibjY1bkoxRG9sbzFNVE5hWlJqR0ZEbkpGZGZXdWFvRUdrVnFNZUE1bUVlL3NTNldqMkJKY2s4NTdHVmc0RDhWbUdtTmgvbnFuaDh5a3I3aDl6cGp5dmNieDZ4cUp0eCtnUDk5NmRCa0ZYYkdaKzB5TDFPWWlsQjJOWkczZEVzeTdKOXNrN2pId1RoUWVJbnAvc0hpendMSnlJWSt3V1NhdWptR3NGU0RWVkRGZEdXdzJpRXUzVE1TeWFuQytnY0E9PTwvU2lnbmF0dXJlVmFsdWU+PEtleUluZm8+PFg1MDlEYXRhPjxYNTA5Q2VydGlmaWNhdGU+TUlJQzhEQ0NBZGlnQXdJQkFnSVFLWWRmZERjanJxaEFOQVNpNjVNOUV6QU5CZ2txaGtpRzl3MEJBUXNGQURBME1USXdNQVlEVlFRREV5bE5hV055YjNOdlpuUWdRWHAxY21VZ1JtVmtaWEpoZEdWa0lGTlRUeUJEWlhKMGFXWnBZMkYwWlRBZUZ3MHlNVEE1TWpBeE16QTNNVFJhRncweU5EQTVNakF4TXpBM01UUmFNRFF4TWpBd0JnTlZCQU1US1UxcFkzSnZjMjltZENCQmVuVnlaU0JHWldSbGNtRjBaV1FnVTFOUElFTmxjblJwWm1sallYUmxNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXp2Uk1HMXRyV2tLRjhoV3krWTdnZUxBTjI5OEFIcmtBK2xhWklTZDErSzc0ejFSRGwyU04yejFXUy9Fek5Da2kzUzN6RW5SbzA2eWdFWCtMQ1BNRTZTMHo1eEVJVDFNRTFpcUZreFQyNWVVZFRpWFlEdksvWDF3aGR6Z0c2aXlyQllZQVhVNlJlVWk1ZVRlMWRhVGowOHRLbUpVUlFJRGYvU1c4c0VQdFhMUVl1TVdyNVNLTFBEZVBXTnRPZTFLWXVPN29JdUtZWi8zRWxML1lQQ0pjWUxLOThITGR3TEVtU05jdnh5cEJXc1dBNVZEcHEzaEcrWS9HYXdYMm9icmJmSE1tNHdXTEFUQ0Z0Z3NYRzVjM2wrQjA2VkpIbWc0K3J3NVJGQTN4Tkp5T3JTSDRPQU9KRko0ZmtEcmdodTZGTXpLYmg5MVVDYVRtUVZMT00xUzRzUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ0poQ2xQMkMxOUdmRmorRlovbTdNbDlKSmxrd0VrQ05IeG92NE9JN2lnRUNwdlcxSVpBMnFQUE1WZUNiZ01JbjB3MGwrSndjRzh1NFZjSEFEZzdwQlA5Nkk5cGUvTUNTL2NMenh4cDIwaE5NajJuYlB1ZDI4U3dvWGVHcnROU2I3ZFRkWFBPL3N5SmlFMmhtNWdmQnRvcjM4aGlyMTgvWStQWjFlb2RyTnEwSE1Ra3kwdWV2bW8yUklmWm01OW9LNHNhYjhHZVhVbUdNZTJnM2Q5THN2bUI4UExNaHRwU1l0Ym1qYXAwazZnaWl5MXRKRWZWVGVZNE9CSld0Slh1WFFWU1dUNVJvU1o5RGd1SEhjbkRxU1BwMmNZUTVzMld6aGd5Y3hZR2JxZWdJTGEwS1NtNEtjUVJnQ3N0RFEvQm9UckVFNXBVNXJNUFQ3dm1BM2QwNnhRPC9YNTA5Q2VydGlmaWNhdGU+PC9YNTA5RGF0YT48L0tleUluZm8+PC9TaWduYXR1cmU+PFN1YmplY3Q+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+dXRlbnRlaXNlQGdlZGlzcGEub25taWNyb3NvZnQuY29tPC9OYW1lSUQ+PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJfYzg3OTNiNzctYzE4Yy00ODdhLWE3MWItNWMwMjVmZDVhODFlX0RFTElNSVRFUnBvcnRhbElkX0VRVUFMU2M4NzkzYjc3LWMxOGMtNDg3YS1hNzFiLTVjMDI1ZmQ1YTgxZV9TRU1JcG9ydGFsU2Vzc2lvbklkX0VRVUFMUzAwNGUyYzIwLWZmM2EtNDA0Yi1iYzI1LTc0ZjQyNmZmYWU2ZV9TRU1JdG9rZW5fRVFVQUxTTFJPUlpUMlpFUDZMQ1E0WkpLN0tGTlpSNFU5Tk1VOElfU0VNSXJhZGl1c1Nlc3Npb25JZF9FUVVBTFM1QjY5RkEwQTAwMDAwQzc2MEM2RTQ1QTZfU0VNSV9ERUxJTUlURVJjcC1pc2UuaW50LmdlZGkuaXQiIE5vdE9uT3JBZnRlcj0iMjAyMS0wOS0yMlQwODozNToyNi44OTdaIiBSZWNpcGllbnQ9Imh0dHBzOi8vY3AtaXNlLmludC5nZWRpLml0Ojg0NDMvcG9ydGFsL1NTT0xvZ2luUmVzcG9uc2UuYWN0aW9uIi8+PC9TdWJqZWN0Q29uZmlybWF0aW9uPjwvU3ViamVjdD48Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjEtMDktMjJUMDc6MzA6MjYuODk3WiIgTm90T25PckFmdGVyPSIyMDIxLTA5LTIyVDA4OjM1OjI2Ljg5N1oiPjxBdWRpZW5jZVJlc3RyaWN0aW9uPjxBdWRpZW5jZT5odHRwOi8vQ2lzY29JU0UvYzg3OTNiNzctYzE4Yy00ODdhLWE3MWItNWMwMjVmZDVhODFlPC9BdWRpZW5jZT48L0F1ZGllbmNlUmVzdHJpY3Rpb24+PC9Db25kaXRpb25zPjxBdHRyaWJ1dGVTdGF0ZW1lbnQ+PEF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2lkZW50aXR5L2NsYWltcy90ZW5hbnRpZCI+PEF0dHJpYnV0ZVZhbHVlPmFhMzIyY2M2LTBlNDMtNDgxZS04YjlmLTFhMDAyZWQ2ZGE0ZTwvQXR0cmlidXRlVmFsdWU+PC9BdHRyaWJ1dGU+PEF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2lkZW50aXR5L2NsYWltcy9vYmplY3RpZGVudGlmaWVyIj48QXR0cmlidXRlVmFsdWU+YWQyMjk5ODgtNjRiOS00YjAwLWJhN2YtMDUyMmNmMTRhOTkyPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vaWRlbnRpdHkvY2xhaW1zL2Rpc3BsYXluYW1lIj48QXR0cmlidXRlVmFsdWU+VXRlbnRlIElzZTwvQXR0cmlidXRlVmFsdWU+PC9BdHRyaWJ1dGU+PEF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2dyb3VwcyI+PEF0dHJpYnV0ZVZhbHVlPjA0ZWJiNzFjLWM4ZDQtNDFiNS05ZmIxLWYzYjM5YzU0MzFkODwvQXR0cmlidXRlVmFsdWU+PC9BdHRyaWJ1dGU+PEF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2lkZW50aXR5L2NsYWltcy9pZGVudGl0eXByb3ZpZGVyIj48QXR0cmlidXRlVmFsdWU+aHR0cHM6Ly9zdHMud2luZG93cy5uZXQvYWEzMjJjYzYtMGU0My00ODFlLThiOWYtMWEwMDJlZDZkYTRlLzwvQXR0cmlidXRlVmFsdWU+PC9BdHRyaWJ1dGU+PEF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2NsYWltcy9wOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9zdXJuYW1lIj48QXR0cmlidXRlVmFsdWU+SXNlPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWUiPjxBdHRyaWJ1dGVWYWx1ZT51dGVudGVpc2VAZ2VkaXNwYS5vbm1pY3Jvc29mdC5jb208L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjwvQXR0cmlidXRlU3RhdGVtZW50PjxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjEtMDktMjFUMTI6NTc6NDEuODg4WiIgU2Vzc2lvbkluZGV4PSJfZDkxYjhlYTgtYTI0ZS00YzYzLWEyNWQtYjUyNTU1NjEwZTAwIj48QXV0aG5Db250ZXh0PjxBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvQXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9BdXRobkNvbnRleHQ+PC9BdXRoblN0YXRlbWVudD48L0Fzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==">
<INPUT TYPE="HIDDEN" NAME="RelayState" VALUE="_c8793b77-c18c-487a-a71b-5c025fd5a81e_DELIMITERportalId_EQUALSc8793b77-c18c-487a-a71b-5c025fd5a81e_SEMIportalSessionId_EQUALS004e2c20-ff3a-404b-bc25-74f426ffae6e_SEMItoken_EQUALSLRORZT2ZEP6LCQ4ZJK7KFNZR4U9NMU8I_SEMIradiusSessionId_EQUALS5B69FA0A00000C760C6E45A6_SEMI_DELIMITERcp-ise.int.xxx.it">
<NOSCRIPT><CENTER>
<INPUT TYPE="SUBMIT" VALUE="Submit SAMLRequest data"/></CENTER></NOSCRIPT>
</FORM></BODY></HTML>

 

any tips to solve yhis issue?

Labels:
5 Replies 5

marce1000
VIP
VIP

‎09-22-2021 04:48 AM

 

 - What's you ISE-version ?

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Xeladona
Level 1
Level 1
In response to marce1000

‎09-22-2021 05:00 AM

Ise 3.0 patch 2

 

It look like browser does not send to ise the SSO response

Because the body of the html code i posted looks like to be azure repsonse the browser should send to ise

 

Greg Gibbs
Cisco Employee
Cisco Employee
In response to Xeladona

‎09-22-2021 03:32 PM

The client browser does not send any response to ISE. The communication happens between ISE and AzureAD via SAML/OAuth. There is not enough information here to provide much meaningful help. It's possible the session is stuck in a redirect loop, but we would need much more information about your setup (ISE architecture diagrams, flow diagrams for what you're trying to achieve, screenshots of your policies, debug logs, packet captures, etc.).

If it gets the point of examining packet captures and debug logs, you might be better off opening a TAC case to investigate.

Xeladona
Level 1
Level 1
In response to Greg Gibbs

‎09-22-2021 04:11 PM

Hi Greg,

 

first of all thank you for your kindly reply.

I do not completly agree when you say "The communication happens between ISE and AzureAD via SAML/OAuth" (browser shoudl relay assertion from Azure to ISE) but problay you are right(azure works in a different way).

Probably TAC colud help us

again many many thx

Regards

 

 

 

Xeladona
Level 1
Level 1

‎09-29-2021 07:01 AM

Hi Guys,

 

TAC confirmed it is a BUG CSCvy81435

Soon i'm going to patch ISE (new release reòeased today) and will let you know about this issue

Bye

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents