07-30-2018 11:37 AM - edited 03-11-2019 01:47 AM
Team,
We have a situation where a SAML/Shibboleth server was moved to AWS, while ISE is still on the internal network. This has caused a situation where ISE is rejecting the authentication of some clients based on the way they connect to the network, because Shibboleth sees a different IP address for the client than ISE does.
Is there a way to turn this IP check off in ISE?
2018-07-30 10:29:09,246 DEBUG [http-bio-172.16.253.240-8448-exec-3][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- AuthenticatePortalUser - Session:null IDPResponse:
IdP ID: SAMLConfig
SAML Status Code:urn:oasis:names:tc:SAML:2.0:status:Success
SAML Success:false
SAML Status Message:null
SAML email:
SAML Exception:Subject Confirmation Data address 150.135.165.24 does match client address 150.135.112.40
07-30-2018 01:41 PM
From my understanding, the saml2:SubjectConfirmationData in a SAML response from the IdP should be validated by the service provider. I do not think ISE has an option for this, while ISE portals have tested OK with cloud-based IdPs, such as Azure AD, PingOne, and Okta.
From Exception when interworking between Shibboleth IDP and Geneva Beta 2, it seems ADFS 2.0 did ignore the IP address, as no one was able to make Shibboleth stop sending the IP address in the SubjectConfirmationData. Thus, you might consider asking for an enhancement in ISE.
I will check with our engineering and update.
Meanwhile, I guess you would have to find a way to make the same IP address shown from the client browser to ISE and to Shibboleth. Use other interfaces on ISE, maybe?
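To make the service-provider-side check concrete, here is an added Python illustration of what a SAML SP does with SubjectConfirmationData. It is not ISE's or Shibboleth's code; it uses a constructed SAML response carrying the two addresses from the log above and a hypothetical assertion consumer URL (ise.example.invalid). The Address comparison is the piece that fails once a NAT sits between the IdP and the SP; the NotOnOrAfter and Recipient checks are what still bind the bearer assertion to this SP and to a short validity window if an SP ever exposes a switch to skip the Address comparison (the `check_address` flag here is an assumption for illustration, not an ISE setting).

```python
"""Service-provider-side validation of SAML 2.0 bearer SubjectConfirmationData.

Added illustrative code, not ISE's or Shibboleth's implementation. The IdP
stamps the client address it observed into SubjectConfirmationData/@Address;
the SP compares it with the client address it observes itself. When the IdP
sees the client through a NAT (here 150.135.165.24) and the SP sees the real
VPN address (150.135.112.40), the comparison fails.
"""
import datetime as dt
import ipaddress
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical assertion consumer URL used by this example.
SAMPLE_ACS = "https://ise.example.invalid/portal/SSOLoginResponse.action"
# Constructed response: Address is the NAT address the IdP saw.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2018-07-30T17:29:00Z" Destination="{SAMPLE_ACS}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-07-30T17:29:00Z">
    <saml:Issuer>https://idp.example.invalid/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Address="150.135.165.24"
            NotOnOrAfter="2018-07-30T17:34:00Z" Recipient="{SAMPLE_ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# Constructed clock values: inside and after the assertion's validity window.
SAMPLE_NOW = dt.datetime(2018, 7, 30, 17, 29, 9, tzinfo=dt.timezone.utc)
SAMPLE_LATER = dt.datetime(2018, 7, 30, 17, 40, 0, tzinfo=dt.timezone.utc)


def _parse_utc(value):
    """Parse a SAML xs:dateTime given in UTC ('Z'), with or without fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC timestamp, got {value!r}")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(body, fmt).replace(tzinfo=dt.timezone.utc)


def _same_host(a, b):
    """Compare two address strings as IP addresses when possible, else literally."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a == b


def validate_subject_confirmation(response_xml, client_address, expected_recipient,
                                  now, check_address=True):
    """Return a list of failure strings for every bearer confirmation; empty means it passes."""
    root = ET.fromstring(response_xml)
    failures = []
    bearer = [c for c in root.findall(".//saml:SubjectConfirmation", NS)
              if c.get("Method") == BEARER]
    if not bearer:
        return ["no bearer SubjectConfirmation in assertion"]
    for conf in bearer:
        scd = conf.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            failures.append("bearer SubjectConfirmation without SubjectConfirmationData")
            continue
        # Recipient binds the assertion to this SP's consumer endpoint.
        recipient = scd.get("Recipient")
        if recipient != expected_recipient:
            failures.append(f"Recipient {recipient} does not match ACS URL {expected_recipient}")
        # NotOnOrAfter bounds how long the bearer assertion can be presented.
        not_on_or_after = scd.get("NotOnOrAfter")
        if not_on_or_after is None:
            failures.append("NotOnOrAfter missing")
        elif now >= _parse_utc(not_on_or_after):
            failures.append(f"assertion expired at {not_on_or_after}")
        # Address ties the assertion to the client the IdP saw; this is the
        # comparison a NAT between IdP and SP breaks.
        address = scd.get("Address")
        if check_address and address is not None and not _same_host(address, client_address):
            failures.append(f"Subject Confirmation Data address {address} "
                            f"does not match client address {client_address}")
    return failures


if __name__ == "__main__":
    for client in ("150.135.112.40", "150.135.165.24"):
        print(client, validate_subject_confirmation(SAMPLE_RESPONSE, client, SAMPLE_ACS, SAMPLE_NOW))
```

Run as a script it prints the failure for the VPN client address and an empty list for the NAT address. Skipping the Address comparison only removes the binding to the observed client; the Recipient and NotOnOrAfter checks, plus signature validation (omitted here), are what the SP must keep regardless.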
07-30-2018 01:50 PM
>>Use other interfaces on ISE, maybe?
The problem is the customer wants to make MyDevices accessible only internally (10.132.X.X) or via VPN (150.135.112.X), but the Shibboleth server is now in AWS, so all users get NAT'd to 150.135.165.X. The extra ISE interface would have to be on the other side of the NAT and have a public IP, then ACLs/FW rules to only let internal users hit it... It might be easier to just keep one Shibboleth on prem for this purpose.
The request from the Shibboleth team was to see if ISE could stop doing the IP check, sounds like the answer to that is no... So we can evaluate other options.
Thanks.
07-30-2018 02:03 PM
Why not a site-to-site VPN to AWS, so that Shibboleth acts as if it were on-prem?