11-22-2024 07:20 PM
Hey Guys,
I have three Cisco ISE nodes set up in a distributed deployment (1 PAN, 1 PSN, & 1 MnT).
I'm trying to implement SSO on these nodes and coming across a barrier that I just can't seem to solve at the very last step of the process...
On the main log-in screen, once the "Log In with SAML" option is clicked on the PAN, I'm automatically redirected to the PSN where Microsoft then prompts me to enter my network credentials.
After keying that information in, Microsoft Authenticator then kicks in where a one-time passcode is sent to my phone and I input that data as well.
But instead of logging me in and taking me to the Dashboard console, it just loops and carries me right back to the main log-in screen on the PAN & MnT GUI.
On the PSN, however, it gives me an "Access Denied" on the GUI.
I've used this link as my source:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217342-configure-ise-3-1-ise-gui-admin-login-fl.html (Configure ISE 3.1 Admin Log in Flow via SAML SSO with Azure AD)
Any comments/tips/feedback would be GREATLY appreciated!
11-23-2024 12:08 AM
Have you looked at the troubleshooting logs mentioned in the document to see any clue or direction?
11-27-2024 05:58 AM
Yes, so here's an update on this issue...
I found this document here: https://community.cisco.com/t5/network-access-control/cisco-ise-multiple-portals-login-via-azure-ad-saml/td-p/4900812
After implementing what Greg had advised to do, SSO "worked", but it only did so on the PAN. The PSN and MnT nodes in my deployment were getting an "Access Denied" error when the SSO functionality should be seamless across the board.
I then synced the PSN and MnT nodes to the PAN, but right after I did that, I started getting an "Access Denied" on the PAN as well. I also noticed the following debug lines on the PAN:
2024-11-26 13:12:38,780 INFO [admin-http-pool31][[]] cpm.admin.infra.action.LoginAction -:::::- Login action:: SAML group name is null, hence SAML Administrator authentication failed
2024-11-26 13:12:38,781 INFO [admin-http-pool31][[]] cpm.admin.infra.action.LoginActionResultHandler -:::::- Redirected to: /admin/login.jsp?mid=access_denied
At the same time, I am confident that the Group Object ID that's provided in Azure is tied to the Super Admin profile in the ISE GUI.
It looks like Azure isn't passing the claim so that the claim is being referenced (???)
Any further help/insight would be greatly appreciated.
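One way to confirm whether the assertion Azure sends actually carries the group claim (the condition behind "SAML group name is null"), as an added diagnostic and not code from Cisco or from anyone in this thread: decode the SAML response captured from the browser (e.g. with a SAML tracer extension) and run the attribute check below over it. The assertion, user and Group Object ID here are constructed sample data, and the groups claim name is the Entra ID default, which is assumed to be what ISE is configured to match.

```python
"""Check a decoded SAML assertion for the group claim ISE admin login needs."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default group claim name Entra ID emits (assumed to match the ISE IdP config).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def sample_assertion(group_ids):
    """Constructed sample assertion; an empty list omits the groups claim entirely."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_ids)
    groups = f'<saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>' if group_ids else ""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{NAME_CLAIM}">'
        "<saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>"
        f"{groups}</saml:AttributeStatement></saml:Assertion>"
    )


def attributes(assertion_xml):
    """Return {attribute Name: [values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(vals)
    return out


def check_group_claim(assertion_xml, expected_group_id, claim=GROUPS_CLAIM):
    """Classify why ISE would (or would not) find a group for this assertion."""
    attrs = attributes(assertion_xml)
    if claim not in attrs:
        # This is the case that matches "SAML group name is null": the IdP sent
        # no groups attribute at all, so ISE has nothing to map to an admin group.
        return f"missing: no '{claim}' attribute; attributes present: {sorted(attrs)}"
    if expected_group_id not in attrs[claim]:
        return f"mismatch: {claim} carries {attrs[claim]}, not {expected_group_id}"
    return "ok"


if __name__ == "__main__":
    # Constructed Object ID, not a real tenant value.
    print(check_group_claim(sample_assertion([]), "00000000-0000-0000-0000-000000000001"))
```

If the result is "missing", the fix is on the Azure side (the group claim is not being emitted for this application); if it is "mismatch", the claim is emitted but under a different attribute name or with a different Object ID than the one mapped to Super Admin in ISE.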