Solved: Passive ID Mapping and SAML SSO

ccotting · ‎09-14-2016

Looking for some input on a use case we’re attempting configure.

Use Case:

Auth device via endpoint cert = permit and redirect to IdP for user auth

User auth successful = permit and apply dacl per AD group mapping

Problem: IdP is home grown, only able to pass back the user ID and email address in the assertion

Question: Understanding passive ID has a restriction of CWA not being supported, since we are doing machine auth via the certificate, are we able to do the following:

Auth Z

Use case = guest flow = permit (reauth occurs) - COA reauth result

CWA auth’d & posture unknown = posture

Posture=compliant & passiveid=ad group x then dacl

Machine in AD group X = permit, redirect to SSO for auth

hslai · ‎09-14-2016

Passive ID in ISE 2.1 is not vetted for DOT1X so might not work well with machine auth.

View solution in original post

hslai · ‎09-14-2016

Passive ID in ISE 2.1 is not vetted for DOT1X so might not work well with machine auth.

Jason Kunst · ‎09-14-2016

What about Machine cert + CWA?

Passive ID Mapping and SAML SSO

AnyConnect: Azure AD SAML SSO

Quick Guide:Configuring SSO in ThousandEyes with MS Entra and SAML JIT

Updated SAML Certificate Web Security and ZTA is now available

Anyconnect VPN SAML SSO with Azure IdP, Multi-Tunnel Groups

SAML Certificate for SWG User Identity Expiring May 13, 2025