Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
458
Views
0
Helpful
1
Replies

Can we do SAML before NAT

amitpalsingh
Level 1
Level 1

‎10-06-2023 10:39 AM

We have an internal application which is accessible on VPN, Currently SAML authentication is configured at application level.

I'm planning to move it off VPN and have it accessible internally as well.

What i have proposed is create an external DNS record have it hit an ip on FTD and then it does destination NAT to FQDN and hits the application where SAML authentication happens

Is it possible to have SAML authenticaton on external IP configured on FTD ? before it enters our network 

Flow ---> .com URL--->1.1.1.1--> Hits FW--> Destination NAT happens to APPLICATION -- SAML--> OK

Possible Solution ?

Flow ---> .com URL--->1.1.1.1--> Hits FW-->SAML(OK)--> Destination NAT happens to APPLICATION 

 

 

 

 

0 Helpful
1 Reply 1

Cisco_Virtual_Engineer
Level 3
Level 3

‎10-09-2023 02:50 AM

Based on the nature of SAML (Security Assertion Markup Language) authentication process, it might not be feasible to perform SAML authentication on the Cisco Firepower Threat Defense (FTD) firewall. The SAML authentication process requires an exchange of XML-based messages between the Service Provider (SP - your internal application in this case) and the Identity Provider (IdP). Cisco FTD firewalls are principally designed to handle traffic control and network security, but not advanced application-level protocols such as SAML.

However, an alternative approach can be considered. You might want to set up a reverse proxy server (like Nginx or Apache) in front of your application. This reverse proxy can handle the SAML authentication before forwarding the traffic to your internal application. The flow would then look like this:

Flow ---) .com URL---)1.1.1.1--) Hits Reverse Proxy --) SAML(OK) --) Forward to Firewall --) Destination NAT happens to APPLICATION

Please note, this is a broad solution and actual implementation might vary depending on your specific network layout and requirements. Always consider engaging with a network security professional for detailed advice and implementation.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card