Remote Access: Realm "Discovered Identities" using SAML

t1m1

Hello,

I have set up an FTD managed by cdFMC for remote access VPN.
For authentication I use SAML with Azure AD as an IdP. The authentication itself is working fine, but the user identity of the session viewed in FMC has "Discovered Identities" as its realm.
I also have an AD realm with LDAP configured in the FMC, and it is also used for authorisation for Group Policy assignment.
An Azure AD realm is also configured. And using ISE is not an option for me.

When using RADIUS I get "AD-Realm\username", but using SAML I just get "Discovered Identities\username".
I want to use the user identity for the ACL.

What am I missing to fix this? 


Please bear with me on this. I think the reason why it's showing as "discovered identities" with SAML is because the FMC would have direct visibility of the users' context in this case, and their contexts get passed from a third party, Azure in this case. If memory serves, that was the case with the old Firepower agent. On the other side, with an LDAP realm configured on the FMC, the queries will be done directly by the FMC to the AD. In that case there is no broker for the FMC to get those contexts. Either way you should still be able to configure the rules with the user IDs, I assume.

I have the Azure AD realm added into the FMC. It can download the users and groups. But when logging in with RA-VPN the user isn't linked to the realm for ACLs.
The realm has two options. I try to use Authenticate with [...] RA-VPN:

[screenshot: t1m1_0-1751881131914.png]

Official documentation only refers to ISE. No documentation for a SAML realm for RA-VPN.
I don't know why it is stated in the realm configuration if it would not be possible.

Is it even possible? And if so, how do I need to configure it?

Do you use mapping of SAML attribute to group-policy?

MHM

Currently this is done with LDAP on the AD.
SAML is just for authentication, and it can't be applied for authorisation.
But even with this setup the FMC doesn't recognize the realm of SAML, even if the realm is added to the FMC.
I suppose it isn't meant to work like this. But I don't want to give up yet. That's the reason for this post.

Sure, it does not recognize a SAML realm because there is nothing like this.

I will check group-policy using SAML and update you

Good luck and thanks for waiting

MHM

My problem is not the group policy assignment. The problem is the user identity.
The FMC knows the users from "SAML - Azure AD" realm and the users are authenticated by the same SAML IdP. Yet somehow it won't link the users to the realm for ACLs. 

When I login via SAML SSO I get this for my user activity:

[screenshot: t1m1_0-1751887976037.png]

The SAML - Azure AD realm is set up with this type:

[screenshot: t1m1_1-1751888140945.png]

And users are logging in like this: "username@example.com". I can't add the realm to the SSO-server object like I can do with RADIUS.
Is there a SAML attribute missing that states the realm of the users, or why doesn't it link the users to the realm?

The "Remote Access Remark" slide gave me the right hint to make it work.
The "SAML - Azure AD" realm is probably useless, but I could link it to the AD/LDAP realm.

I had to change the Unique User Identifier in the SAML claims to username@<AD.local> with the join() transformation.
Now the FMC links the SAML session to my on-prem AD.

I hope it will be possible to link it to the "Azure AD" realm in the future to encapsulate it from the on-prem AD.
This works for now. But I won't give up on the "Azure AD" realm yet.
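The fix above hinges on the IdP emitting a NameID of the form username@<AD domain> so the FMC can map the session to the LDAP realm rather than "Discovered Identities". The following is an added example, not code from the thread or from Cisco, that parses a SAML response and checks that condition before the change is rolled out; the realm domain "ad.local" and the sample assertion are constructed placeholders, and join_upn() only emulates the join() claim transformation locally.

```python
"""Verify that a SAML assertion's NameID carries the realm suffix the FMC needs."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of the relevant part of an IdP response (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@ad.local</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def join_upn(samaccountname: str, realm_domain: str) -> str:
    """Emulate the join() claim transformation: <user>@<realm_domain> (assumed AD domain)."""
    return f"{samaccountname}@{realm_domain}"


def extract_name_id(response_xml: str) -> str:
    """Return the NameID text of the first assertion, or '' if none is present."""
    root = ET.fromstring(response_xml)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return (node.text or "").strip() if node is not None else ""


def name_id_matches_realm(name_id: str, realm_domain: str) -> bool:
    """True when NameID is user@<realm_domain>; the domain part is compared case-insensitively."""
    user, sep, domain = name_id.rpartition("@")
    return bool(user) and sep == "@" and domain.lower() == realm_domain.lower()


def check_response(response_xml: str, realm_domain: str) -> tuple[str, bool]:
    """Extract the NameID and report whether it would map to the given realm."""
    nid = extract_name_id(response_xml)
    return nid, name_id_matches_realm(nid, realm_domain)


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "ad.local"))
```

Run it against a decoded SAMLResponse captured from a test login; a NameID without the AD suffix is the symptom the thread describes.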

We as a community try to do our best to help each other.

Happy the issue is finally solved.

Have a nice day 

MHM
