User Role Mappings -> FMC with SAML login (ADFS)

petter.miller
Level 1

Hi!

Has anyone successfully set up Firepower Management Center with SSO (SAML with ADFS) together with Group Role Mapping? If so, do you have any good guide or other reference material? Have tried to figure it all out using Cisco documentation but have been unsuccessful.

I've managed to successfully authenticate users using ADFS but I can't get the role mapping to work. Have tried to use "Group Member Attribute = role" but don't get any matches. Every user falls back to "Default User Role".


Thanks!

1 Reply

mobartz
Level 1

Petter and anyone else who might stumble across this. I had to create a custom transform rule to make this work. Three total rules on ADFS side:

1 - Send LDAP Attributes as Claims - E-Mail-Addresses --> E-Mail Address
2 - Transform an Incoming Claim - E-mail Address --> Name ID with Email format
3 - This custom rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("UserRole"), query = ";tokenGroups;{0}", param = c.Value);

That sends all of the user's groups to the FMC. I also created a specific access control policy so that only users in the FMC admin or read-only groups could authenticate at all.

On the FMC side, Group Member Attribute is set to UserRole. Then I matched the names of the AD groups that I'm using for Administrator and Security Analyst (Read Only). Users in those groups get those roles. Any other users should never get to the FMC because they are stopped by ADFS.

I hope that helps someone who needs this too.
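To see why the attribute name has to line up exactly between the ADFS rule and the FMC "Group Member Attribute" field, here is an added example (not code from the poster, from Cisco or from FMC) that models the FMC-side lookup over a constructed SAML assertion. The assertion, the AD group names FMC-Admins / FMC-ReadOnly and the choice to return every mapped role rather than a single one are assumptions made for the example; the attribute name UserRole, the tokenGroups claim rule it reflects and the fallback to "Default User Role" are what the thread describes.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real ADFS or FMC).
# The groups that the custom rule reads from tokenGroups arrive as repeated
# AttributeValue elements under the one attribute name the rule issued, "UserRole".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">petter@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserRole">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>FMC-ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical AD group names (assumption for this example). The direction of the
# mapping, AD group name -> FMC role, is what the reply above describes.
ROLE_MAP = {
    "FMC-Admins": "Administrator",
    "FMC-ReadOnly": "Security Analyst (Read Only)",
}
DEFAULT_ROLE = "Default User Role"


def attribute_values(assertion_xml, attr_name):
    """Return every AttributeValue of the SAML attribute whose Name equals attr_name.

    The comparison is an exact, case-sensitive string match, so "role" or
    "userrole" finds nothing when the rule issued "UserRole".
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:
            values.extend(
                v.text.strip()
                for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                if v.text and v.text.strip()
            )
    return values


def resolve_roles(assertion_xml, group_member_attribute, role_map=ROLE_MAP, default=DEFAULT_ROLE):
    """Model of the FMC-side lookup.

    Read the groups from the configured Group Member Attribute, return the role
    of every group that has a mapping, and fall back to the default role when
    none match (which is what every user saw in the original question).
    """
    groups = attribute_values(assertion_xml, group_member_attribute)
    roles = [role for group, role in role_map.items() if group in groups]
    return roles or [default]


if __name__ == "__main__":
    # Attribute name matches the claim rule: the mapped group is found.
    print(resolve_roles(SAMPLE_ASSERTION, "UserRole"))
    # Attribute name from the original question: no match, default role.
    print(resolve_roles(SAMPLE_ASSERTION, "role"))
```

Running the block with the attribute set to "role" reproduces the symptom from the question (everyone lands on the default role), while "UserRole" returns the read-only role; the same check applied to a decoded assertion from your own ADFS (browser SAML tracer or the FMC SAML debug output) shows immediately whether the attribute name or the group names are what fail to match.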
