sumshesh
Cisco Employee

We are pleased to announce the General Availability of a new feature that supports provisioning identities from multiple Identity Providers (IDPs): Microsoft Entra ID and Okta. Administrators can provision users from both Entra ID and Okta and authenticate each user against the IDP they belong to. This feature is particularly beneficial for large enterprises, such as financial organizations, that frequently undergo mergers and acquisitions (M&A) and need to integrate existing identity infrastructures with new ones.

Key Features

  • Multiple IDP Provisioning: Administrators can now provision users from multiple IDPs, enabling seamless integration of diverse identity infrastructures.
  • Multiple IDP Authentication: Secure Access will redirect authentication requests to the respective IDPs.
  • Scalability: This feature supports large-scale enterprises, facilitating smooth user management during M&A cycles.

Benefits

  • Flexible Provisioning: Organizations can manage users from different IDPs without the need for complex, manual integrations.
  • Improved User Experience: Users can authenticate against their respective IDPs, ensuring a consistent and secure login experience.
  • Streamlined Operations: Simplifies the process of integrating new companies' identity infrastructures, reducing administrative overhead.

How Authentication Works with Multiple IDPs

  1. User Initiates Login: When a user attempts to log in, Secure Access identifies the directory that the user belongs to and redirects the authentication request to the appropriate IDP.
  2. IDP Authentication: The user authenticates against their respective IDP.
  3. Policy Enforcement: Upon successful authentication, the appropriate policies are enforced on the end user's traffic, provided that the user is pre-provisioned on Secure Access.

Example Use Case

A financial organization that frequently acquires new companies can now integrate the new companies' identity infrastructures with their existing systems. Users from the newly acquired companies can be provisioned and authenticated using their existing IDPs, ensuring a smooth transition.

Documentation:

For more detailed instructions, please refer to the following documentation:

 

Comments
Raima Ito
Level 1

@sumshesh 
Did it support this in Secure Access VPN? The SAML configuration for my Secure Access VPN only allows me to specify one IDP.

Kenichiro Kato
Cisco Employee

@Raima Ito This update is not for the VPN profile from an authentication perspective. For authentication, this update is for ZTA / PAC deployments that can be configured on the Dashboard. We could not add multiple IdPs (for instance Entra ID) here until this update. For user provisioning (which is also used by VPN), we can now use multiple IdPs.

For VPN profiles, we can configure multiple VPN profiles by default and associate a different IdP per VPN profile.
