
Summary
ISE 2.1 adds SAML Identity Source Enhancements, allowing any SAML 2.0 compliant IdP to be used as the identity source for ISE end-user facing portals. Microsoft AD FS 2.0 and above support SAML 2.0. Here we provide a quick note on how to get it to work with ISE.
Prerequisites
- ADFS 2.0+ -- ADFS 3.0 from Windows 2012 R2 used in our test
- ISE 2.1+ -- Screenshots are taken from ISE 2.1.
Relying Party Trust
A Relying Party is a Microsoft name equivalent to the SAML 2.0 name "Service Provider". It is a partner that consumes security tokens in order to provide access to applications. Each ISE user portal (e.g. Sponsor) is a relying party.
- (ADFS) Download the metadata XML @ https://<ADFS-SPN>/federationmetadata/2007-06/federationmetadata.xml to a file.
- (ISE) Configure ISE with ADFS metadata and then add end-user portals using it as the ID source.
- (ISE) Export ISE SP XML files. No need to export ISE SAML signing certificate separately.
- (ADFS) Add a new "Relying Party Trust"
- Select Data Source: Import data about a relying party from a file. Browse to the XML from ISE
- Display Name: Give the trust a display name, e.g. "ISE Sponsor"
- Choose Issuance Authorization Rules: Permit all users to access this relying party
- Open Edit Claim Rules Dialog: Ticked
- (ADFS) In the claim rules editor, select the tab "Issuance Transform Rules", and add a new rule:
- (ADFS) Update the global settings of the primary authentication to Forms Authentication, because ISE does not support the other authentication methods (CSCvb32728).
- (ADFS) Set the secure hash algorithm to SHA1 instead of SHA-256 (default) in order to get SP-Initiated Single Logout (SLO) to work for the ISE Sponsor or My Devices portals. This setting is per relying party trust (Properties > Advanced), so it weakens signature strength only for the ISE trust, not for other relying parties.
(ISE) SAML IdP groups, attributes, and advanced settings
- The attribute names to be configured in ISE can be obtained from the ADFS claim descriptions, from the ADFS metadata.xml, or from the SAML debug output in ISE. The screenshot here shows the claim descriptions:
- Groups come from an attribute that represents the user's role or group membership:
- The other attributes of interest can be used in ISE authorization, or mapped to portal fields such as the email address.
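To show where those names live in the ADFS metadata, here is an added example (not part of the original note or of ISE/ADFS) that parses a constructed, trimmed federationmetadata.xml for the hypothetical host adfs.example.test and lists the entityID, the SSO/SLO endpoints per binding, and the claim attribute Name values that must match the ISE attribute configuration exactly.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, heavily trimmed stand-in for an ADFS federationmetadata.xml
# (hypothetical host adfs.example.test; not a real capture, no signature or cert).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        FriendlyName="E-Mail Address"/>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group" FriendlyName="Group"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the entityID, SSO/SLO endpoints keyed by binding, and claim attributes."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = {}
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        # Key by the short binding name, e.g. "HTTP-Redirect", "HTTP-POST".
        endpoints[tag] = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                          for e in idp.findall("md:" + tag, NS)}
    # Name is the exact string ISE expects for the SAML attribute;
    # FriendlyName is what ADFS shows under Claim Descriptions.
    attrs = {a.get("Name"): a.get("FriendlyName")
             for a in idp.findall("saml:Attribute", NS)}
    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "attributes": attrs}


def slo_supported(meta):
    """SP-initiated SLO cannot work unless the IdP publishes an SLO endpoint."""
    return bool(meta["endpoints"]["SingleLogoutService"])


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for name, friendly in meta["attributes"].items():
        print(f"{friendly}: {name}")
```

Point the script at the real file downloaded in the Relying Party Trust step to get the attribute names for the ISE IdP attribute configuration.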
(ISE) Sponsor Group Member Mapping
- To use ADFS for sponsor portals, we need to map the sponsor groups. The example below shows "adfs1:Domain Users", a group from ADFS.
DEBUG
ADFS Troubleshooting
- How to Enable Debug Logging for Active Directory Federation Services 2.0 (AD FS 2.0) - TechNet Articles
- Diagnostics in AD FS 2.0 - Claims-Based Identity Blog
- (2014-02-05) Enabling Debug Tracing In ADFS v2.1 and v3.0 - Jorge's Quest For Knowledge!
- Troubleshooting Fedpassive request failures with AD FS 2.0
- ADFS Configuration Wizard Fails with Error "The certificates with the CNG private key are not supported" - Premier Field Engineering
ISE DEBUG Logging
- ISE > Administration > System > Logging > Debug Log Configuration
| Component Name | Log Level |
|---|---|
| guestaccess | DEBUG |
| portal-web-action | DEBUG |
| saml | TRACE |
- Collect ise-psc.log and guest.log