This document provides a configuration example of Security Assertion Markup Language (SAML) Authentication on FTD managed over FDM. The configuration allows Anyconnect users to establish a VPN session authenticating with a SAML Identity Service Provider.
Cisco recommends that you have knowledge of these topics:
Knowledge of Anyconnect configuration on FDM
Knowledge of SAML and of the values found in the IdP's metadata.xml
The information in this document is based on these software and hardware versions:
Firepower Threat Defense managed over FDM using version 7.0.
ADFS from AD Server with SAML 2.0
Note: This lab uses an ADFS IdP server with a custom IdP signing certificate that has the CA flag set under Basic Constraints.
Also, if possible, use an NTP server to synchronize the time between the FTD and IdP. Otherwise, make sure the time is manually synchronized between them.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Due to CSCvu95526, the only SAML server fully supported is Duo. The release notes state:
SAML Servers: Following are the supported SAML servers: Duo.
In this lab, I am using ADFS as the SAML server; however, I created a custom IdP signing certificate that does contain the CA flag under Basic Constraints, which removes the limitation described in bug CSCvu95526.
You can check whether the IdP's signing certificate contains this flag with the following openssl command and look for "CA:TRUE" under X509v3 Basic Constraints in its output: openssl x509 -in vpnx.local/id.crt -noout -text
This section describes how to configure Anyconnect with SAML authentication on FTD managed via FDM.
Get the SAML IdP parameters
The image below shows a SAML IdP metadata.xml file. From it you can get all the values needed to configure the Anyconnect profile with SAML:
Configuration on the FTD via FDM
Step 1. Import the IdP's certificate. Under Objects -> Certificates -> Add Trusted CA Certificate.
Step 2. The name you define here is used later when you reference the IdP's certificate in the SAML server object.
Step 3. Create the SAML server. Under Objects -> Identity Sources -> SAML Server.
Step 4. Based on the metadata.xml file already provided by your IdP, configure the SAML values:
Name: SAML server's name.
Identity Provider (IDP) Entity ID URL: entityID from metadata.xml.
Sign in URL: SingleSignOnService from metadata.xml.
Sign out URL: SingleLogoutService from metadata.xml.
FTD Service Provider Certificate: FTD signing certificate.
Identity Provider Certificate: IdP signing certificate (the trusted CA certificate imported in Step 1).
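As an added example (not from the original article and not Cisco code), this Python script pulls the Step 4 values out of an IdP metadata.xml, the same values the metadata image above is read for; the hostnames, the SAML server name "SAML_ADFS" and the certificate bytes in the embedded sample are constructed placeholders. It assumes the HTTP-Redirect endpoint is the one to prefer when the IdP publishes several bindings, and it writes the certificate out as PEM so the openssl check given earlier can be run against it.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed placeholder standing in for the IdP's base64 signing certificate.
FAKE_CERT_B64 = base64.b64encode(b"PLACEHOLDER-NOT-A-REAL-CERT").decode()
# Constructed metadata.xml in the shape ADFS publishes; the hostnames are made up.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://adfs.vpnx.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://adfs.vpnx.local/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.vpnx.local/adfs/ls/"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.vpnx.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _location(idp, tag):
    eps = idp.findall(f"{{{MD}}}{tag}")
    if not eps:
        raise ValueError(f"metadata has no {tag} endpoint")
    eps.sort(key=lambda e: e.get("Binding") != REDIRECT)  # prefer HTTP-Redirect (assumption)
    return eps[0].get("Location")

def cert_to_pem(b64):
    # Wrap the metadata certificate as PEM so 'openssl x509 -noout -text' can inspect it.
    body = "\n".join(textwrap.wrap("".join(b64.split()), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text, server_name="SAML_ADFS"):
    """Return the fields FDM asks for under Objects -> Identity Sources -> SAML Server."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:  # SP metadata (or the wrong file) has no IDPSSODescriptor
        raise ValueError("not IdP metadata: no IDPSSODescriptor found")
    certs = [kd.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
             for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"]  # no 'use' attribute means any use
    if not certs or certs[0] is None or not (certs[0].text or "").strip():
        raise ValueError("metadata carries no IdP signing certificate")
    return {
        "name": server_name,
        "idp_entity_id_url": root.get("entityID"),
        "sign_in_url": _location(idp, "SingleSignOnService"),
        "sign_out_url": _location(idp, "SingleLogoutService"),
        "idp_certificate_pem": cert_to_pem(certs[0].text),
    }
```

Save the returned idp_certificate_pem to a file and run the openssl command from the section above on it to confirm the Basic Constraints CA flag before importing it in Step 1.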
Step 5. Create a Connection profile that uses SAML as authentication method. Under Device -> Remote Access VPN.
Step 6. Click on Create Connection Profile.
Step 7. Define the Connection Profile's name, set the authentication method under Primary Identity Source, and select the SAML Server created in Step 3. Also define the IP local pool, or DHCP if you want to assign IPs to the RA users via DHCP.
Step 8. Select the group-policy for this Connection profile. You can create a dedicated GP for this connection profile or use the default instead.
Step 9. Define the SSL certificate to use for this RA VPN, the FQDN of the RA FTD, and the Anyconnect .pkg file to use. Optionally you can set the NAT exemption and sysopt permit-vpn. Very important: the value you define under "Fully-qualified Domain Name for the Outside Interface" is used as the base URL for the SAML configuration, so make sure the FTD's correct RA FQDN is set there.
Step 10. Deploy the changes.
Step 11. Now provide the FTD's metadata.xml file to the IdP so it adds the FTD as a trusted service provider. On the FTD CLI, run the command "show saml metadata SAML_TG", where SAML_TG is the name of the Connection Profile created in Step 7.
The expected output of the command above is shown below:
> system support diagnostic-cli Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands.