Notes on Azure AD as SAML IdP

  • [Screen Capture Video on 2017-Nov-24 to show the newer Azure Portal]
  • Step 1. Create new IdP instance in ISE. (NOTE: Single IdP configuration in ISE can support multiple ISE web portals, each mapped to a separate Azure app).
  • Step 2. Configure a new web portal (one of ISE My Devices, Certificate Provisioning, Guest, and Sponsor portals) and use the newly created IdP as the authentication method.
  • Step 3. Multiple ISE policy service nodes (PSN):
    • In an ISE deployment with multiple PSNs, a load balancer can be used so that the IdP’s response is redirected to the load balancer, which then forwards it to the ISE nodes.
    • Using a Fully Qualified Domain Name (FQDN) in the portal setting may provide similar functionality, by giving each ISE node a different DNS resolution in different subnets.
  • Step 4. Return to the IdP settings. If using a load balancer, enable it in the IdP. Then, export the [ Service Provider Info ] and save it (zip file) to the local file system.
  • Step 5. Export the ISE system certificate for SAML.
  • Step 6. Extract the Service Provider Info zip file. Open the XML file in a text editor and locate



Azure Configuration Notes:

To register a new application in the Azure classic portal

  1. Sign in to the Azure classic portal.
  2. Click on the Active Directory icon on the left menu, and then click on the desired directory.
  3. On the top menu, click Applications. If no apps have been added to your directory, this page will only show the Add an App link. Click on the link, or alternatively click on the Add button on the command bar.
  4. On the What do you want to do page, click on the link to Add an application my organization is developing.
  5. On the Tell us about your application page, you must specify a name for your application as well as indicate the type of application you are registering with Azure AD. You can choose from a Web application and/or Web API (default, known as a confidential client in OAuth2) or Native client application, which represents an application that is installed on a device such as a phone or computer (known as a public client in OAuth2). Once finished, click the arrow icon on the bottom-right corner of the page.
  6. On the App properties page, provide the Sign-on URL and App ID URI if you’re registering a Web application, or just the Redirect URI for a Native client application, then click the checkbox in the bottom-right hand corner of the page.
    1. Sign-on URL is usually related to how Microsoft provisions it. For example, I logged in using my MSDN account and see this as part of the URL in the current page -->
      • So, I pick where demo-1-MDP needs to be unique for the Azure account
    2. APP ID URI is the value of the entityID from Step 6.
  7. Your application has been added, and you will be taken to the Quick Start page for your application.
  8. Select the Cloud icon if not already on the overview page.
  9. Open a browser tab or new window, paste the URL, and save the resulting page to a file as .XML.
  10. Select CONFIGURE.
  11. Locate the Single Sign On section and, in there, the REPLY URL.
    • Update it with the AssertionConsumerService Location value that has the hostname of the load balancer, if one is configured, or the FQDN, if one is configured (as shown in this case). If not using either, enter every Location value, one entry at a time.
  12. Click Save at the bottom of the page.
  13. (For a Sponsor Portal or Guest Portal requiring "groups") Update groupMembershipClaims in the manifest for the app:
    • Download the manifest.
    • Use a text editor to open the downloaded .json file, search for groupMembershipClaims, change its value to "All" or "SecurityGroup" (enclosed in quotation marks), and save the file.
    • Upload it back to Azure AD for the application.
    • Azure AD sends groups as their object IDs, not their names, so we need to get the IDs and map them in ISE.
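As an added example (not part of the original notes): a small Python script that reads the ISE Service Provider metadata XML extracted in Step 6 and pulls out the two values the Azure app registration needs, the entityID for the App ID URI and the AssertionConsumerService Location values for the Reply URL, keeping only the load balancer or FQDN entry when one is configured. The sample XML, UUID, hostnames and portal path are constructed placeholders, not a real ISE export.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of an ISE SP metadata file (placeholder UUID, hostnames and path).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://CiscoISE/00000000-1111-2222-3333-444444444444">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise-psn1.demo.local:8443/portal/SSOLoginResponse.action" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise-psn2.demo.local:8443/portal/SSOLoginResponse.action" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sponsor.demo.local:8443/portal/SSOLoginResponse.action" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, [AssertionConsumerService Location, ...]) from SP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")  # goes into the Azure "App ID URI" field
    locations = [acs.get("Location")
                 for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS)]
    return entity_id, locations


def reply_urls(locations, lb_or_fqdn=None):
    """Reply URLs to enter in Azure: only the load balancer / FQDN entry when one is
    configured, otherwise every PSN Location (entered one at a time)."""
    if lb_or_fqdn is None:
        return list(locations)
    chosen = [u for u in locations if urlparse(u).hostname == lb_or_fqdn.lower()]
    if not chosen:
        # The IdP export does not contain the LB/FQDN hostname: it was not enabled
        # in the ISE IdP settings before the Service Provider Info was exported.
        raise ValueError(f"no AssertionConsumerService Location for {lb_or_fqdn}; "
                         "enable the load balancer/FQDN in the ISE IdP and re-export")
    return chosen


if __name__ == "__main__":
    entity_id, acs = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("App ID URI :", entity_id)
    for url in reply_urls(acs, "sponsor.demo.local"):
        print("Reply URL  :", url)
```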


  • Step 7. Configure attribute mappings and group attributes at the 3rd-party SAML IdP. (See the group object ID info above for AzureAD).
  • Step 8. Export the metadata from the 3rd-party product. (DONE above already)
  • Step 9. Return to ISE admin, import the IdP metadata from the 3rd-party product, and add groups and attributes in the IdP instance.
    • (For a sponsor or guest portal in need of group membership mapping)
      • Tab [ Groups ] and define as below
        • Group Membership Attribute (Note: The URI is an XML namespace but not an actual website.)
        • Add the groups
          Name in Assertion                                  Name in ISE
          <object-ID-for-testGroup1-copied-from-AzureAD>     testGroup1
          <object-ID-for-testGroup2-copied-from-AzureAD>     testGroup2
    • In case the 3rd-party product (e.g. Azure AD) returns the SAML subject name in persistent or transient format, an attribute assertion needs to be defined as the identity attribute (Advanced Settings tab).
      • Azure AD seems to use different attributes depending on the Azure instance. In my Azure AD example, the best user identifier is the email address, so I define the attribute as below. In some cases (e.g. MDJ-network's and our test Azure AD account), it uses instead. (The URI is an XML namespace but not an actual website.)


Use ISE debug to locate the proper Azure AD attribute to use as the username. Most Microsoft cloud services let users log in with their email addresses, so the email address is the best identifier to use as the "username". As said before, Azure AD is not consistent in naming this field. To overcome this, turn DEBUG on for the saml component, use the ISE admin CLI command "show logging application ise-psc.log", and search for the logged-in user's email address. For example, the line below contains a logged-in user's email, so we set the corresponding attribute as the subject name.


... DEBUG  [http-bio-][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<> add value=<employee1@demo.local>
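As an added example (not part of the original notes): a script that scans ise-psc.log for the SAMLAttributesParser "[parseAttributes]" lines shown above and reports which attribute name carries the logged-in user's email (the one to set as subject name), plus the object IDs that arrived in the groups claim (the values to map in the IdP's Groups tab). The log lines are constructed samples; the claim URIs are the standard Azure AD claim names, and, as the notes warn, the one carrying the email may differ per tenant.

```python
import re

# One parseAttributes line per SAML attribute value, as written by cpm.saml.framework.impl.SAMLAttributesParser.
PARSE_ATTR_RE = re.compile(
    r"\[parseAttributes\].*?Attribute=<(?P<name>[^>]*)> add value=<(?P<value>[^>]*)>")

# Constructed sample of ise-psc.log at DEBUG level for the saml component.
SAMPLE_LOG = """\
2016-04-11 21:25:03,112 DEBUG  [http-bio-8443-exec-5][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name> add value=<employee1@demo.local>
2016-04-11 21:25:03,112 DEBUG  [http-bio-8443-exec-5][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname> add value=<Employee>
2016-04-11 21:25:03,113 DEBUG  [http-bio-8443-exec-5][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<http://schemas.microsoft.com/ws/2008/06/identity/claims/groups> add value=<11111111-2222-3333-4444-555555555555>
2016-04-11 21:25:04,001 INFO   [http-bio-8443-exec-5][] cpm.saml.framework.impl.SAMLAttributesParser -::::- unrelated line, ignored
"""

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def parse_attributes(log_text):
    """Return (attribute_name, value) pairs from every parseAttributes line."""
    pairs = []
    for line in log_text.splitlines():
        m = PARSE_ATTR_RE.search(line)
        if m:
            pairs.append((m.group("name"), m.group("value")))
    return pairs


def attributes_carrying(log_text, user_email):
    """Names of the SAML attributes whose value is the user's email (case-insensitive).
    Set one of these as the subject name / identity attribute in the ISE IdP instance."""
    want = user_email.strip().lower()
    return sorted({name for name, value in parse_attributes(log_text)
                   if value.strip().lower() == want})


def group_ids(log_text, groups_attr=GROUPS_CLAIM):
    """Object IDs Azure AD sent in the groups claim; these, not group names, are
    what goes into the "Name in Assertion" column of the ISE Groups tab."""
    return [value for name, value in parse_attributes(log_text) if name == groups_attr]


if __name__ == "__main__":
    print("email attribute(s):", attributes_carrying(SAMPLE_LOG, "employee1@demo.local"))
    print("group object IDs  :", group_ids(SAMPLE_LOG))
```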



  • Step 11. (For ISE Sponsor Portal SSO only) Add Azure AD groups to sponsor group(s).
  • Step 12. Perform ‘Portal test URL’ in the relevant ISE web portal.