Anyconnect / SAML / Authorization Attribute

cisco.13
Level 1

Hello,

I configured SAML (OKTA) Auth for an Anyconnect VPN and it works fine.

1 - I want to configure the same method (SAML) for several profiles (tunnel groups), is that possible?
If yes, how? Same application, certificate, IdP, SP, trustpoint?

2- Is it possible for me to retrieve the pool address from SAML/OKTA according to the user's group (same as on ISE, attribute: CVPN3000/ASA/PIX7x-Address-Pools)?

ASA 9.15(1)15
Anyconnect: 4.10

Thank you so much

11 Replies

Milos_Jovanovic
VIP Alumni

Hi @cisco.13,

Yes, you can use same IDP with multiple tunnel-groups/profiles. Please see this post, where it is being discussed. It is for different SSO provider, but concepts are the same.

Afaik, authorization via SAML is not yet supported, so you'll have to use some other authorization mechanisms (such as ISE/RADIUS). Take a look at this post.

Kind regards,

Milos

Pavan Gundu
Cisco Employee

DAP can also be used to capture the attributes you get from SAML assertion as authorization, it is present from ASA 9.17 onwards, release notes

cisco.13
Level 1

Hello, great news

@Pavan Gundu, do you have more details about DAP and SAML? Do you have an example, please?
I'd like to remind you that I want to allocate IP address pools according to the group to which the users belong.
Thank you for your help

Hi, If you have group policy already configured on the ASA, you can assign them dynamically based on the SAML attribute "cisco_group_policy" (value should be same as group policy name configured on ASA). This value can be sent over SAML assertion, where ASA can sense it and assign that group policy.

How to send "cisco_group_policy" in SAML assertion depends on the IdP being used.

cisco.13
Level 1

Hello @Pavan Gundu 

Thank you for your response, yes, I use several group policies,

On OKTA/SAML you can send the group name and define and configure a custom SAML attribute statement:

https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US

I can't make the link between the group name sent by SAML/OKTA and the IP pool to assign!


Thank you

Each group policy can have different IP Pools configured. ASA will assign the group policy by looking at the "cisco_group_policy" from the SAML assertion.

cisco.13
Level 1

Hello,

Thank you @Pavan Gundu, it's clear, I configured DAP (saml.cisco_group_policy = MY_VPN_GroupPolicy_01)

MFA notification OK, but DAP does not apply, did I forget something?

FYI, I receive the group in the SAML response:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
MY_VPN_GroupPolicy_01
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>

.....

[saml] webvpn_login_primary_username: SAML assertion validation succeeded
saml_ac_token_list_add_entry: Pre_auth token: 657144398
Token 2568F589734877905BA00231 created with timeout 60
Username "my_login@mydomaine.com" added to list with token 2568F589734877905BA00231
saml_get_ac_token_data: Unencrypted Token found 2568F589734877905BA00231
saml_ac_v2_process_auth_request: SAML ac token being looked 2568F589734877905BA00231
SAML AUTH: authentication success
saml_get_ac_token_data: Unencrypted Token found 2568F589734877905BA00231
saml_get_ac_token_data: Unencrypted Token found 2568F589734877905BA00231
saml_get_ac_token_data: Passed SAML token is NULL


tunnel-group tg_vpn type remote-access
tunnel-group tg_vpn webvpn-attributes
authentication saml
group-alias MY_VPN enable
saml identity-provider http://www.okta.com/xxxxxxxxxxxxx

group-policy MY_VPN_GroupPolicy_01 internal
group-policy MY_VPN_GroupPolicy_01 attributes
 address-pools Pool_01

Thank you very much.

cisco.13
Level 1

Hello,

Remember to change the attribute name in Okta: cisco_group_policy (instead of group)

Thank you @Pavan Gundu @Milos_Jovanovic 

HTH

cisco.13
Level 1

Hello,
I'm coming back to this post!
I noticed that it doesn't work if the user belongs to two or more groups (OK with only one group)!

So I'm going to create one tunnel group per group.
Can you confirm this?
- Do I need an application (OKTA) for each tunnel group?
- Can I import two CA certificates from the OKTA of the two applications into the ASA, or does the certificate have to be the same?
- Do I configure x saml in webvpn?

Thank you very much.

That's correct, this setup will only work if the user is part of only a single group.

Regarding creating multiple applications in okta per tunnel group, kindly check if the Entity ID is different for different applications.
If the Entity ID is the same then you need to check if Okta can create unique Entity ID for different applications.
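To make the behaviour discussed in this thread concrete (the attribute must be named cisco_group_policy, its value must match a group policy configured on the ASA, and a user in more than one group gets no match), here is an added Python model of that selection step. It is not ASA code or Okta code; the attribute parsing, the group-policy-to-pool table and the second policy name are constructed for the example.

```python
"""Added example (not from the thread): how an SP could pick a group policy and
address pool from a SAML AttributeStatement carrying "cisco_group_policy"."""
from __future__ import annotations
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for "group-policy <name> attributes / address-pools <pool>".
GROUP_POLICY_POOLS = {
    "MY_VPN_GroupPolicy_01": "Pool_01",
    "MY_VPN_GroupPolicy_02": "Pool_02",  # hypothetical second policy
}

def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return every attribute in the AttributeStatement as name -> list of values."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml2:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    return attrs

def select_pool(assertion_xml: str) -> tuple[str, str] | None:
    """Map the assertion to (group_policy, address_pool); None when the
    attribute is missing, multi-valued (user in several groups) or names a
    group policy that is not configured, so nothing is assigned by default."""
    values = saml_attributes(assertion_xml).get("cisco_group_policy", [])
    if len(values) != 1:
        return None
    policy = values[0]
    pool = GROUP_POLICY_POOLS.get(policy)  # only configured policies are honoured
    return (policy, pool) if pool else None

def make_assertion(name: str, *values: str) -> str:
    """Build a constructed AttributeStatement shaped like the one in the thread."""
    vals = "".join(
        f'<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" '
        f'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        f'xsi:type="xs:string">{v}</saml2:AttributeValue>' for v in values)
    return (f'<saml2:AttributeStatement xmlns:saml2="{SAML_NS["saml2"]}">'
            f'<saml2:Attribute Name="{name}" NameFormat="urn:oasis:names:tc:'
            f'SAML:2.0:attrname-format:unspecified">{vals}</saml2:Attribute>'
            f'</saml2:AttributeStatement>')

if __name__ == "__main__":
    print(select_pool(make_assertion("cisco_group_policy", "MY_VPN_GroupPolicy_01")))
    print(select_pool(make_assertion("group", "MY_VPN_GroupPolicy_01")))  # wrong name
    print(select_pool(make_assertion("cisco_group_policy",
                                     "MY_VPN_GroupPolicy_01", "MY_VPN_GroupPolicy_02")))
```

The first call resolves to Pool_01; the attribute named "group" (the mistake fixed earlier in the thread) and the two-group assertion both yield no assignment, which is a useful check to script against an IdP's test assertions before cutting users over.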