1642 Views, 0 Helpful, 5 Replies

Cisco FTD with SSO

Maurice Ball (Level 3)

I have a customer who has deployed their own Single Sign-On server. The server is not using an SSL certificate for the SSO server Identity Provider Certificate. The SSO signing certificate is a self-generated certificate which is not using a fully qualified domain name. The CN name that is configured on the SSO certificate is "Internal" but the SSO URL is configured with an FQDN. When trying to add this SSO server to the FTD appliance I get the following error:

ERROR: SAML IDP certificate failed Config

Error --saml identity - provider https://host.domain/auth/realms/Internal

Is it possible to add an SSO server which is not using an SSL certificate as the SSO signing certificate to the FTD appliance?

Accepted Solution

CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.7

  • ASA supports the following signatures for SAML authentication:

    • SHA1 with RSA and HMAC

    • SHA2 with RSA and HMAC

  • ASA supports SAML 2.0 Redirect-POST binding, which is supported by all SAML IdPs.

  • The ASA functions as a SAML SP only. It cannot act as an Identity Provider in gateway mode or peer mode.

  • SAML 2.0 SSO does not support internal SAML IdP and SPs, only external ones outside of the private network.

  • This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together.


https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/webvpn-configure-users.html
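
Before importing an IdP signing certificate, an admin usually wants to see the same facts the question and the guide excerpt above turn on: the signature algorithm measured against the SHA1/SHA2-with-RSA list quoted from the guide, the subject CN, whether the certificate is self-signed, and whether the CN or a DNS SAN matches the SSO URL host. The Go program below is an added example, not code from this thread or from Cisco; it uses only the standard library, constructs its own self-signed certificate with CN "Internal" to mirror the poster's setup (no real IdP certificate is involved), and the function and field names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Signature algorithms the quoted ASA guide lists as supported for SAML: SHA1/SHA2 with RSA.
var supportedSigs = map[x509.SignatureAlgorithm]bool{x509.SHA1WithRSA: true, x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true}

// Report: SelfSigned means the cert's own key verifies its signature; NameMatchesHost means its CN or a DNS SAN equals the SSO host.
type Report struct {
	SigAlg, SubjectCN                         string
	SigSupported, SelfSigned, NameMatchesHost bool
}

// Inspect takes the cert as it appears in IdP metadata (<ds:X509Certificate>, base64 DER) and the SSO URL host; it reports facts and does not decide what the ASA/FTD accepts.
func Inspect(b64, host string) (Report, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return Report{}, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return Report{}, err }
	r := Report{SigAlg: cert.SignatureAlgorithm.String(), SubjectCN: cert.Subject.CommonName,
		SigSupported: supportedSigs[cert.SignatureAlgorithm],
		SelfSigned:   cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil}
	for _, n := range append(cert.DNSNames, cert.Subject.CommonName) { // the poster's CN "Internal" will not match
		r.NameMatchesHost = r.NameMatchesHost || n == host
	}
	return r, nil
}

// SelfSignedCert builds a constructed self-signed RSA cert carrying only a CN, like the poster's "Internal" one; it is sample input, not any real IdP's cert.
func SelfSignedCert(cn string, alg x509.SignatureAlgorithm) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return "", err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), SignatureAlgorithm: alg}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(der), nil
}

func main() {
	b64, _ := SelfSignedCert("Internal", x509.SHA256WithRSA) // the poster's setup, reconstructed
	fmt.Println(Inspect(b64, "host.domain"))                 // host of https://host.domain/auth/realms/Internal
}
```

The thread does not settle whether a self-signed, non-FQDN signing certificate is accepted; the report only gives the admin the facts to compare against the guide before retrying the import.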


5 Replies

I have set up the ASA appliance with Azure SAML SSO services and it works great. In this article I do not see where it is saying it is only supported by DUO. Could you please tell me where to find that information?


Section: SAML Server, refer to the "note" field. Attached a screenshot

Screenshot 2022-03-14 at 1.27.39 PM.png

Correct, it is supported by Duo but it is also supported by other vendors.

