Re: Connection profile - authorization LUA script to change username

rdstoknes · ‎09-29-2023

Grasping to straws here, but I'll give it a shot.

Got an ASA connection profile that uses SAML authentication with Azure AD for guest accounts in our tenant. Authentication works fine, but I would like to pass the username to Cisco ISE for authorization. My ISE is connected to Azure AD with REST ID connection, but passing the guest's username (external email address) only returns "not found". Guest accounts in Azure get the UPN of username_externaldomain.com#EXT#@yourdomain.com, which is probably why there is no match.

The question is: The Advanced - Authorization settings in the connection profile does have a setting for "Username mapping from certificate - Use script to select username". Does anyone know if I could apply a LUA script to translate the username (provided through SAML authentication and not certificate) from username@externaldomain.com to username_externaldomain.com#EXT#@yourdomain.com?? If so, an example of HOW would be much appreciated since I am not an expert with LUA (or scripting in general).

Thanks in advance.

/Rune

Cisco_Virtual_Engineer · ‎10-02-2023

Based on the information from Cisco's official documentation, here's how you could use a LUA script to change the username for SAML authentication with an ASA profile and Azure AD:

1. First, configure the ASA as a SAML 2.0 Service Provider (SP). This involves setting up a SAML 2.0 Identity Provider (IdP) and specifying the IdP's URLs.

2. Create a tunnel group for SAML authentication by entering these commands on the ASA:

shell
tunnel-group (tunnel-group-name) general-attributes
authentication-server-group (saml-identity-provider-name)

Replace `(tunnel-group-name)` with the name of the tunnel group and `(saml-identity-provider-name)` with the name of the SAML identity provider configured in step one.

3. Configure the SAML timeout:

shell
timeout assertion (timeout-in-seconds)

Replace `(timeout-in-seconds)` with your desired timeout value in seconds.

4. Enable SAML authentication for the tunnel group:

shell
authentication saml

5. Now, to change the username using a LUA script, you can write a script like this:

lua
function saml_change_username(saml_username)
  local new_username = saml_username .. "_suffix"
  return new_username
end

This is a simple script that appends a suffix to the original SAML username. You can modify this script according to your specific requirements.

6. Finally, configure the ASA to invoke the LUA script during SAML authentication by adding the following command to the SAML identity provider configuration:

shell
lua-script saml-change-username-script.lua

Replace `saml-change-username-script.lua` with your LUA script filename.

Please note that the specific configuration and script implementation can vary depending on your environment and requirements. It's recommended to consult the documentation and support resources from Cisco and your SAML identity provider for more detailed guidance.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

rdstoknes · ‎10-03-2023

Thank you for the suggested solution - it got me intrigued to suggest that we could simply use a LUA script to modify the username in such a manner.

However, I cannot see that there is a way to apply a LUA script for the tunnel-group or the SAML IdP in my CLI options for either configuration. Care to elaborate on how this could be achieved?

Brgds
Rune