02-09-2023 10:01 AM
SAML authorization based on the attributes:
As per the document
https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/asdm717/vpn/asdm-717-vpn-config/vpn-asdm-dap.html#task_bs3_q1v_tsb:~:text=From%20the%20AAA%20Attribute%20Type%20drop%20down%2C%20select%20SAML.
I am trying to select SAML as an option in Remote Access VPN > Dynamic Access Policies > Add > AAA Attribute > Add > SAML (not available).
Is this a version issue?
If so, can I get more information on how to set group policies based on the SAML attributes.
02-09-2023 12:16 PM
@HariShankarYellapragada it looks like that feature was introduced in ASA 9.17. From the 9.17 release notes - "Support has been added for SAML assertion attributes which can be used to make DAP policy selections." https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html
The latest supported version on the ASA 5506-X is 9.16, so you'd be unable to upgrade your ASA to use that feature.
As the 5506-X is EOL, you'd be better off replacing it with the newer FPR1010 hardware, which will support the latest ASA or FTD image and therefore the SAML feature you require.
02-09-2023 10:33 AM
@HariShankarYellapragada The guide you reference is ASA 9.17 and ASDM 7.17.
Are you running ASDM/ASA version that supports that SAML option? As you don't see that option I would guess you probably need to upgrade to get access to configure SAML.
02-09-2023 12:09 PM - edited 02-09-2023 12:20 PM
@Rob Ingram The ASA we use is 5506-X and I don't see the 9.17 version available. Our version is 9.12(4)
Software Download - Cisco Systems
Let me know if I am looking at the wrong place.
I want to know if there is an alternative approach using the SAML attributes (group name) to set the DAP to the user.
Output I see while debugging with "debug webvpn saml 255":
[SAML] consume_assertion:
http://www.okta.com/xxxxxxxxxxxxxxxxxxxxxx1 user.name@org.com
[saml] webvpn_login_primary_username: SAML assertion validation succeeded
Start timer for verifying token XXXXXXXXXXXXXXXXXXXXX9
Username "user.name@org.com" added to list with token XXXXXXXXXXXXXXXXXXXXX9
saml_auth_is_valid_token: SAML ac token being looked XXXXXXXXXXXXXXXXXXXXX9
saml_ac_v2_process_auth_request: SAML ac token being looked XXXXXXXXXXXXXXXXXXXXX9
SAML AUTH: authentication success
saml_ac_token_entry_reset_saml_session: SAML ac token being looked XXXXXXXXXXXXXXXXXXXXX9
Verification complete stop timer for token XXXXXXXXXXXXXXXXXXXXX9
Sample SAML attributes that were sent by Okta:
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user.name@org.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_XXXXXXXXXXXXXXXXXXXXXXXXXC"
            NotOnOrAfter="2023-02-09T00:13:18.696Z"
            Recipient="https://vpn.org.com/+CSCOE+/saml/sp/acs?tgname=cloud_idp"
        />
    </saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Attribute Name="Group Policy"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
    <saml2:AttributeValue xmlns:xs="http://www.xx.org/2001/XMLSchema"
        xmlns:xsi="http://www.xx.org/2001/XMLSchema-instance"
        xsi:type="xs:string"
    >Engineer-VPN</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
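To make concrete what a DAP record keyed on a SAML attribute has to work with, here is an added example (not Cisco ASA code, and not from any poster in this thread) that parses a SAML response modelled on the Okta excerpt above, performs the bearer-confirmation checks a service provider applies before it trusts the attributes (Recipient and NotOnOrAfter), and then applies a simple first-match rule table in the spirit of a DAP "AAA Attribute" condition. The response text, the issuer/ID values, the extra "memberOf" attribute and the rule table are all constructed for illustration; the ASA's real DAP evaluation logic is more involved than the first-match loop shown here.

```python
"""Extract and validate the SAML attribute a DAP rule would match on.

Added example, not Cisco ASA code. SAMPLE_RESPONSE is a constructed
SAML 2.0 response modelled on the Okta excerpt in the thread: NameID is
the VPN username and the "Group Policy" attribute carries the value
("Engineer-VPN") that a DAP AAA-attribute record would compare against.
Issuer and ID values are placeholders, not real identifiers.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample; "memberOf" is added to show multi-valued attributes.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_response-placeholder">
  <saml2:Assertion ID="_assertion-placeholder">
    <saml2:Issuer>http://www.okta.com/ISSUER-PLACEHOLDER</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user.name@org.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2023-02-09T00:13:18.696Z"
            Recipient="https://vpn.org.com/+CSCOE+/saml/sp/acs?tgname=cloud_idp"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Group Policy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue>Engineer-VPN</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue>VPN-Users</saml2:AttributeValue>
        <saml2:AttributeValue>Engineering</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Hypothetical DAP rule table: (dap_name, (attribute_name, required_value)),
# evaluated first match wins. "DfltAccessPolicy" is the ASA's default DAP name.
DAP_RULES = [
    ("Engineer-DAP", ("Group Policy", "Engineer-VPN")),
    ("Staff-DAP", ("memberOf", "VPN-Users")),
]


def parse_assertion(xml_text):
    """Return (username, {attribute_name: [values]}, confirmation_data)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS).text
    scd = assertion.find(
        "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS
    )
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    return name_id, attrs, dict(scd.attrib)


def confirmation_is_valid(scd, expected_recipient, now_iso):
    """Bearer-confirmation checks: the assertion must be addressed to this
    SP's ACS URL and must not have expired. Attributes from an assertion
    that fails these checks must not drive policy selection."""
    if scd.get("Recipient") != expected_recipient:
        return False
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    not_after = datetime.strptime(scd["NotOnOrAfter"], fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    return now < not_after


def select_dap(attrs, rules=DAP_RULES):
    """Return the first DAP whose (attribute, value) condition the assertion satisfies."""
    for dap_name, (attr_name, wanted) in rules:
        if wanted in attrs.get(attr_name, []):
            return dap_name
    return "DfltAccessPolicy"


if __name__ == "__main__":
    user, attrs, scd = parse_assertion(SAMPLE_RESPONSE)
    acs = "https://vpn.org.com/+CSCOE+/saml/sp/acs?tgname=cloud_idp"
    ok = confirmation_is_valid(scd, acs, "2023-02-09T00:10:00.000Z")
    print(user, attrs, "valid" if ok else "INVALID", select_dap(attrs) if ok else "-")
```

The validity check runs before the rule table on purpose: the "Group Policy" value is only meaningful once the SP has confirmed the assertion was issued for its own ACS URL and is still within its window, which is what the "SAML assertion validation succeeded" line in the debug output above refers to.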
02-21-2023 09:18 AM
@Rob Ingram Does Firepower 2100 series support SAML attributes feature?
As this feature was added in ASA 9.17(1)/ASDM 7.17(1).
02-21-2023 09:32 AM
@HariShankarYellapragada well the 2100 appliances support ASA 9.17 and newer, so as long as 9.17 supports the features you want then yes it should work on your hardware, assuming you are using 9.17(1) or newer.