I don't find SAML as an option in AAA Attribute Type

SAML authorization based on the attributes:
As per the document 
https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/asdm717/vpn/asdm-717-vpn-config/vpn-asdm-dap.html#task_bs3_q1v_tsb:~:text=From%20the%20AAA%20Attribute%20Type%20drop%20down%2C%20select%20SAML.
I am trying to select SAML as an option in Remote Access VPN > Dynamic Access Policies > Add > AAA Attribute > Add > SAML (not available).


Is this a version issue?
If so, can I get more information on how to set group policies based on the SAML attributes?

5 Replies

@HariShankarYellapragada The guide you reference is ASA 9.17 and ASDM 7.17.

Are you running an ASDM/ASA version that supports that SAML option? As you don't see that option, I would guess you probably need to upgrade to get access to configure SAML.

@Rob Ingram The ASA we use is a 5506-X and I don't see the 9.17 version available. Our version is 9.12(4).
Software Download - Cisco Systems
Let me know if I am looking at the wrong place.

I want to know if there is an alternative approach using the SAML attributes (group name) to set the DAP to the user.

Output I see while debugging with "debug webvpn saml 255":

[SAML] consume_assertion:
http://www.okta.com/xxxxxxxxxxxxxxxxxxxxxx1 user.name@org.com
[saml] webvpn_login_primary_username: SAML assertion validation succeeded
Start timer for verifying token XXXXXXXXXXXXXXXXXXXXX9
Username "user.name@org.com" added to list with token XXXXXXXXXXXXXXXXXXXXX9
saml_auth_is_valid_token: SAML ac token being looked XXXXXXXXXXXXXXXXXXXXX9
saml_ac_v2_process_auth_request: SAML ac token being looked XXXXXXXXXXXXXXXXXXXXX9
SAML AUTH: authentication success
saml_ac_token_entry_reset_saml_session: SAML ac token being looked XXXXXXXXXXXXXXXXXXXXX9
Verification complete stop timer for token XXXXXXXXXXXXXXXXXXXXX9

Sample SAML attributes that were sent by Okta:

        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user.name@org.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_XXXXXXXXXXXXXXXXXXXXXXXXXC"
                                               NotOnOrAfter="2023-02-09T00:13:18.696Z"
                                               Recipient="https://vpn.org.com/+CSCOE+/saml/sp/acs?tgname=cloud_idp"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>


            <saml2:Attribute Name="Group Policy"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.xx.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.xx.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >Engineer-VPN</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>
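To make concrete which assertion fields the service-provider side evaluates (the NotOnOrAfter and Recipient in SubjectConfirmationData, the NameID, and the "Group Policy" attribute shown in the excerpt above) and how an attribute value turns into a policy choice, here is an added Python example. It is not code from this thread, from Okta, or from Cisco's ASA; it parses a constructed assertion modelled on the excerpt, checks the bearer confirmation data against an expected ACS URL and a supplied time, and maps the attribute value to a policy name, falling back to a deny policy when the attribute is missing or unknown. The policy names, the mapping and the issuer value are assumptions, and XML signature verification (which the ASA performs before "SAML assertion validation succeeded") is deliberately out of scope.

```python
"""Extract SAML assertion attributes and select a policy from them (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion modelled on the Okta excerpt in the thread.
# Issuer and ID are placeholders; the attribute and confirmation data mirror the excerpt.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_CONSTRUCTED_ID" IssueInstant="2023-02-09T00:08:18.696Z" Version="2.0">
  <saml2:Issuer>http://www.okta.com/CONSTRUCTED_ISSUER_ID</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user.name@org.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2023-02-09T00:13:18.696Z"
          Recipient="https://vpn.org.com/+CSCOE+/saml/sp/acs?tgname=cloud_idp"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Group Policy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>Engineer-VPN</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def _parse_saml_time(ts):
    """Parse the UTC ('Z') timestamps SAML uses, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {ts!r}")


def parse_assertion(xml_text):
    """Return NameID, bearer confirmation data and attributes from an Assertion or Response."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml2']}}}Assertion" else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml2:Assertion element found")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS)
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return {
        "name_id": name_id.strip(),
        "not_on_or_after": scd.get("NotOnOrAfter") if scd is not None else None,
        "recipient": scd.get("Recipient") if scd is not None else None,
        "attributes": attributes,
    }


def check_subject_confirmation(info, expected_recipient, now_utc):
    """Return a list of problems with the bearer confirmation data (empty list means OK).

    now_utc is a SAML-style timestamp string so the check is reproducible in tests.
    """
    problems = []
    if info["recipient"] != expected_recipient:
        problems.append("recipient mismatch")
    if info["not_on_or_after"] is None:
        problems.append("missing NotOnOrAfter")
    elif _parse_saml_time(now_utc) >= _parse_saml_time(info["not_on_or_after"]):
        problems.append("assertion expired")
    return problems


def select_group_policy(attributes, policy_map, default_policy, attr_name="Group Policy"):
    """Map the first recognised attribute value to a policy; fail closed to default_policy.

    Matching is exact and case-sensitive, as a DAP attribute match would be.
    """
    for value in attributes.get(attr_name, []):
        if value in policy_map:
            return policy_map[value]
    return default_policy


def evaluate_login(xml_text, expected_recipient, now_utc, policy_map, default_policy):
    """Full flow: parse, validate confirmation data, then choose a policy (or reject)."""
    info = parse_assertion(xml_text)
    problems = check_subject_confirmation(info, expected_recipient, now_utc)
    if problems:
        return {"user": info["name_id"], "accepted": False, "problems": problems, "policy": None}
    policy = select_group_policy(info["attributes"], policy_map, default_policy)
    return {"user": info["name_id"], "accepted": True, "problems": [], "policy": policy}


if __name__ == "__main__":
    # Assumed mapping from the IdP's "Group Policy" attribute value to a local policy name.
    policies = {"Engineer-VPN": "GP-Engineers", "Contractor-VPN": "GP-Contractors"}
    acs = "https://vpn.org.com/+CSCOE+/saml/sp/acs?tgname=cloud_idp"
    print(evaluate_login(SAMPLE_ASSERTION, acs, "2023-02-09T00:10:00Z", policies, "GP-NoAccess"))
```

The two things worth noticing are that the Recipient check ties the assertion to this ASA's ACS URL (the tgname query string is part of that value), and that an assertion whose attribute value does not match any configured policy should land in a restrictive default rather than in whatever policy was evaluated first.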

@HariShankarYellapragada it looks like that feature was introduced in ASA 9.17. From the 9.17 release notes - "Support has been added for SAML assertion attributes which can be used to make DAP policy selections."  https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

The latest supported version on the ASA 5506-X is 9.16, so you'd be unable to upgrade your ASA to use that feature.

As the 5506-X is EOL, you'd be better replacing it with the newer FPR1010 hardware, which will support the latest ASA or FTD image and therefore use the SAML feature you require.

@Rob Ingram Does the Firepower 2100 series support the SAML attributes feature?
As this feature was added in ASA 9.17(1)/ASDM 7.17(1).

@HariShankarYellapragada Well, the 2100 appliances support ASA 9.17 and newer, so as long as 9.17 supports the features you want, then yes, it should work on your hardware, assuming you are using 9.17(1) or newer.