Integrating On-Prem Cisco WSA S395 with Microsoft Entra ID

Jens.Wall1 · ‎11-25-2025

Hello,

I would like to integrate our on-prem WSA S395 with Entra ID to manage admin logins both on the GUI and via CLI. Unfortunately, I can only find documentation online for the ESA, which refers to the menu item “System Administration > SAML”, but this option does not exist on the WSA.

Can anyone tell me if this is even possible or where I can find documentation for it?

jameswood32 · ‎11-25-2025

You can’t directly integrate an on-prem Cisco WSA S395 with Microsoft Entra ID for authentication because WSA doesn’t support Entra ID as a native identity provider. Instead, you typically use one of these workarounds:

Sync on-prem AD to Entra ID (via Entra Connect) and keep WSA pointed at on-prem AD/LDAP or Kerberos/NTLM for user auth.
Use Cisco ISE or another identity proxy that can consume Entra ID signals and pass group/user info to WSA.
For cloud-based identity-aware web filtering, consider Cisco Secure Web Appliance with Umbrella or move to Umbrella SIG, which integrates natively with Entra ID.

In short: No direct Entra ID auth on WSA—use AD/ISE, or move to a cloud solution that supports Entra ID.

balaji.bandi · ‎11-25-2025

what is the code running on WSA ?

check enhancement :

https://bst.cisco.com/quickview/bug/CSCwk69930

other option if you have ISE :

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance-virtual/221634-configure-swa-second-factor-authenticati.html

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help