With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to leverage Microsoft Single Sign-On for multiple ISE Portals (for example Sponsor and Guest/BYOD Portals).
At the time of this writing, ISE cannot create more than one SAML Id Provider with the same Azure tenant ID. As such, one cannot create separate Azure AD Enterprise Applications for the different use cases and map them to separate SAML Id Providers in ISE.
In addition, using separate Azure Enterprise Applications mapped to a single SAML IdP results in an error after redirection and login stating "There was a problem accessing the site. Please contact help desk for assistance".
The current workaround is to use a single Azure AD Enterprise Application for both use cases that maps to a single SAML IdP in ISE.
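Because the limitation is keyed on the Azure tenant ID rather than on the Enterprise Application, it is useful to check exported IdP metadata before importing it into ISE. The following added example (not part of this document or of Cisco ISE) parses SAML IdP metadata with the Python standard library, extracts the tenant ID from the Azure AD entityID (Azure AD issues metadata with an entityID of the form https://sts.windows.net/<tenant-id>/), and reports any metadata documents that share a tenant, which is the condition ISE 3.0 rejects. The three metadata documents and the tenant IDs in them are constructed placeholders.

```python
"""Detect Azure AD SAML IdP metadata documents that share a tenant ID.

Added example: ISE 3.0 will not create a second SAML IdP for an Azure
tenant ID that is already in use, so two Enterprise Applications from
the same tenant cannot both be imported. This script flags that case
before the import is attempted. Sample metadata below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Azure AD entityID format: https://sts.windows.net/<tenant GUID>/
TENANT_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/?$", re.IGNORECASE)


def _sample_metadata(tenant_id: str) -> str:
    """Build a minimal, constructed Azure-AD-style IdP metadata document."""
    return (
        f'<EntityDescriptor xmlns="{MD_NS}" '
        f'entityID="https://sts.windows.net/{tenant_id}/">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<SingleSignOnService '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        f'Location="https://login.microsoftonline.com/{tenant_id}/saml2"/>'
        '</IDPSSODescriptor></EntityDescriptor>'
    )


# Constructed sample: two Enterprise Applications in one tenant plus one
# application in a different tenant. The GUIDs are placeholders.
SAMPLE_METADATA: Dict[str, str] = {
    "sponsor-app": _sample_metadata("00000000-0000-0000-0000-000000000001"),
    "guest-app": _sample_metadata("00000000-0000-0000-0000-000000000001"),
    "other-tenant-app": _sample_metadata("00000000-0000-0000-0000-000000000002"),
}


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Return entityID, derived tenant ID and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("metadata root is not a SAML EntityDescriptor")
    entity_id = root.attrib["entityID"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    sso = [
        (svc.attrib["Binding"], svc.attrib["Location"])
        for svc in idp.findall("md:SingleSignOnService", NS)
    ]
    match = TENANT_RE.match(entity_id)
    tenant: Optional[str] = match.group(1).lower() if match else None
    return {"entity_id": entity_id, "tenant_id": tenant, "sso": sso}


def tenant_collisions(metadata_docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group metadata documents by tenant ID; groups larger than one collide.

    Each colliding group corresponds to a set of Enterprise Applications that
    ISE cannot map to separate SAML IdPs, so they must share one IdP entry.
    """
    by_tenant: Dict[str, List[str]] = {}
    for name, xml_text in metadata_docs.items():
        info = parse_idp_metadata(xml_text)
        tenant = info["tenant_id"] or "unknown-tenant"
        by_tenant.setdefault(tenant, []).append(name)
    return {t: names for t, names in by_tenant.items() if len(names) > 1}


if __name__ == "__main__":
    for tenant, apps in tenant_collisions(SAMPLE_METADATA).items():
        print(f"tenant {tenant}: {', '.join(apps)} share a tenant; "
              "use one Enterprise Application mapped to a single ISE SAML IdP")
```

Run against real exports by replacing SAMPLE_METADATA with the contents of the Federation Metadata XML downloaded from each Enterprise Application; any group the script reports is one that must be collapsed into a single application, as the workaround above describes.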
This document provides an example configuration for using Azure AD for SSO login on both the Sponsor and Guest/BYOD Portals.
Cisco recommends that you have knowledge of these topics:
Cisco ISE 3.0
Basic knowledge about SAML SSO deployments
The configuration described in this document is based on Sponsor and BYOD use cases and configurations described in the following documents.