SSO Agent - SAML Configuration - Cisco ASA RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Nov 13, 2018Last modified by RSA Information Design and Development Employee on Jan 25, 2019
Version 6Show Document
  • View in full screen mode

This section contains instructions on how to integrate Cisco ASA RSA Cloud Authentication Service using a SAML SSO Agent.

Architecture Diagram

RSA Cloud Authentication Service

To configure a SAML Service Provider in RSA Identity Router, you must deploy the connector for Cisco ASA in the RSA Cloud Administration Console. During configuration of the IdP you will need some information from the SP. This information includes (but is not limited to) Assertion Consumer Service URL and Service Provider Entity ID.


1. Logon to the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Cisco ASA and click +Add to add the connector.

2. Enter a Name for your application and click Next Step.

3. Configure the Initiate SAML Workflow section and then scroll down to the SAML Identity Provider (Issuer) section.

4. Configure the Identity Provider section and scroll down to the Service Provider section.

  • Identity Provider URL: The default value will work.  If you choose to change the Issuer Entity ID, make sure that the change is reflected in this URL (after ?idp_id=).
  • Issuer Entity ID: The default value will work, but you may want to change it to something more friendly since this value will be an identifier for this IdP in the Cisco ASA configuration.
  • SAML Response Signature: Upload the private key and certificate that SecurID Access will use to sign the SAML response.

5. Configure the Service Provider settings and scroll down to the User Identity section.

  • Assertion Consumer Service (ACS) URL: Enter the URL https://$base-url$/+CSCOE+/saml/sp/acs?tgname=$connection-profile$ where $base-url$ matches the Base URL specified in the Cisco ASA SAML SP configuration and $connection-profile$ matches the name of your AnyConnect or Clientless SSL VPN connection profile.
  • Audience (Service Provider Entity ID): Enter the URL https://$base-url$/saml/sp/metadata/$connection-profile$ where $base-url$ matches the Base URL specified in the Cisco ASA SAML SP configuration and $connection-profile$ matches the name of your AnyConnect or Clientless SSL VPN connection profile.

Note:  If you are unsure of these values, set place holder values so you can continue with the configuration.  When you're done with the Cisco ASA configuration, you can return to this page and fill in the correct values.

6. Configure the User Identity section and click Next Step.

7. Configure the Access Policy and click Next Step.

8. Configure the Portal Display settings and click Save and Finish.

Important! Unmark the checkbox to Display in Portal if you are enabling this connection for use with AnyConnect or if you want to prevent IdP-initiated workflows to the Clientless SSL VPN Portal.

9. Click Publish Changes.


Cisco ASA

Follow the steps in this section to integrate Cisco ASA with RSA SecurID Access as a SAML SSO Agent.


1. Create a trustpoint to associate with your RSA SAML IdP signing certificate. CA certificates and Identity Certificates are both valid for this purpose.

Example: Login to Cisco ASDM and browse to Configuration > Remote Access VPN > Certificate ManagementIdentity Certificates and click Add.

2. Add the certificate info and click Add Certificate.

3. Click Apply.

Open the SAML IdP management pane.  This can be reached inside the AnyConnect Connection Profile or inside the Clientless SSL VPN Connection Profile.  Whichever you decide, the IdP configuration can be applied to AnyConnect and/or Clientless SSL VPN.

4. Browse to ConfigurationRemote Access VPN > Clientless SSL VPN AccessConnection Profiles and then click to Edit a profile.

5. On the Basic tab, under the SAML Identity Provider heading, click Manage...

6. Click Add.

7. Configure the SSO Server settings and click OK.

  • IDP Entity ID: Enter the Issuer Entity ID from the RSA Cloud Administration Console.
  • Sign In URL: Enter the Identity Provider URL from the RSA Cloud Administration Console.
  • Base URL: Enter a URL which will be the basis for ACS URL and SP Entity ID.
  • Identity Provider Certificate: Select the trustpoint which contains the IdP signing certificate.

8. Set the SAML Server back to None and click OK.

Click Apply.

Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the SAML SSO Agent configuration to your use case.