How to integrate Cisco FMC with the SecurID Cloud Authentication Service SSO Portal
Originally Published: 2022-07-29
Article Number
000067936
Applies To
  • RSA Product set: SecurID Access
    • RSA Product/Service Type: Cloud Authentication Service
    • RSA Version/Condition: any
  • Cisco Firepower Management Center (FMC), Version 7.0.x
Issue
There is currently no SecurID Integration Guide published in the SecurID Community for integration with Cisco Firepower Management Center (FMC).
Cisco provides its own Firepower Management Center Configuration Guide, Version 7.0, with a section titled "Configure Single Sign-On with Any SAML 2.0-Compliant SSO Provider".
This KB article provides the additional information needed when following that guide to successfully configure the SecurID Cloud Authentication Service as the Identity Provider (IdP) for Cisco FMC.
 
Tasks
Prerequisite: the instructions below assume that the Cloud Authentication Service has already been configured for the SSO Portal. See Cloud Authentication Service Quick Setup Guide for IDR-Based SSO (for the IDR SSO Portal) or Cloud Authentication Service Quick Setup Guide for SAML Applications and Third-Party SSO Solutions (for the Cloud SSO Portal).

For this integration, bear in mind that the Cisco side will be the SAML Service Provider (SP) and the SecurID side will be the SAML Identity Provider (IdP) and Issuer.

Follow the Cisco Configure Single Sign-On with Any SAML 2.0-Compliant SSO Provider instructions (referred to as "the Cisco guide" below) to determine what must be configured. However, Cisco has the following two requirements in addition to what is mentioned in that guide:
  • The SAML Issuer Entity Identifier must be in URL format
  • The SAML response sent to Cisco FMC must include the RelayState parameter with the unencoded value /ui/logon
In the Cloud Administration Console, either add an IDR SAML Application if you are using the IDR SSO Portal, or add a Cloud SAML Application if you are using the Cloud SSO Portal.

When configuring the SAML application in the Cloud Administration Console:
  • Use the SAML Direct template
  • Select IDP-initiated
  • If you are creating an IDR SAML Application, set Connection URL to /ui/logon
Connection URL for IDR SSO Portal SAML Application
  • Set the Assertion Consumer Service (ACS) URL to the value specified in the Cisco guide for "Single Sign on URL, Recipient URL, Assertion Consumer Service URL"
  • Set the Audience (Service Provider Entity ID) to the value specified in the Cisco guide for "Service Provider Entity ID, Service Provider Identifier, Audience URI"
  • If you are creating a Cloud SAML Application, click to expand Show IdP Advanced Configuration
  • For the Identity Provider Entity ID, choose the Override option, and set any valid URL as the Identity Provider Entity ID. We suggest just copying the entire Identity Provider URL value and using it as the Identity Provider Entity ID (which would mean Identity Provider Entity ID and Identity Provider URL would both have the same value).
Identity Provider Entity ID and Identity Provider URL example
  • Click to expand Advanced Configuration or Show Connection Profile Advanced Configuration
  • For User Identity, the Identifier Type must be Email Address and the chosen Property must be in email address format for all users.
  • If you are creating an IDR SAML Application, in section Uncommon Formatting SAML Response Options, subsection Relay State URL Encoding, uncheck Send encoded URL in outgoing assertion and make sure all other options there are unchecked.
  • If you are creating a Cloud SAML Application, set Relay State to /ui/logon
After the SAML application is configured in the Cloud Administration Console, save and publish it. Then, Export SAML Metadata From the SAML Application, and use the exported metadata XML file to configure Cisco FMC using the "Upload XML File" option, as explained in the Cisco guide.
 
Resolution
After this is configured, the Portal URL (from the Portal Display tab of the SAML Application in the Cloud Administration Console) can be used to access Cisco FMC.
Notes
  • The SAML Response Signature certificate (IDR SSO) or SAML Response Protection certificate (Cloud SSO) in the SAML Application in the Cloud Administration Console is what the Cisco guide refers to as just "X.509 Certificate".
  • If RelayState is not configured but everything else is configured correctly, a successful authentication will result in Cisco FMC displaying the error 404 Page not found.
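The following is an added example, not code from this KB article, RSA or Cisco: a pre-flight check of the IdP-initiated POST that Cisco FMC would receive, testing the requirements listed above (unencoded RelayState of /ui/logon, Issuer entity ID in URL format, NameID in email address format, Audience equal to the SP entity ID). The form field names, the unsigned XML builder, and every URL and address are constructed assumptions; a real response from the Cloud Authentication Service is signed and carries more elements.

```python
# Added example: check an IdP-initiated SAML POST against the Cisco FMC
# requirements in this article. XML, URLs and addresses are constructed.
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def saml_response_b64(issuer, name_id, name_id_format, audience):
    """Build a constructed, unsigned SAMLResponse value for the checks below."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        '<saml:Issuer>%s</saml:Issuer><saml:Assertion>'
        '<saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s'
        '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], issuer, name_id_format, name_id, audience)
    return base64.b64encode(xml.encode()).decode()

def check_fmc_post(form, sp_entity_id):
    """Return the list of FMC requirements the POST form body violates."""
    problems = []
    # RelayState must be present and must be the *unencoded* /ui/logon;
    # a missing or URL-encoded value leads to the 404 described in the Notes.
    if form.get("RelayState") != "/ui/logon":
        problems.append("RelayState must be the unencoded value /ui/logon")
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    # Issuer entity ID must be in URL format (scheme and host present).
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    parsed = urlparse(issuer)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("Issuer entity ID is not a URL: %r" % issuer)
    # User identity must be an email address, declared with the email format.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not emailAddress")
    elif not EMAIL_RE.match(name_id.text or ""):
        problems.append("NameID is not an email address: %r" % name_id.text)
    # Audience must equal the SP entity ID taken from the Cisco guide.
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    if audience != sp_entity_id:
        problems.append("Audience %r != SP entity ID %r" % (audience, sp_entity_id))
    return problems
```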