SSOAgent - SAMLConfiguration - Cisco ASA RSA Ready SecurID Access Implementation Guide
Originally Published: 2018-11-13

This section contains instructions on how to integrate Cisco ASA with RSA Cloud Authentication Service using a SAML SSO Agent.

Architecture Diagram

[Figure: architecture diagram of the SSO SAML integration (arch-diag-sso-saml), not reproduced here]

RSA Cloud Authentication Service

To configure a SAML Service Provider in RSA Identity Router, you must deploy the connector for Cisco ASA in the RSA Cloud Administration Console. During configuration of the IdP you will need some information from the SP. This information includes (but is not limited to) the Assertion Consumer Service URL and the Service Provider Entity ID.

Procedure

1. Log on to the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Cisco ASA and click +Add to add the connector.

2. Enter a Name for your application and click Next Step.

3. Configure the Initiate SAML Workflow section and then scroll down to the SAML Identity Provider (Issuer) section.

4. Configure the Identity Provider section and scroll down to the Service Provider section.

  • Identity Provider URL: The default value will work. If you choose to change the Issuer Entity ID, make sure that the change is reflected in this URL (after ?idp_id=).
  • Issuer Entity ID: The default value will work, but you may want to change it to something more friendly since this value will be an identifier for this IdP in the Cisco ASA configuration.
  • SAML Response Signature: Upload the private key and certificate that SecurID Access will use to sign the SAML response.

5. Configure the Service Provider settings and scroll down to the User Identity section.

  • Assertion Consumer Service (ACS) URL: Enter the URL https://$base-url$/+CSCOE+/saml/sp/acs?tgname=$connection-profile$ where $base-url$ matches the Base URL specified in the Cisco ASA SAML SP configuration and $connection-profile$ matches the name of your AnyConnect or Clientless SSL VPN connection profile.
  • Audience (Service Provider Entity ID): Enter the URL https://$base-url$/saml/sp/metadata/$connection-profile$ where $base-url$ matches the Base URL specified in the Cisco ASA SAML SP configuration and $connection-profile$ matches the name of your AnyConnect or Clientless SSL VPN connection profile.

Note: If you are unsure of these values, set placeholder values so you can continue with the configuration. When you're done with the Cisco ASA configuration, you can return to this page and fill in the correct values.

6. Configure the User Identity section and click Next Step.

7. Configure the Access Policy and click Next Step.

8. Configure the Portal Display settings and click Save and Finish.

Important! Clear the Display in Portal checkbox if you are enabling this connection for use with AnyConnect, or if you want to prevent IdP-initiated workflows to the Clientless SSL VPN Portal.

9. Click Publish Changes.

Cisco ASA

Follow the steps in this section to integrate Cisco ASA with RSA SecurID Access as a SAML SSO Agent.

Procedure

1. Create a trustpoint to associate with your RSA SAML IdP signing certificate. CA certificates and Identity Certificates are both valid for this purpose.

Example: Log in to Cisco ASDM and browse to Configuration > Remote Access VPN > Certificate Management > Identity Certificates and click Add.

2. Add the certificate info and click Add Certificate.

3. Click Apply.

Open the SAML IdP management pane. It can be reached from either the AnyConnect Connection Profile or the Clientless SSL VPN Connection Profile. Whichever you choose, the resulting IdP configuration can be applied to AnyConnect and/or Clientless SSL VPN.

4. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and then click to Edit a profile.

5. On the Basic tab, under the SAML Identity Provider heading, click Manage...

6. Click Add.

7. Configure the SSO Server settings and click OK.

  • IDP Entity ID: Enter the Issuer Entity ID from the RSA Cloud Administration Console.
  • Sign In URL: Enter the Identity Provider URL from the RSA Cloud Administration Console.
  • Base URL: Enter the URL that forms the base of the ACS URL and SP Entity ID; this is the $base-url$ value used in the RSA connector's Service Provider section.
  • Identity Provider Certificate: Select the trustpoint which contains the IdP signing certificate.
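The ACS URL and Audience are derived from the ASA Base URL and connection-profile name, the Identity Provider URL must carry the Issuer Entity ID after ?idp_id=, and the ASA SSO Server settings must mirror the RSA IdP values. The following added example (not from RSA or Cisco) derives the two SP URLs and checks all of those relationships in one pass, so a mismatch or a leftover placeholder is caught before the connection profile is tested. The hostnames, profile name and dictionary keys are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

def sp_urls(base_url, connection_profile):
    """Derive the ACS URL and Audience (SP Entity ID) the RSA connector
    expects from the ASA Base URL and the AnyConnect / Clientless profile."""
    base = base_url.rstrip("/")
    return {
        "acs_url": f"{base}/+CSCOE+/saml/sp/acs?tgname={connection_profile}",
        "sp_entity_id": f"{base}/saml/sp/metadata/{connection_profile}",
    }

def check_consistency(idp, sp, asa):
    """Return mismatches between the connector's IdP section, its SP section
    and the ASA SSO Server settings. Dict keys are this example's own names."""
    problems = []
    # Placeholder values left over from the "fill in later" shortcut.
    for name, value in {**idp, **sp, **asa}.items():
        if "$" in value:
            problems.append(f"{name} still contains a placeholder: {value}")
    # The Identity Provider URL must carry the Issuer Entity ID in ?idp_id=.
    query = parse_qs(urlsplit(idp["identity_provider_url"]).query)
    if query.get("idp_id", [""])[0] != idp["issuer_entity_id"]:
        problems.append("Identity Provider URL idp_id does not match Issuer Entity ID")
    # ASA SSO Server settings must mirror the RSA IdP section exactly.
    if asa["idp_entity_id"] != idp["issuer_entity_id"]:
        problems.append("ASA IDP Entity ID differs from RSA Issuer Entity ID")
    if asa["sign_in_url"] != idp["identity_provider_url"]:
        problems.append("ASA Sign In URL differs from RSA Identity Provider URL")
    # The connector's SP section must match what the ASA derives from Base URL + profile.
    expected = sp_urls(asa["base_url"], asa["connection_profile"])
    if sp["acs_url"] != expected["acs_url"]:
        problems.append("ACS URL does not match the ASA Base URL / connection profile")
    if sp["sp_entity_id"] != expected["sp_entity_id"]:
        problems.append("Audience (SP Entity ID) does not match the ASA Base URL / connection profile")
    return problems

# Constructed sample values; the IdP host and path are not RSA's real defaults.
IDP = {"issuer_entity_id": "rsa-cloud-idp",
       "identity_provider_url": "https://idr.example.com/saml/idp?idp_id=rsa-cloud-idp"}
ASA = {"idp_entity_id": "rsa-cloud-idp",
       "sign_in_url": "https://idr.example.com/saml/idp?idp_id=rsa-cloud-idp",
       "base_url": "https://vpn.example.com",
       "connection_profile": "AnyConnectSAML"}
SP = sp_urls(ASA["base_url"], ASA["connection_profile"])

if __name__ == "__main__":
    print(check_consistency(IDP, SP, ASA))  # [] when everything lines up
```

Run it again with the Issuer Entity ID renamed on only one side to see every dependent value that then has to be updated.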

8. Set the SAML Server back to None and click OK.

Click Apply.

Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the SAML SSO Agent configuration to your use case.