Cisco ISE 3.2 - SAML My Page SSO Configuration - RSA Ready Implementation Guide
This section describes how to integrate Cisco ISE with RSA Cloud Authentication Service using My Page SSO.
1. In the Cloud Administration Console, go to Access > My Page > Single Sign-On (SSO) and enable the SSO portal settings.
2. Enable two-factor authentication by using a Password and an Access Policy.
3. In the Cloud Administration Console, click Applications > Application Catalog, search for Cisco ISE, and click Add.
4. In the Basic Information section, choose Cloud.
5. Under the Initiate SAML Workflow section, select the SP-initiated option. Import the metadata collected from the Cisco ISE Admin GUI, then copy the ACS URL into the Connection URL field.
6. In the Message Protection section, leave the SP signs SAML requests check box cleared. Signed requests are not compatible with this integration because Cisco ISE does not send the Destination attribute in its SAML request.
7. In the SAML Response Protection section, choose whether to sign only the SAML assertion or the whole SAML response. You can also override the default signing certificate and use your own.
8. Choose Encrypt Assertion if needed. Note: you can use the same certificate used for signing in Step 7.
9. In the User Identity section, set the NameID Identifier Type to emailAddress and the Property to mail or UPN. To return the user's group memberships to Cisco ISE, map an attribute in the Statement Attributes section to the virtualGroups property.
10. Click Next Step.
11. Choose the Access Policy you want to apply to this application.
12. Click Publish Changes.
13. In the Portal Display section, leave the Display in Portal check box cleared, because Cisco ISE does not support IdP-initiated SAML SSO.
14. Click Next Step > Save and Finish, then select Publish Changes.
15. Browse to Applications > My Applications, search for the Cisco ISE application, expand its options, and click Export Metadata.
16. Open the metadata file in a text editor, copy the entityID URL, and use it to replace the SingleSignOnService Location URL for both the HTTP-Redirect and HTTP-POST bindings. Note: all three URLs (the entityID and the two SingleSignOnService Locations) must be identical.
17. Sign in to the Cisco ISE Admin GUI, go to Administration > System > Certificates > Trusted Certificates, and click Import. Import the CA certificate(s) that issued the SAML signing certificate used in Step 7.
18. Set the certificate Usage as shown in the image.
19. Go to System Certificates and import the certificate and private key from Step 7, select SAML as the usage, and click Submit. This key pair is what lets ISE validate the signed SAML response and decrypt the encrypted assertion sent by RSA.
20. Go to Administration > Identity Management > SAML Id Providers, choose your SAML Cloud SSO application, and open Identity Provider Config. Import the metadata file edited in Step 16.
21. In the Groups section, set the Groups value to the attribute configured in Step 9, and assign RBAC according to your needs.
22. You can add more attributes if needed, but RSA must return them as configured in Step 9.
23. In the Advanced Settings section, choose the Identity Attribute you need. For multi-value attributes, select "Each value in a separate XML element". Note: you can require that the whole SAML response or only the assertion be signed, and you can also accept only encrypted assertions; these settings must match what was chosen for the application in Steps 7 and 8.
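The metadata edit that this guide asks for by hand (replacing both SingleSignOnService Location URLs with the entityID value and confirming that all three URLs match before importing the file into ISE) is easy to get wrong in a text editor. The following script is an added example, not part of the RSA guide or of either product: it rewrites the two Locations from the entityID and provides a check that fails if any of the three URLs differ. The embedded metadata is a constructed sample with placeholder hostnames and paths, not a real RSA export, and the function names are this example's own.

```python
"""Rewrite RSA-exported IdP metadata so both SingleSignOnService Location
URLs equal the entityID, then verify the three URLs match before the file
is imported into Cisco ISE. Added example; standard library only."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REQUIRED_BINDINGS = (BINDING_REDIRECT, BINDING_POST)

# Keep the conventional "md:" / "ds:" prefixes when re-serialising instead of
# the "ns0:" names ElementTree would otherwise generate.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample resembling the shape of an exported IdP metadata file.
# Hostnames and paths are placeholders (assumption), not real RSA endpoints.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/saml/entity-placeholder">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/redirect-placeholder"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml/post-placeholder"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _sso_services(root):
    """Map Binding URI -> SingleSignOnService element for every SSO endpoint."""
    tag = f"{{{MD_NS}}}SingleSignOnService"
    return {el.get("Binding"): el for el in root.iter(tag)}


def sso_urls(metadata_xml: str) -> dict:
    """Return the three URLs the guide says must be identical: the entityID
    and the HTTP-Redirect and HTTP-POST SingleSignOnService Locations."""
    root = ET.fromstring(metadata_xml)
    services = _sso_services(root)
    missing = [b for b in REQUIRED_BINDINGS if b not in services]
    if missing:
        raise ValueError(f"metadata lacks SingleSignOnService for: {missing}")
    return {
        "entityID": root.get("entityID"),
        "HTTP-Redirect": services[BINDING_REDIRECT].get("Location"),
        "HTTP-POST": services[BINDING_POST].get("Location"),
    }


def urls_match(metadata_xml: str) -> bool:
    """The import-time check: True only when all three URLs are the same."""
    return len(set(sso_urls(metadata_xml).values())) == 1


def rewrite_sso_locations(metadata_xml: str) -> str:
    """Return the metadata with both SSO Locations replaced by the entityID.
    Raises ValueError if the entityID or either binding is missing."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    services = _sso_services(root)
    for binding in REQUIRED_BINDINGS:
        if binding not in services:
            raise ValueError(f"no SingleSignOnService with Binding {binding}")
        services[binding].set("Location", entity_id)
    # Re-serialising invalidates any ds:Signature over the metadata itself;
    # the guide has you import the hand-edited file into ISE, so that is expected.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    fixed = rewrite_sso_locations(SAMPLE_METADATA)
    print("before edit, URLs match:", urls_match(SAMPLE_METADATA))
    print("after edit, URLs match: ", urls_match(fixed))
    print(fixed)
```

Run `rewrite_sso_locations` on the exported file's contents and write the result to the file you import in the Identity Provider Config step; `urls_match` on that result is the check the guide's note asks for, and it also catches the case where RSA exported only one of the two bindings.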