Does anyone have any documentation on SAML integration with Cisco ASA ssl VPN? Or would using forms be a better approach?
This is an interesting question. What I have found so far seems to indicate that Cisco ASA SSL VPNs support SAML 1.1, but in a different workflow from what we typically see with most web-based applications. It seems like their flow has the user first authenticate to the Cisco ASA, and then they would help get the user logged into an SSO system using SAML 1.1 (that is, the Cisco ASA would act as the IdP). Here's a link to the related documentation that describes this configuration: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Clientless SSL VPN [Cisco ASA 5500-X …
If the ASA supported SAML 2.0, then it would be pretty safe to say that we would be able to federate with it (acting as an external SAML IdP) to an RSA Via Access Identity Router (acting as a SAML SP). We don't currently have a configuration option for external SAML 1.1 Identity Providers, though, as they're really not very common these days.
I haven't yet found any information about configuring an ASA to use a SAML Identity Provider to offload the user's SSL VPN authentication (like to allow RSA Via Access to provide strong authentication for users logging into the Cisco ASA SSL VPN). If SAML isn't an option, we may be able to connect to it with our HFED Discovery tool, or it may require additional integration. I suspect this could be a more complex one, with the potential of requiring multiple web server definitions, etc. If you have a test account, I'd suggest giving the HFED Discovery approach a try, and let us know how it works.
Hi, Joe --
HFED is an interesting option. I feel that it is worth trying. If it works, you get a configurable, out-of-the-box solution.
Another angle: there is an interface in the ASA that allows it to authenticate to a servlet (or equivalent). In this, the "password" would be an encrypted, time-sensitive token, generated via a program that renders a "form" that would post to the ASA. The ASA would post to the "servlet." The servlet would decrypt it and validate the identity and a time stamp. It is otherwise a forms-like integration. It is theoretically possible to exploit this interface as well, but it would require development. The advantage is that it is an integration without a replay of a password. It would also provide the nice authentication capabilities of Via-Access to the Cisco ASA. It is possible, but it would require someone to build it.
(When I did this a few years ago, the ASA did not have SAML support for a role where it acts as a service provider, I am not sure if Cisco ever got around to adding that.)
Looks like SAML 2.0 support was added in 9.5(2): http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/intro-intro.html#ID-2172-00000128
That's great to hear! In that case, I believe we should be able to integrate with this using our SAML template.