SecurID® Integrations

Cisco ISE 3.2 - SAML IDR SSO Configuration - RSA Ready Implementation Guide

This section describes how to integrate Cisco ISE with RSA Cloud Authentication Service using IDR SSO.


  1. In Cloud Administration Console, click Applications > Application Catalog and search for Cisco ISE Portal and click Add.
  2. Choose Identity Router in the Basic Information section.
  3. Under the Initiate SAML Workflow section, select SP-initiated option. Import the Metadata that was collected in the Cisco ISE Admin GUI and copy and paste the ACS URL into the Connection URL.
    Note: Do not choose SAML Request Signing. Choose the Binding Method as Redirect if you are using Guest or My Devices Portal, and POST if you are integrating Cisco ISE Admin.
  4. In the Identity Provider section, you can either override and paste the whole URL as shown below or leave the identity string.
  5. In the SAML Response Signature section, you can override the default certificate for signing with your own certificate and private key.
  6. In the User Identity section, select the NameID Identifier Type as emailAddress and Property as mail or UPN. You can optionally return the groups that the user is part of on Cisco ISE by mapping attribute value to the virtualGroups property in the Statement Attributes section.
  7. Click Next Step.
  8. In the Advanced Configuration section, you can sign the whole SAML Response or only the assertion. You can also encrypt the assertion if needed.
  9. In the Relay State URL Encoding section, configure the section as shown in the image.
  10. Click Next Step.
  11. In the User Access section, choose your policy as per your implementation and click Next Step.
  12. In the Portal Display section, do not select the Display in Portal check box since the Cisco ISE does not support IdP initiated SAML SSO.
  13. Click Next Step > Save and Finish and select Publish Changes.
  14. Browse to Applications > My Applications, search for the Cisco ISE application, expand options, and click Export Metadata.
  15. Sign into Cisco ISE Admin GUI > Administration > System > Certificates > Trusted Certificates and click Import. You should import the CA certificate(s) that correspond to the Certificate for SAML used in Step 5.
  16. Ensure to mark the Usage as shown in the image.
  17. Go to System Certificates and import the Certificate and Private key from Step 5. This helps you validate the SAML Response Signature and/or the Encrypted Assertion from RSA. Select SAML and click Submit.
  18. Go to Administration > Identity Management > SAML Id Providers > Choose your SAML Cloud SSO Application > Identity Provider Config. Import the edited Metadata file from Step 14.
  19. Click Save.
  20. Go to the Groups section and set the Groups value as in Step 6. Assign the RBAC based on your you need.
  21. In the SAML Identity Provider section, you can add more attributes if needed but RSA must return them as in Step 6.
  22. In the Advanced Settings section, choose the Identity Attribute you need. For the Multi-value attributes, select “Each value in a separate XML element”.
    Note: You can sign the whole SAML response or only the assertion. You can also accept only Encrypted Assertions.
  23. Click Save.

Configuration is complete.

Return to the main page.

Labels (1)
No ratings
Version history
Last update:
‎2023-04-12 03:30 AM
Updated by:
Article Dashboard