Cisco ISE multiple portals login via Azure AD SAML

sroic
Level 1

Hi,

Is it possible to use Azure AD SAML integration for both sponsor and admin portal on the same ISE deployment (3.2, small HA)?

I managed to set up sponsor portal via AAD SSO and it works great. Then I wanted to use the same feature for admin users but I can't get it to work. It seems they send different attributes/ config not the same. ISE doesn't allow setting up multiple SAML connections to the same AAD tenant so I tried getting it to work on the SAML config which worked for sponsor with some chemistry. I added both entityIDs and replyURLs under the same enterprise application in Azure and while it still works for sponsor it fails for admin login.

I used these guides:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216129-configure-ise-3-0-sponsor-portal-with-az.html#anc24
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217342-configure-ise-3-1-ise-gui-admin-login-fl.html#toc-hId--721937854

Has anyone done this before and has some tips, or at least feedback that it's not possible?

Thank you!

1 Accepted Solution


8 Replies

Greg Gibbs
Cisco Employee

Hi @sroic,

I tested this in my lab and found that I could use the same Enterprise App in Azure for both the Sponsor Portal and Admin GUI. After configuring and verifying the Sponsor Portal against my Azure SAML IdP, I used the following steps to configure the Admin GUI to use the same SAML IdP.

  1. Configure Admin Access to use SAML IdP
  2. Export updated SP info from ISE
  3. Open the updated zip file and open new XML file for ISE Portal
  4. Copy the EntityID and AssertionConsumerService Location from the XML file
  5. Update the AzureAD Enterprise App SAML configuration to add new Entity ID and Reply URL (AssertionConsumerService Location)
  6. Download Federation Metadata XML from Azure
  7. Upload Federation Metadata XML file to ISE
  8. Add new Group assertion to ISE SAML IdP config and map to 'Super Admin' RBAC group

For the last step, I did not have a drop-down list to select the RBAC group so I simply typed in the Super Admin string.

The following are example screenshots from my ISE SAML IdP configuration (Groups, Attributes, Advanced Settings):

[Screenshots: ISE SAML groups.png, ISE SAML attributes.png, ISE SAML advanced.png]

If you are still having trouble, you might want to download the SAML Tracer extension for Firefox to examine the SAML communications on the browser.
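To take the hand-copying out of steps 3 to 5 above, here is an added example (not from this thread or from Cisco) that parses an SP metadata XML in the shape ISE exports and lists which AssertionConsumerService Locations are still missing from the Enterprise App's Reply URL list; the metadata sample, node names and entityID are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace used by the SP metadata ISE exports
MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample in the shape of an SP metadata export for a two-node
# deployment; the entityID and node names are placeholders, not a real export.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://CiscoISE/11111111-2222-3333-4444-555555555555">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise-pan1.example.com:8443/portal/SSOLoginResponse.action"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise-pan2.example.com:8443/portal/SSOLoginResponse.action"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the entityID and every AssertionConsumerService Location."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if entity_id is None:
        raise ValueError("metadata root carries no entityID attribute")
    acs = [
        svc.get("Location")
        for svc in root.findall(".//md:AssertionConsumerService", MD)
        if svc.get("Location")
    ]
    return {"entityID": entity_id, "acs": acs}


def missing_reply_urls(sp_info, registered_reply_urls):
    """ACS locations not yet present in the Enterprise App's Reply URL list."""
    registered = {u.rstrip("/") for u in registered_reply_urls}
    return [u for u in sp_info["acs"] if u.rstrip("/") not in registered]


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Entity ID to add:", info["entityID"])
    # Pretend only the first node's ACS was registered when the Sponsor Portal was set up
    for url in missing_reply_urls(info, [info["acs"][0]]):
        print("Reply URL to add:", url)
```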


@Greg Gibbs wrote:


Your screenshots here helped me get SSO working... The documentation from Cisco about this is just awful, and that includes the readme file.

As soon as I changed my attributes to match yours, SSO worked.

thanks!

sroic
Level 1

Hi @Greg Gibbs, thanks for the fast and extensive reply.

I tried configuring it like you said and I'm getting closer, but I'm still getting access denied. I will troubleshoot a bit more; I downloaded that extension but haven't figured out yet from the log where it is failing.
Also, I saw in your screenshots that you configured something under the Attributes and Advanced Settings tabs. I didn't see that in the guides, but I mirrored yours. You used the /name claim, which should reference the UPN in AD. Please let me know if there is something else that needs to be configured there.

Are you getting a specific error for access denied? Is it an error from the ISE GUI, or from Azure?
If it's an Azure error, it should give a hint about where the problem lies (like the group used for ISE admin is not added to your Enterprise App).

sroic
Level 1

Hi, let me give you an update here. After some troubleshooting I managed to find the error in the debug logs. It seems the issue isn't in the group membership, as I initially thought, but in the secure session validation:

2023-08-11 08:58:41,484 ERROR  [admin-http-pool33][[]] common.rest.client.utility.GenericHTTPMethods -::::- GenericHTTPMethods: Falied to send http POST request javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.99.100.7 found
2023-08-11 08:58:41,484 ERROR  [admin-http-pool33][[]] cpm.admin.infra.action.LoginAction -::::- LoginAction:: Error getting while validating portal session: 
com.cisco.mnt.common.rest.exception.MnTRESTException: Falied to send http POST request 
...
2023-08-11 08:58:41,488 INFO   [admin-http-pool33][[]] cpm.admin.infra.action.LoginAction -::::- Login action:: Portal session id validation failed, hence SAML Administrator authentication failed
2023-08-11 08:58:41,489 INFO   [admin-http-pool33][[]] cpm.admin.infra.action.LoginActionResultHandler -::::- Redirected to: /admin/login.jsp?mid=access_denied
2023-08-11 08:58:41,489 INFO   [admin-http-pool33][[]] cpm.admin.infra.spring.ISEAdminControllerUtils -::::- Empty or null forwardStr for: https://10.99.100.7/admin/LoginAction.do
2023-08-11 08:58:42,736 INFO   [admin-http-pool33][[]] cpm.admin.infra.spring.ISEAdminControllerUtils -::::- mapping path found in action-forwards, forwarding to: /pages/extIDSrcJsonResponse.jsp
2023-08-11 08:58:42,742 INFO   [admin-http-pool39][[]] cpm.admin.infra.action.AdminAuthenticationAction -::::- In AdminAuthenticationAction.loadIdentityStores method called
2023-08-11 08:58:42,742 INFO   [admin-http-pool39][[]] cpm.admin.infra.spring.ISEAdminControllerUtils -::::- mapping path found in action-forwards, forwarding to: /pages/extIDSrcJsonResponse.jsp

I was connecting to ISE by IP address and, considering the auth is done between the browser and AAD, it was using that IP for validation (at least that's what I understood). I tried to connect via FQDN, and as soon as I try to log in with SAML I get an insecure connection error from Firefox, which points out it's serving the wrong cert.

This issue must be inherited from the previous state of our ISE, which was acting very buggy and serving wrong certs for the sponsor/guest/admin portals; we had several TAC cases open and managed to somehow get them all right, but this one was stuck on the old cert.

After some fiddling I managed to sort it out and it started working.

Also, one thing to add: I had multiple groups attached to the enterprise app in Azure and was referencing them in the ISE "Name in Assertion" as planned. But I noticed that even if I remove the group I'm referencing there from the assigned groups in AAD, the auth still works. In the SSO AAD config I have it like in the guide, with an added claim for groups and security groups chosen to be returned in the claim. Also, I saw in the debug logs that for my user all the groups where I'm a member are sent to ISE in the SAML response, so I would say adding the group on the AAD side isn't needed at all if your assertion matches the group your user is in.
Anyway, thanks again for the help, the issue is solved.
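The SSLHandshakeException in the log above is the Java subject-alternative-name check failing for an IP literal. As an added example (not from this thread or from Cisco), here is that check reimplemented over a constructed SAN list, showing why the same node passes when addressed by FQDN and fails when addressed by IP; the certificate names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list standing in for the admin certificate on an ISE node;
# the names are placeholders. Note there is no iPAddress entry.
ISE_ADMIN_CERT_SAN = [("DNS", "ise-pan1.example.com"), ("DNS", "*.example.com")]


def _dns_match(pattern, host):
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def san_covers_host(san_entries, host):
    """True if the host used in the URL is covered by a DNS or IP SAN entry."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN; dNSName entries never count.
        return any(kind == "IP" and ipaddress.ip_address(val) == ip
                   for kind, val in san_entries)
    return any(kind == "DNS" and _dns_match(val, host) for kind, val in san_entries)


def check_url_against_san(url, san_entries):
    """Return (ok, message) in the style of the JSSE error seen in the ISE log."""
    host = urlsplit(url).hostname or ""
    if san_covers_host(san_entries, host):
        return True, f"{host} matches a subject alternative name"
    try:
        ipaddress.ip_address(host)
        kind = "IP address"
    except ValueError:
        kind = "host name"
    return False, f"No subject alternative names matching {kind} {host} found"


if __name__ == "__main__":
    for url in ("https://10.99.100.7/admin/LoginAction.do",
                "https://ise-pan1.example.com/admin/LoginAction.do"):
        print(url, "->", check_url_against_san(url, ISE_ADMIN_CERT_SAN)[1])
```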

Hello there,

I did try to implement your solution but without any luck. 

If I understood it correctly, you are using 1 app to provide access to both the sponsor portal and the admin login. How do you set different user groups for both permissions? How does ISE know in your case not to use the Super Admin group for the sponsor portal? I'm trying to use the same SAML connection for 2 portals & the admin access, but so far I have only managed to get it working on my sponsor portal.

Is there any other documentation available that I may have overlooked?

See another example here of how to configure the App Registration in Entra ID when using multiple portals:
Azure AD SSO with multiple ISE Portals 

In Entra ID, the different admin users would need to be members of unique groups. Those groups would be configured in ISE to match the group ID (Name in Assertion) to a group name defined in ISE. That group name in ISE would then be mapped to the appropriate Sponsor Group, Admin Group, etc.
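To illustrate the mapping Greg describes, here is an added example (not from this thread or from Cisco) that pulls the name and groups claims out of a constructed Entra assertion and resolves them through an assumed ISE group map into separate admin RBAC and sponsor group results; the tenant, user, group object IDs and ISE group names are placeholders.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed assertion fragment: tenant, user and group object IDs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2023-08-11T08:58:41Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000002</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000003</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed ISE side: "Name in Assertion" (Entra group object ID) -> ISE group name,
# then the admin access and sponsor portal configs each map ISE group names to roles.
ISE_GROUPS = {"aaaaaaaa-0000-0000-0000-000000000001": "ISE-Admins",
              "aaaaaaaa-0000-0000-0000-000000000002": "ISE-Sponsors"}
ADMIN_RBAC = {"ISE-Admins": "Super Admin"}        # admin access mapping
SPONSOR_GROUPS = {"ISE-Sponsors": "ALL_ACCOUNTS"}  # sponsor portal mapping


def extract_claims(xml_text):
    """Map each attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML)]
    return claims


def resolve_roles(claims):
    """Translate the groups claim into the roles each ISE consumer would grant."""
    # Group IDs with no ISE group configured (the third one here) are simply ignored.
    ise_groups = {ISE_GROUPS[g] for g in claims.get(GROUPS_CLAIM, []) if g in ISE_GROUPS}
    return {
        "user": (claims.get(NAME_CLAIM) or [None])[0],
        "admin_rbac": sorted(ADMIN_RBAC[g] for g in ise_groups if g in ADMIN_RBAC),
        "sponsor_groups": sorted(SPONSOR_GROUPS[g] for g in ise_groups if g in SPONSOR_GROUPS),
    }


if __name__ == "__main__":
    print(resolve_roles(extract_claims(SAMPLE_ASSERTION)))
```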

I will have a look into this, thanks a lot for your help Greg!