Configure ISE 2.1 Sponsor Portal with PingFederate SAML SSO

This document describes how to configure a PingFederate SAML server with Cisco Identity Services Engine(ISE) 2.1 to provide Single Sign On(SSO) capabilities to Sponsor users.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Cisco Identity Services Engine guest services.
Basic knowledge about SAML SSO deployments.

Components Used

The information in this document is based on these software and hardware versions:

Cisco Identity Services Engine version 2.1
PingFederate 8.1.3.0 server from Ping Identity.
Windows Server 2012 R2 with Active Directory Services.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any commands.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions

Flow Overview

The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains.

SAML specification defines three roles: the Principal (Sponsor user), the Identity Provider (IdP) (Ping Federate server), and the Service Provider (SP) (ISE). In a typical SAML SSO flow, the SP requests and obtains an identity assertion from the IdP. Based on this result, ISE can perform policy decisions as the IdP can include configurable attributes that ISE can use during policy decisions. Once the initial authentication occurs, the user should not be prompted for credentials again to access the service as long as the assertion session is still active on the IdP.

This is the expected flow for this use case:

The user attempts to Login to the Sponsor Portal by launching the configured Sponsor Portal's custom fully qualified domain name (FQDN).
ISE verifies if there is an active assertion associated to this client’s browser session by issuing a quick redirect to the IdP. If there are no active sessions, the IdP will enforce the user login.
The IdP authenticates the User via LDAP and passes memberOf and email attributes to ISE(SP).
ISE processes the IdP XML response and based on memberOf attribute and on the sponsor groups configuration the user will be permitted or rejected (Group Membership condition check to match a configured Sponsor Group).
Session time to live will vary on each solution. In this use case, Ping Federate will be configured with a Session Timeout of 60 mins (if there are no SSO login requests from ISE in 60 mins after the initial authentication, the session is deleted) and a Session Max Timeout of 480 mins (Even if the IdP has been receiving constant SSO login requests from ISE for this user the session will expire in 8 hours). Once the session times out, a new user authentication is enforced by the IdP.
While the session is still active, the sponsor user should be able to close the browser and comeback to the portal without entering credentials.

Configure

The following section will discuss the configuration steps to integrate ISE with Ping Federate and how to enable browser SSO for the Sponsor Portal.

Note:Although various options and possibilities exist when you authenticate sponsor users, not all combinations are described in this document. However, this example provides you with the information necessary to understand how to modify the example to the precise configuration you want to achieve.

Step 1. Prepare ISE to use an external SAML Identity Provider

On Cisco ISE, navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers.
Click Add
Under the General Tab, enter an Id Provider name and click Save. The rest of the configuration in this section will depend on metadata that needs to be imported from the IdP.

Step 2. Configure the Sponsor Portal to use an External Identity Provider

Navigate to Work Centers > Guest Access > Configure > Sponsor Portals
Click on Sponsor Portal (default) or create a new portal.
Under Portal Settings enter a custom fully qualified domain name (FQDN) linked to this Sponsor Portal.
Select from Identity Source Sequence the External SAML IdP previously defined.

5. Verify that the flow diagram represents the following and click Save:

Step 3. Configure PingFederate as an IdP to handle ISE Authentication Requests

Navigate to ISE Administration > Identity Management > External Identity Sources > SAML Id Providers > PingFederate
Click Service Provider Info tab and click Export

3. Save and extract the zip file generated. The XML file contained here will be used while creating the profile in PingFederate.

4. Open PingFederate admin portal (typically https://ip:9999/pingfederate/app ).

5. Under IDP Configuration tab > SP Connections section select Create New.

6. Under Connection Type click Next

7. Under Connection Options click Next

8. Under Import Metadata, select File, Chose file and select the XML file previously exported from ISE.

9. Under Metadata Summary, click on Next.

10. On General Information Page, under Connection Name enter a name ( ie. ISEsponsorPortal) and click Next.

11. Under Browser SSO click Configure Browser SSO and under SAML Profiles check these options and click Next:

12. On Assertion Lifetime click Next

13. On Assertion Creation click Configure Assertion Creation

14. Under Identity Mapping select Standard and click Next

15. On Attribute Contract > Extend the Contract enter the attributes mail and memberOf and click add. Then click Next.

Note:This is a critical step as ISE relies on these attributes for the correct sponsor group mapping and also email is necessary for correct notification functions.

16. Under Authentication Source Mapping click Map New Adapter Instance.

17. On Adapter Instance select HTML Form Adapter. Click Next.

18. Under Mapping Method select the second option and click Next

19. On Attribute Sources & User Lookup click Add Attribute Source box.

20. Under Data Store enter a description, then select from Active Data Store your LDAP connection instance and define what type of Directory Service this is. If there are no Data Stores configured yet click on Manage Data Stores to add the new instance.

21. Under LDAP Directory Search define the Base DN for LDAP user Lookup in the domain and click Next.

Note:This is important as it will define the base DN during the LDAP user lookup. Incorrectly defined Base DN will result in an error "Object Not found in LDAP schema".

22. Under LDAP Filter add the string sAMAccountName=${username} and click Next.

23. Under Attribute Contract Fulfillment select these options and click Next

24. Verify the configuration at the Summary section and click Done.

25. Back in Attribute Sources & User lookup click Next.

26. Under Failsafe Attribute Source click Next.

27. Under Attribute Contract Fulfillment select these options and click Next:

27. Verify the configuration in Summary section and click Done.

28. Back on Authentication Source Mapping click Next.

29. Once configuration has been verified under the Summary section click Done.

30. Back on Assertion Creation click Next.

31. Under Protocol Settings click Configure Protocol Settings.

At this point there should be 3 entries already populated. Click Next

32. Under SLO Service URLs click Next

33. On Allowable SAML Bindings uncheck the options ARTIFACT and SOAP and click Next.

34. Under Signature Policy click Next.

35. Under Encryption Policy click Next.

36. Review the configuration in the Summary page and click Done.

37. Back on Browser SSO > Protocol settings click Next, validate the configuration and click Done. This will bring back the Browser SSO tab. Click Next.

38. Under Credentials click Configure Credentials and choose the signing certificate to be used during IdP to ISE communications and check the option Include the certificate in the signature. Then click Next.

Note: If there are no certificates configured, click Manage Certificates and follow the prompts to generate a Self-signed certificate to be used to sign IdP to ISE communications.

39. Validate the configuration under the Summary page and click Done.

40. Back on the Credentials tab click Next.

41. Under Activation & Summary select on Connection Status ACTIVE, validate the rest of the configuration and click Save.

Step 4. Import IdP Metadata into ISE External SAML IdP Provider Profile

1. Under the PingFederate management console, navigate to Server Configuration > Administrative Functions > Metadata Export If the server has been configured for multiple roles(IdP and SP) select the option I am the Identity Provider(IdP). Click Next

2. Under Metadata mode select “Select Information to Include In Metadata Manually”. Click Next .

3. Under Protocol click Next.

4. On Attribute Contract click Next.

5. Under Signing Key select the certificate previously configured on the connection profile. Click Next.

6. Under Metadata Signing select the signing certificate and check Include this certificate's public key in the key info element. Click Next.

7. Under XML encryption certificate click Next. The option to enforce encryption here is up to the Network Admin.

8. Under Summary section click Export Save the Metadata file generated and then click Done.

9. Under ISE, Navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers > PingFederate.

10. Click on Identity Provider Config >Click Browse and proceed to import the metadata saved from Pingfederate Metadata Export operation.

11. Select Groups Tab and under Group Membership Attribute add memberOf and then click add

12. Under the Name in Assertion add the Distinguished Name that the IdP should be returning back when the memberOf attribute is retrieved form LDAP authentication.This group will be linked to the sponsor group.

Once you add the DN and “Name in ISE” description click OK.

13. Select Attributes tab and click Add. At this step we will add the attribute “mail”. This is contained in the SAML authentication; result passed from the IdP(Based on email attribute for that user object in Active Directory).

Note: This step is important as ISE should be able to process the email linked to the Sponsor's session to be able to map any accounts in pending status from self-registered flows. Otherwise the accounts will remain in a limbo state as the "person being visited" email will not be mapped to a valid Sponsor session. It is also important for email notification proposes.

14. Under Advanced Tab select the following settings:

Note: This section will instruct ISE to include the email attribute in logout requests to the ldP server. This is important when the Sponsor User manually logs off from the portal.

15. Click Save.

16. In this step the administrator will map the Active Directory Group retrieved by the IdP to a Sponsor group. Navigate to Work Centers > Guest Access > Configure > Sponsor Groups > ALL_ACCOUNTS ( Or select the appropriate group). Click Members and select the PingFederate:Group we mapped in previous steps and add it to the Selected User Groups column. Then Click OK.

17. When Self Registered flow is configured, the accounts will be pending approval. In this case, select "Approve and view requests from self-registered guests” and select “Only pending accounts assigned to this sponsor” as an easy way to verify the Object Email address is AD and transferred to the Sponsor Identity in ISE through the IdP server using the Mail attribute.

18. Click Save. This finishes the configuration in ISE.

Verify

Launch the sponsor portal using the configured custom FQDN. ISE should redirect the user to PingFederate user authentication portal.

2. Enter Active Directory credentials and hit Sign On. IdP logon screen will redirect the user to the initial AUP on ISE’s Sponsor Portal.

At this point the Sponsor User should have full access to the portal.

3. Verify Single Sign On. When the “Portal test URL” feature is used ISE should ask for Sponsor credentials every time if SSO is not configured.

Launch the Sponsor Portal with Portal test URL link. ISE Sponsor URL will quickly switch to the IdP URL to verify session status and once the session token is confirmed the client is redirected back to the Sponsor Portal without the need of entering credentials.

4. Verify that the email attribute is passed correctly from Active Directory Object to IdP to ISE. The easiest way to test is by creating a new account in the Sponsor Portal and selecting the Notify Option. If the email is retrieved correctly it will appear under Sponsor's email address field.

5. Verify Logout function. This is crucial in the integration to verify that the sponsor logout triggers the Token Session to be terminated on the Identity Server side. Sign out from the Sponsor Portal and make sure that the next time the user tries to access the sponsor portal, it will be redirected back to the IdP authentication screen.

Troubleshoot

Any SAML authentication transaction will be logged in ISE side under ise-psc.log. There is a dedicated component (SAML) under Administration > Logging > Debug Log Configuration > Select the node in question > Set SAML component to debug level.

We can access ISE through CLI and issue a “show logging application ise-psc.log tail” and monitor the SAML events live, or we can download ise-psc.log for further analysis under Operations > Troubleshoot > Download Logs > Select the ISE node > Debug Logs tab > click ise-psc.log to download the logs.

Typically the Initial authentication log will look like this:

2016-06-13 10:18:58,560 DEBUG  [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML request - spUrlToReturnTo:https://torsponsor21.rtpaaa.net:8443/sponsorportal/SSOLoginResponse.action

2016-06-13 08:39:36,925 DEBUG  [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML Response: statusCode:urn:oasis:names:tc:SAML:2.0:status:Success

2016-06-13 08:39:36,925 DEBUG  [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Found attribute name : mail
2016-06-13 08:39:36,925 DEBUG  [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<mail> add value=<antontor@rtpaaa.net>


2016-06-13 08:39:36,925 DEBUG  [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Found attribute name : memberOf
2016-06-13 08:39:36,925 DEBUG  [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<memberOf> add value=<CN=TOR,DC=rtpaaa,DC=net>

After initial login event, each time the user accesses the sponsor portal we’ll see ISE retrieving the assertion information to verify that token is still active. The result should look like this:

2016-06-13 08:49:28,638 DEBUG  [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.WebSSOResponseValidator -::::- Validating response
2016-06-13 08:49:28,638 DEBUG  [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.WebSSOResponseValidator -::::- Validating assertion
2016-06-13 08:49:28,638 DEBUG  [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.AssertionValidator -::::- Assertion issuer succesfully validated
2016-06-13 08:49:28,638 DEBUG  [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.AssertionValidator -::::- Authentication statements succesfully validated
2016-06-13 08:49:28,638 DEBUG  [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.AssertionValidator -::::- Subject succesfully validated
2016-06-13 08:49:28,638 DEBUG  [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.AssertionValidator -::::- Conditions succesfully validated
2016-06-13 08:49:28,638 DEBUG  [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML Response: validation succeeded for sponsor
2016-06-13 08:49:28,638 DEBUG  [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML Response: found signature on the assertion