This document describes how to configure a PingFederate SAML server with Cisco Identity Services Engine (ISE) 2.1 to provide Single Sign-On (SSO) for Sponsor users.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any commands.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains.
The SAML specification defines three roles: the Principal (the Sponsor user), the Identity Provider (IdP) (the PingFederate server), and the Service Provider (SP) (ISE). In a typical SAML SSO flow, the SP requests and obtains an identity assertion from the IdP. ISE can base policy decisions on this result, because the IdP can include configurable attributes in the assertion that ISE evaluates when it makes those decisions. Once the initial authentication has occurred, the user is not prompted for credentials again to access the service as long as the session is still active on the IdP.
This is the expected flow for this use case:
The following section will discuss the configuration steps to integrate ISE with Ping Federate and how to enable browser SSO for the Sponsor Portal.
Note: Although various options and combinations exist for authenticating sponsor users, not all of them are described in this document. This example does, however, give you the information needed to adapt it to the precise configuration you want to achieve.
5. Verify that the flow diagram represents the following and click Save:
3. Save and extract the generated zip file. The XML file it contains is used when you create the profile in PingFederate.
4. Open the PingFederate admin portal (typically https://ip:9999/pingfederate/app).
5. Under the IDP Configuration tab > SP Connections section, select Create New.
6. Under Connection Type click Next.
7. Under Connection Options click Next.
8. Under Import Metadata, select File, click Choose File and select the XML file previously exported from ISE.
9. Under Metadata Summary, click Next.
10. On the General Information page, under Connection Name enter a name (for example ISEsponsorPortal) and click Next.
11. Under Browser SSO click Configure Browser SSO and under SAML Profiles check these options and click Next:
12. On Assertion Lifetime click Next.
13. On Assertion Creation click Configure Assertion Creation.
14. Under Identity Mapping select Standard and click Next.
15. On Attribute Contract > Extend the Contract, enter the attributes mail and memberOf and click Add after each. Then click Next.
Note: This is a critical step, as ISE relies on these two attributes: memberOf drives the sponsor group mapping, and mail is required for the notification functions to work.
16. Under Authentication Source Mapping click Map New Adapter Instance.
17. On Adapter Instance select HTML Form Adapter. Click Next.
18. Under Mapping Method select the second option and click Next.
19. On Attribute Sources & User Lookup click the Add Attribute Source box.
20. Under Data Store enter a description, select your LDAP connection instance from Active Data Store, and define the type of Directory Service. If no Data Stores are configured yet, click Manage Data Stores to add a new instance.
21. Under LDAP Directory Search define the Base DN for the LDAP user lookup in the domain and click Next.
Note: This is important, as it defines the base DN used during the LDAP user lookup. An incorrectly defined Base DN results in the error "Object Not found in LDAP schema".
22. Under LDAP Filter add the string sAMAccountName=${username} and click Next. PingFederate replaces ${username} at run time with the user name entered in the HTML Form Adapter, so the lookup returns the AD user object whose mail and memberOf attributes populate the contract.
23. Under Attribute Contract Fulfillment select these options and click Next.
24. Verify the configuration in the Summary section and click Done.
25. Back in Attribute Sources & User Lookup click Next.
26. Under Failsafe Attribute Source click Next.
27. Under Attribute Contract Fulfillment select these options and click Next:
28. Verify the configuration in the Summary section and click Done.
29. Back on Authentication Source Mapping click Next.
30. Once the configuration has been verified under the Summary section, click Done.
31. Back on Assertion Creation click Next.
32. Under Protocol Settings click Configure Protocol Settings.
At this point there should already be 3 entries populated. Click Next.
33. Under SLO Service URLs click Next.
34. On Allowable SAML Bindings uncheck the options ARTIFACT and SOAP and click Next.
35. Under Signature Policy click Next.
36. Under Encryption Policy click Next.
37. Review the configuration on the Summary page and click Done.
38. Back on Browser SSO > Protocol Settings click Next, validate the configuration and click Done. This brings you back to the Browser SSO tab. Click Next.
39. Under Credentials click Configure Credentials, choose the signing certificate to be used for IdP to ISE communications, and check the option Include the certificate in the signature. Then click Next.
Note: If there are no certificates configured, click Manage Certificates and follow the prompts to generate a self-signed certificate to sign IdP to ISE communications.
40. Validate the configuration on the Summary page and click Done.
41. Back on the Credentials tab click Next.
42. Under Activation & Summary set Connection Status to ACTIVE, validate the rest of the configuration and click Save.
1. In the PingFederate management console, navigate to Server Configuration > Administrative Functions > Metadata Export. If the server has been configured for multiple roles (IdP and SP), select the option I am the Identity Provider (IdP). Click Next.
2. Under Metadata mode select "Select Information to Include In Metadata Manually". Click Next.
3. Under Protocol click Next.
4. On Attribute Contract click Next.
5. Under Signing Key select the certificate previously configured on the connection profile. Click Next.
6. Under Metadata Signing select the signing certificate and check Include this certificate's public key in the key info element. Click Next.
7. Under XML Encryption Certificate click Next. Whether to enforce encryption here is up to the network administrator.
8. Under the Summary section click Export, save the generated metadata file, and then click Done.
9. In ISE, navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers > PingFederate.
10. Click Identity Provider Config, click Browse and import the metadata saved from the PingFederate Metadata Export operation.
11. Select the Groups tab and under Group Membership Attribute enter memberOf, then click Add.
12. Under Name in Assertion add the Distinguished Name that the IdP returns in the memberOf attribute retrieved from LDAP. This group will be linked to a sponsor group.
Once you have added the DN and the "Name in ISE" description, click OK.
13. Select the Attributes tab and click Add. At this step we add the attribute mail. This attribute is contained in the SAML authentication result passed from the IdP (it is based on the mail attribute of the user object in Active Directory).
Note: This step is important, as ISE must be able to process the email linked to the Sponsor's session in order to map accounts in pending status from self-registered flows. Otherwise those accounts remain in a limbo state, because the "person being visited" email is not mapped to a valid Sponsor session. It is also important for email notification purposes.
14. Under Advanced Tab select the following settings:
Note: This section instructs ISE to include the email attribute in logout requests to the IdP server. This is important when the Sponsor user manually logs off from the portal.
15. Click Save.
16. In this step the administrator maps the Active Directory group retrieved through the IdP to a Sponsor group. Navigate to Work Centers > Guest Access > Configure > Sponsor Groups > ALL_ACCOUNTS (or select the appropriate group). Click Members, select the PingFederate:Group mapped in the previous steps and add it to the Selected User Groups column. Then click OK.
17. When a self-registered flow is configured, accounts are pending approval. In this case, select "Approve and view requests from self-registered guests" and "Only pending accounts assigned to this sponsor". This is an easy way to verify that the email address of the AD object is transferred to the Sponsor identity in ISE through the IdP server using the mail attribute.
18. Click Save. This finishes the configuration in ISE.
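The assertion handling that the configuration above sets up, shown as an added example (this is not part of the Cisco document and not ISE's own code): an SP-side check of the SAML Response PingFederate returns, tying together the flow in the Background section and the mail/memberOf attribute contract configured in the IdP and ISE steps. It checks the status code, the assertion issuer, the subject, the audience restriction and the validity window, extracts mail and memberOf, and maps the memberOf DN to a sponsor group by exact string match. The entity IDs, the DN-to-group table and the sample Response are assumed values built from the attribute names and values shown in the troubleshooting log; XML signature verification, which ISE does perform (see "found signature on the assertion" in the log), is left out because the Python standard library has no XML-DSig support.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values (not from the document): IdP entity ID from the PingFederate
# metadata, SP entity ID from the ISE metadata, and a DN -> sponsor group table
# that mirrors the ISE Groups tab plus the Sponsor Groups > Members mapping.
IDP_ENTITY_ID = "https://pingfederate.example.net:9031"
SP_ENTITY_ID = "https://torsponsor21.rtpaaa.net:8443/sponsorportal"
GROUP_MAP = {"CN=TOR,DC=rtpaaa,DC=net": "ALL_ACCOUNTS"}

# Constructed sample Response: attribute names/values follow the ise-psc.log
# excerpt in the troubleshooting section; everything else is made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2016-06-13T08:39:36Z"
  Destination="https://torsponsor21.rtpaaa.net:8443/sponsorportal/SSOLoginResponse.action">
  <saml:Issuer>https://pingfederate.example.net:9031</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-06-13T08:39:36Z">
    <saml:Issuer>https://pingfederate.example.net:9031</saml:Issuer>
    <saml:Subject><saml:NameID>antontor</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-06-13T08:34:36Z" NotOnOrAfter="2016-06-13T08:44:36Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://torsponsor21.rtpaaa.net:8443/sponsorportal</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>antontor@rtpaaa.net</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>CN=TOR,DC=rtpaaa,DC=net</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _t(stamp):
    """SAML timestamps are UTC, e.g. 2016-06-13T08:39:36Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_attributes(assertion):
    """Return {name: [values]}; memberOf is multi-valued, so every value is kept."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def validate_response(xml_text, now_iso, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID):
    """Issuer, subject, conditions and audience checks (the ones the ISE log
    reports), plus a check that mail is present. No signature check here."""
    now = _t(now_iso)
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": problems + ["no assertion"], "attributes": {}}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp:
        problems.append(f"unexpected issuer {issuer!r}")
    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("no subject NameID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _t(nb):
            problems.append("assertion not yet valid")
        if noa is None or now >= _t(noa):
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp not in audiences:
            problems.append("audience restriction does not name this SP")
    attrs = parse_attributes(assertion)
    if not attrs.get("mail"):
        # The limbo state described in the note on the Attributes tab.
        problems.append("mail attribute missing: notifications and pending "
                        "self-registered accounts will not map to this sponsor")
    return {"ok": not problems, "problems": problems, "attributes": attrs}


def sponsor_groups(attrs, group_map=GROUP_MAP):
    """Exact, case-sensitive DN match against the Name in Assertion table (an
    assumption of this example, chosen because a DN is copied verbatim into ISE)."""
    return sorted({group_map[dn] for dn in attrs.get("memberOf", []) if dn in group_map})
```

Call validate_response(SAMPLE_RESPONSE, "2016-06-13T08:39:40Z") and pass the returned attributes to sponsor_groups to see the mapping to ALL_ACCOUNTS; move the clock past NotOnOrAfter, change the SP entity ID, or delete the mail attribute from the sample to see each check fail on its own.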
2. Enter Active Directory credentials and click Sign On. The IdP logon screen redirects the user to the initial AUP on ISE's Sponsor Portal.
At this point the Sponsor User should have full access to the portal.
3. Verify Single Sign-On. When the Portal test URL feature is used, ISE asks for Sponsor credentials every time if SSO is not configured.
Launch the Sponsor Portal with the Portal test URL link. The ISE Sponsor URL quickly switches to the IdP URL to verify the session status, and once the session token is confirmed the client is redirected back to the Sponsor Portal without the need to enter credentials.
4. Verify that the email attribute is passed correctly from the Active Directory object to the IdP and on to ISE. The easiest way to test this is to create a new account in the Sponsor Portal and select the Notify option. If the email has been retrieved correctly, it appears in the Sponsor's email address field.
5. Verify the logout function. This is crucial in the integration: the sponsor logout must terminate the session token on the identity server side. Sign out from the Sponsor Portal and make sure that the next time the user tries to access the sponsor portal, they are redirected back to the IdP authentication screen. If the IdP session survives the portal logout, the next person at the same browser is silently signed back in as the previous sponsor, so this check matters on shared workstations.
Every SAML authentication transaction is logged on the ISE side in ise-psc.log. There is a dedicated SAML component under Administration > Logging > Debug Log Configuration > select the node in question > set the SAML component to debug level.
You can access ISE through the CLI and issue show logging application ise-psc.log tail to monitor SAML events live, or download ise-psc.log for further analysis under Operations > Troubleshoot > Download Logs > select the ISE node > Debug Logs tab > click ise-psc.log to download the log.
Typically, the initial authentication log looks like this:
2016-06-13 10:18:58,560 DEBUG [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML request - spUrlToReturnTo:https://torsponsor21.rtpaaa.net:8443/sponsorportal/SSOLoginResponse.action
2016-06-13 08:39:36,925 DEBUG [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML Response: statusCode:urn:oasis:names:tc:SAML:2.0:status:Success
2016-06-13 08:39:36,925 DEBUG [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Found attribute name : mail
2016-06-13 08:39:36,925 DEBUG [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<mail> add value=<antontor@rtpaaa.net>
2016-06-13 08:39:36,925 DEBUG [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Found attribute name : memberOf
2016-06-13 08:39:36,925 DEBUG [http-bio-14.36.157.210-8443-exec-7][] cpm.saml.framework.impl.SAMLAttributesParser -::::- [parseAttributes] Delimeter not configured, Attribute=<memberOf> add value=<CN=TOR,DC=rtpaaa,DC=net>
After the initial login event, each time the user accesses the sponsor portal ISE retrieves the assertion information to verify that the token is still active. The result looks like this:
2016-06-13 08:49:28,638 DEBUG [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.WebSSOResponseValidator -::::- Validating response
2016-06-13 08:49:28,638 DEBUG [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.WebSSOResponseValidator -::::- Validating assertion
2016-06-13 08:49:28,638 DEBUG [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.AssertionValidator -::::- Assertion issuer succesfully validated
2016-06-13 08:49:28,638 DEBUG [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.AssertionValidator -::::- Authentication statements succesfully validated
2016-06-13 08:49:28,638 DEBUG [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.AssertionValidator -::::- Subject succesfully validated
2016-06-13 08:49:28,638 DEBUG [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.validators.AssertionValidator -::::- Conditions succesfully validated
2016-06-13 08:49:28,638 DEBUG [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML Response: validation succeeded for sponsor
2016-06-13 08:49:28,638 DEBUG [http-bio-14.36.157.210-8443-exec-4][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- SAML Response: found signature on the assertion
Release Notes for Cisco Identity Services Engine, Release 2.1
Cisco Identity Services Engine Administrator Guide, Release 2.1