Configure Single Sign-On

Table 1. Feature History
Feature Name	Release Information	Description
Single Sign-On Using Azure Active Directory (AD)	Cisco vManage Release 20.8.1	This feature adds support for Azure Active Directory (AD) as an external identity provider (IdP) for single sign-on of Cisco vManage users. You can configure Azure AD as an external IdP using Cisco vManage and the Azure AD administration portal.
Configure Multiple IdPs for Single Sign-On Users of Cisco vManage	Cisco vManage Release 20.10.1	With this feature, you can configure up to three IdPs for providing different levels of access for single sign-on users of Cisco vManage.

Information About Single Sign-On

This chapter describes how to configure single sign-on (SSO) for Cisco SD-WAN. Cisco SD-WAN supports SSO for the following identity providers (IdPs):

Okta
Active Directory Federation Services (ADFS)
PingID
Azure Active Directory (AD)

Note

For Cisco vManage 20.3.x release and later, use IdP SAML metadata with 2048-bit key signature certificate for SSO authentication because metadata with 1024-bit key signature certificate is not supported.

Network administrators must access different websites or applications to carry out their operations. To access these websites or applications, they must have multiple sets of credentials for each website or application. There's a possibility that they have forgotten their credentials, or someone has stolen them. With the help of the single sign-on (SSO) technique, network administrators can now have a secured access to multiple applications or websites with only one set of credentials.

For the SSO to work, we mainly require three components:

Identity provider (IdP): This system stores user data, maintains and supports the authentication mechanism, for example, Okta, ADFS, PingID, and Azure AD.
Service provider: This system hosts the website or application of interest, for example, Cisco vManage.
Users: People with a registered account with the IdP and the service provider.

To integrate IdPs with service providers, the SSO uses security assertion mark-up language (SAML). SAML is an XML-based communication standard that allows you to share identities among multiple organizations and applications.

The following steps describe the intergration of IdPs with service providers:

Whenever a network administrator tries to log in to a service provider using an IdP, the service provider first sends an encrypted message to the IdP.
The IdP decrypts the message and validates the credentials of the network administrator by comparing the information with the IdP's database.
After the validation, the IdP sends an encrypted message to the service provider. The service provider decrypts the message from the IdP, and the administrator is allowed to access the service provider.
In general, IdP and service provider exchange information based on predefined standards. This standard is a set of certificates called SAML.

After completing the above process, the administrator is redirected to the IdP portal. The administrator must enter IdP credentials to log in to Cisco vManage.

Note

The privileges for a particular administrator are provided based on the information available about that administrator in the IdP's database.

Benefits of Single Sign-On

With a properly deployed SSO solution, you can do the following:

Eliminate weak passwords for each cloud application
Streamline the secured access process
Provide one-click access to cloud applications

Prerequisites for Single Sign-On

In Cisco vManage, ensure that the identity provider settings (Administration Settings > Identity Provider Settings) are set to Enabled.

For more information on enabling identiy provider, see Enable an Identity Provider in Cisco vManage.
Availability of SAML metadata files for configuring IdP and service provider.
Cisco vManage requires access to an internet connection that doesn’t have a firewall restriction for Cisco vManage to reach the SSO.

Configure Single Sign-On Using Okta

Okta provides a secure identity management service that lets you connect any person with any application on any device using single sign-on (SSO).

Note

Beginning with Cisco vManage Release 20.3.1, Cisco vManage no longer supports MD5 or SHA-1. All x.509 certificates handled by Cisco vManage need to use at least SHA-256 or a higher encryption algorithm.

Perform the following procedures to configure SSO.

Enable an Identity Provider in Cisco vManage

To configure Okta SSO, use Cisco vManage to enable an identity provider and generate a Security Assertion Markup Language (SAML) metadata file.

From Cisco vManage Release 20.10.1, you can use Add New IDP Settings to configure up to three IdPs. For more information on integrating with multiple IdPs, see the chapter Configure Multiple IdPs.

From the Cisco vManage menu, choose Administration > Settings.
Click Identity Provider Settings and then click Edit.
Click Enabled.
Click Click here to download the SAML metadata and save the contents in a text file. This data is used for configuring Okta.

From the metadata that is displayed, make a note of the following information that you need for configuring Okta with Cisco vManage:

Entity ID
Signing certificate
Encryption certificate
Logout URL
Login URL

Note

Administrators can set up SSO using a single Entity ID only. Cisco vManage doesn't support more than one Entity ID while setting up SSO.

In the Upload Identity Provider Metadata section, click Select a File to upload the IdP metadata file.
Click Save.

Configure SSO on the Okta Website

Note

This procedure involves a third-party website. The details are subject to change.

To configure SSO on the Okta website:

Note

Each IdP application gets a customized URL from Okta for logging in to the Okta website.

Create a username using your email address.
To add Cisco vManage as an SSO application, from the Cisco vManage menu, click Admin.
Check the upper-left corner to ensure that it shows the Classic UI view on Okta.
If it shows Developer Console, click the down triangle to choose the Classic UI.
Click Add Application under Shortcuts to the right to go to the next window, and then click Create New Application on the pop-up window.
Choose Web for the platform, and choose SAML 2.0 as the Sign on Method.
Click Create.
Enter a string as Application name.
(Optional): Upload a logo, and then click Next.
On the SAML Settings for Single sign on URL section, set the value to the samlLoginResponse URL from the downloaded metadata from Cisco vManage.
Check the Use this for Recipient URL and Destination URL check box.
Copy the entityID string and paste it in the Audience URI (SP Entity ID) field.

The value can be an IP address or the name of the Cisco vManage site.
For Default RelayState, leave empty.
For Name ID format, choose EmailAddress.
For Application username, choose Okta username.

For Show Advanced Settings, enter the fields as indicated below.

Table 2. Fields for Show Advanced Settings
Component	Value	Configuration
Response	Signed	Not applicable
Assertion Signature	Signed	Not applicable
Signature Algorithm	RSA-SHA256	Not applicable
Digest Algorithm	SHA256	Not applicable
Assertion Encryption	Encrypted	Not applicable
Encryption Algorithm	AES256-CBC	Not applicable
Key Transport Algorithm	RSA-OAEP	Not applicable
Encryption Certificate	Not applicable	Copy the encryption certificate from the metadata you downloaded. Go to www.samltool.com and click X.509 CERTS, paste there. Click Format X.509 Certificate. Ensure to remove the last empty line and then save the output (X.509.cert with header) into a text file encryption.cer. Upload the file. Mozilla Firefox may not allow you to do the upload. Instead, you can use Google Chrome. You should see the certificate information after uploading to Okta.
Enable Single Logout		Ensure that this is checked.
Single Logout URL		Get from the metadata.
Service provider Issuer		Use the entityID from the metadata.
Signature Certificate		Obtain from the metadata. Format the signature certificate using www.samltool.com as described. Save to a file, for example, signing.cer and upload.
Authentication context class	X.509 Certificate	Not applicable
Honor Force Authentication	Yes	Not applicable
SAML issuer ID string	SAML issuer ID string	Not applicable
Attribute Statements	Field: Name	Value: `Username`
	Field: Name format (optional)	Value: Unspecified
	Field: Value	Value: `user.login`
Group Attribute Statements	Field: Name	Value: Groups
	Field: Name format (optional)	Value: Unspecified
	Field: Matches regex	Value: .*

Note

It is mandatory to use the two strings, Username and Groups, exactly as shown above. Otherwise, you may be logged in with the default group of Basic.

Click Next.
For Application Type, check This is an internal app that we have created (optional).
Click Finish. This brings you to the Okta application window.
Click View Setup Instructions.
Copy the IdP metadata.
In Cisco vManage, navigate to Identity Provider Settings > Upload Identity Provider Metadata, paste the IdP metadata, and click Save.
In addition to copy-and-pasting the contents of a file with IdP metadata, you can also upload a file directly using the Select a file option.

Assign Users to the Application on the Okta Website

Note

This procedure involves a third-party website. The details are subject to change.

To assign users to the application on the Okta website:

On the Okta application window, navigate to Assignments > People > Assign.
Choose Assign to people from the drop-down menu.
Click Assign next to the user(s) you chose and click Done.
To add a user, click Directory > Add Person.
Click Save.

Configure SSO for Active Directory Federation Services (ADFS)

This section describes how to use Cisco vManage and ADFS to configure SSO.

The configuration of Cisco vManage to use ADFS as an IdP involves two steps:

Step 1 - Import ADFS metadata to Cisco vManage.
Step 2- Export Cisco vManage metadata to ADFS.

Step 2 can be further divided into:

Edit and then import Cisco vManage metadata to ADFS.
Set up ADFS manually using the information from the Cisco vManage metadata.

For more information on configuring ADFS, see Enable an Identity Provider in Cisco vManage. The steps are the same as for configuring Okta as an IdP.

Import Metadata File into ADFS

Note

This procedure involves a third-party website. The details are subject to change.

Step 1 - Import ADFS Metadata to Cisco vManage:

Download the ADFS metadata file, typically from the ADFS URL: https://<your ADFS FQDN or IP>/FederationMetadata/2007-06/FederationMetadata.xml.
Save the file as adfs_metadata.txt.
From the Cisco vManage menu, choose Administration > Settings > Identity Provider Settings > Enable, and then upload adfs_metadata.txt to Cisco vManage.

Step 2 - Export Cisco vManage Metadata to ADFS:
With Identity Provider Settings enabled, Click here to download SAML metadata and save the contents to a file, which is typically 192.168.1.15_saml_metadata.xml.
After the SAML metadata is downloaded, verify that the signing certificate and the signature certificate are the same.
1. If the signing certificate and the signature certificate are the same, proceed to Step 6 to edit the Cisco vManage metadata file.
2. If the signing certificate and the signature certificate are not the same, use the signature certificate for the remaining steps, not the signing certificate.
Edit the Cisco vManage metadata file by deleting everything from <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> to </ds:Signature>.
Edit the Cisco vManage metadata file by deleting everything from <md:KeyDescriptor use="encryption"> to </md:KeyDescriptor>.
Import the new modified Cisco vManage metadata file into ADFS, and enter the entityID as Display Name.
Click Next until the end.
Open Edit Claim Rule, and add the following four new custom rules in the exact sequence:

@RuleName = "sAMAccountName as Username" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]=> issue(store = "Active Directory", types = ("Username"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "sAMAccountName as NameID" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Get User Groups and save in temp/variable" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable1"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Parse temp/variable1 and Send Groups Membership" c:[Type == "http://temp/variable1", Value =~ "(?i)^SSO-"] => issue(Type = "Groups", Value = RegExReplace(c.Value, "SSO-", ""));
Verify the final result.

In the Active Directory, create the following two security groups: SSO-Netadmin and SSO-Operator.

Note

If you are using different naming convention for the two security groups, then you have to modify the regular expression value "(?i)^SSO-" in the step above.

Any active directory users who are not members of the two groups will only have Basic access to Cisco vManage.

Add ADFS Relying Party Trust

Before you begin

To add an ADFS relying party trust using Cisco vManage:

From the Cisco vManage menu, choose Administration > Settings > Identity Provider Settings > Enable.
Download the ADFS Metadata file, and upload it into Cisco vManage. An example of a URL, https://<your ADFS FQDN or IP>/FederationMetadata/2007-06/FederationMetadata.xml.
Click here to download SAML metadata, and save the contents to a file. An example of a saved file, 192.168.1.15_saml_metadata.xml.
Open the file with an XML editor, and check that the following information is available:
- Entity ID
- Signing certificate
- Login URL
- Logout URL
Navigate to https://www.samltool.com/format_x509cert.php.
For Signing certificate, copy Signing certificate from “metadata” [everything between <ds:X509Certificate> and </ds:X509Certificate>].
Navigate to the www.samltool.com page, click X.509 CERTS > Format X.509 Certificate, and paste the copied content.
Save the output (“X.509 cert with header”) into a text file “Signing.cer”. Remember to remove the last empty line.

Add ADFS Relying Party Trust Manually

Note

This procedure involves a third-party website. The details are subject to change.

To add ADFS relying party trust manually:

Launch AD FS 2.0 Management.
Navigate to Trust Relationships > Relying Party Trusts.
Click Action > Add Relying Party Trust.
Click Start.
Choose Enter data about the relying party manually, and click Next.
Choose Display name and Notes, and then click Next.
Choose AD FS 2.0 profile, and click Next.
Click Next to skip Configure Certificate page.
Click Enable support for the SAML 2.0 Webs So protocol.
Open a text editor, and open the 10.10.10.15_saml_metadata.xml file.
Copy the vale of the Location attribute for AssertionConsumerService, and paste it into the Relying party SAML 2.0 SSO service URL text box.
Click Next.
Copy the value of the entityID attribute, and paste it into the Relying party trust identifiers text box.
Click Add, and click Next.
Click Next to skip to the Configure Multi-factor Authentication Now section.
Choose Permit all users to access this relying party, and click Next.
Click Next to skip to the Ready to Add Trust section.
Click Close.
Open Edit Claim Rules window, and add the following four new custom rules in this order:
- @RuleName = "sAMAccountName as Username" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]=> issue(store = "Active Directory", types = ("Username"), query = ";sAMAccountName;{0}", param = c.Value);
- @RuleName = "sAMAccountName as NameID" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
- @RuleName = "Get User Groups and save in temp/variable" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable1"), query = ";tokenGroups;{0}", param = c.Value);
- @RuleName = "Parse temp/variable1 and Send Groups Membership" c:[Type == "http://temp/variable1", Value =~ "(?i)^SSO-"]=> issue(Type = "Groups", Value = RegExReplace(c.Value, "SSO-", ""));
Open the Edit Claim Rules window, and verify that the rules display in Assurance Transform Rules.
Click Finish.
Open the Properties window of the newly created Relying Party Trust, and click Signature.
Click Add, and add the Signing.cer created in Step 6.

In the Active Directory, click General, and enter the following two security groups in the Group name text box:

SSO-Netadmin

SSO-Operator

Note

If you use a different naming convention for the two security groups, then you have to modify the Regular expression value for (?i)^SSO- mentioned in Step 19.

Note

Any active directory user who is NOT a member of these two groups, will only have Basic access to Cisco vManage.

Configure SSO for PingID

Cisco vManage supports PingID as an IdP. PingID is an identity management service for authenticating user identities with applications for SSO.

The configuration of Cisco vManage to use PingID as an IdP involves the following steps:

Import (upload) IdP metadata from PingID to Cisco vManage.
Download the Cisco vManage SAML metadata file to export to PingID.

Prerequisites:

In Cisco vManage, ensure that identity provider settings (Administration Settings > Identity Provider Settings) are set to Enabled.
Download the Cisco vManage SAML metadata file to export to PingID.

For more information on these procedures, see Enable an Identity Provider in Cisco vManage. The steps are the same as for configuring Okta as an IdP.

Perform the following steps for configuring PingID.

Configure SSO on the PingID Administration Portal

Note

This procedure involves a third-party website. The details are subject to change.

To configure PingID:

Log in to the PingID administration portal.
Create a username using your email address.
Click the Applications.
Click Add Application and choose New SAML Application.

In the Application Details section, Application Name, Application Description, and Category are all required fields.

For logos and icons, PNG is the only accepted graphics format.
Click Continue to Next Step.

The Application Configuration section appears.
Make sure that you choose I have the SAML configuration.
Under the You will need to download this SAML metadata to configure the application section, configure the following fields:
1. For Signing Certificate, use the drop-down menu, PingOne Account Origination Certificate.
2. Click Download next to SAML Metadata to save the PingOne IdP metadata into a file.
3. Later, you need to import the PingOne IdP metadata file into Cisco vManage to complete the SSO configuration.
  1. From the Cisco vManage menu, choose Administration > Settings.
  2. Click Identity Provider Settings > Upload Identity Provider Metadata to import the saved PingOne IdP metadata file into Cisco vManage.
  3. Click Save.

Under the Provide SAML details about the application you are connecting to section, configure the following fields:

For Protocol Version, click SAMLv2.0.
On Upload Metadata, click Select File to upload the saved Cisco vManage SAML metadata file to PingID.

PingID should be able to decode the metadata file and fill in the other fields.
Verify that the following fields and values are entered correctly.


Field	Value
Assertion Consumer Service (ACS)	<vManage_URL>/samlLoginResponse
Entity ID	IP address of Cisco vManage
Single Logout Endpoint	<vManage_URL>/samlLogoutResponse
Single Logout Binding Type	Redirect
Primary Verification Certificate	Name of the certificate
Encrypt Assertion	(Optional) If you do not encrypt the assertion, you might be prone to assertion replay attacks and other vulnerabilities.
Encryption Certification	Name of the certificate
Encryption Algorithm	(Optional) AES_256
Transport Algorithm	RSA_OAEP
Signing Algorithm	RSA_SHA256
Force Re-authentication	False

Click Continue to Next Step.
In the SSO Attribute Mapping section, configure the following fields:
1. Click Add new attribute to add the following attributes:
  1. Add Application Attribute as Username.
  2. Set Identity Bridge Attribute or Literal Value Value to Email.
  3. Check the Required box.
  4. Add another Application Attribute as Groups.
  5. Check the Required check box, and then click on Advanced.
  6. In the IDP Attribute Name or Literal Value section, click memberOf, and in Function, click GetLocalPartFromEmail.
2. Click Save.
Click Continue to Next Step to configure the Group Access.
Click Continue to Next Step.
Before clicking Finish, ensure that the settings are all correct.

Configure SSO for IDPs in Cisco vManage Cluster

Create three Cisco vManage single-tenant instances and associated configuration templates. See Deploy Cisco vManage.
Create a Cisco vManage cluster consisting of three Cisco vManage instances. See the Cluster Management chapter in the Cisco SD-WAN Getting Started Guide.
Download SAML metadata based on the IDP from the first Cisco vManage instance, and save it into a file.
Configure SSO for Okta, ADFS, or PingID.
Note and save the SAML response metadata information that you need for configuring Okta, ADFS, or PingID with Cisco vManage.
In the first instance of Cisco vManage, navigate to Administration > Settings > Identity Provider Settings > Upload Identity Provider Metadata, paste the SAML response metadata information, and click Save.

When you log in to the Cisco vManage cluster now, the first instance of Cisco vManage redirects SSO using an IDP. The second and third instances of the cluster also redirect SSO using IDP.

If the first instance of Cisco vManage cluster or the application server isn't available, the second and third instances of the cluster try redirecting SSO using an IDP. However, the SSO login fails for the second and third instances of the Cisco vManage cluster. The only option available for accessing the second and third instances of the Cisco vManage cluster is by using the local device authentication, which is "/login.html".

Configure Single Sign-On Using Azure AD

Minimum supported releases: Cisco IOS XE Release 17.8.1a and Cisco vManage Release 20.8.1

The configuration of Cisco vManage to use Azure AD as an IdP involves the following steps:

Export Cisco vManage metadata to Azure AD. For details, see Export Cisco vManage Metadata to Azure AD
Configure SSO using Azure AD and import Azure AD metadata to Cisco vManage. For details, see Configure Single Sign-On Using Azure AD and Import Azure AD Metadata to Cisco vManage.

Export Cisco vManage Metadata to Azure AD

From the Cisco vManage menu, choose Administration > Settings.
Click Identity Provider Settings and then click Edit.
Click Enabled.
Click Click here to download the SAML metadata and save the contents in a text file.

Configure Single Sign-On Using Azure AD and Import Azure AD Metadata to Cisco vManage

Note

This procedure involves a third-party website. The details are subject to change.

Log in to the Azure AD portal.
Create an enterprise application in Azure services.

An enterprise application integrates Azure AD with Cisco vManage. To create a new application, you must use the Non-gallery application.
Upload the SAML metadata file that you downloaded from Cisco vManage.

Configure the following fields according to the instructions available for the User Attributes & Claims section in the Azure AD portal.

Table 3. Attributes and Claims
Field	Value
Unique User Identifier (Name ID)	user.mail
Groups	netadmin
userprincipalname	user.userprincipalname

Download the federation metadata XML (Azure AD metadata) file.
From the Cisco vManage menu, choose Administration > Settings.
Choose Identity Provider Settings > Upload Identity Provider Metadata to import the saved Azure AD metadata file into Cisco vManage.
Click Save.

Verify Single Sign-On Using Azure AD

Minimum supported releases: Cisco IOS XE Release 17.8.1a and Cisco vManage Release 20.8.1

Log in to the Azure AD portal.
View the log of the authorized SSO logins.

Integrate with Multiple IdPs

The following sections provide information about integrating with multiple IdPs.

Information About Integrating with Multiple IdPs

Minimum supported release: Cisco vManage Release 20.10.1

With this feature, you can now configure more than one IdP per tenant in Cisco vManage. This feature supports both single-tenant and multitenant environments.

You can configure up to three IdPs per tenant and a maximum of three IdPs per the provider.

The following fields are added in Cisco vManage Administration > Settings > Identity Provider Settings for configuring multiple IdPs:

Add New IDP Settings
IDP Name
Domain

You can also edit or delete an IdP name and domain name.

For more information on configuring multiple IdPs, see Configure Multiple IdPs.

Benefits of Integrating with Multiple IdPs

Enables end users to allocate different user access for different functions in the organization
Provides high level of security and meets compliance requirements
Reduces operational costs

Restrictions for Integrating with Multiple IdPs

Minimum supported release: Cisco vManage Release 20.10.1

You can configure only three IdPs in a single-tenant deployment and three IdPs per tenant in a multitenancy deployment.

Use Cases for Integrating with Multiple IdPs

Minimum supported release: Cisco vManage Release 20.10.1

The following are potential use cases for integrating with multiple IdPs:

An end user (tenant) requires different types of user access for employees versus contractors.
An end user requires different types of user access for different functions within the organization.
An end user requires access to the same IdP, but has a different email address.

Configure Multiple IdPs

Minimum supported release: Cisco vManage Release 20.10.1

The following workflow is for configuring multiple IdPs. For more information on enabling an IdP, see Enable an Identity Provider in Cisco vManage.

From the Cisco vManage menu, choose Administration > Settings.
Click Identity Provider Settings and choose Edit.

Click Add New IDP Settings.

Note

After three IdPs are configured, the Add New IDP Settings option is no longer displayed.

Click the toggle button to switch between enabling and disabling IdP settings while retaining the existing configuration.

Click IDP Name and enter a unique name for your IdP.

Examples:

okta
idp1
provider
msp

You can configure a maximum of three IdPs.

Note

You cannot map the same domain to multiple IdPs, but you can use the same IdP for multiple domains.

Click Domain and enter a unique domain name for your IdP, for example, okta.com.

If the domain name already exists, Cisco vManage generates an error message.

Note

You can also add a domain later to an existing IdP.

In the Upload Identity Provider Metadata section, upload the SAML metadata file you downloaded from your IdP.
Click Save.
After you configure a new IdP name, domain, and sign out of your current Cisco vManage session, you are redirected to a unified SAML login page.

In the unified SAML login page, if you require local authentication, remove the login.html portion of the URL. This redirects you to the local authentication page.

Note

A user ID must be in an email address format, for example, john@mystore.com.

In the unified SAML login page, enter the SSO credentials for your IdP.

Note

You are redirected to the unified SAML login page each time you access Cisco vManage after configuring a new IdP name and domain.

Verify Integration with Multiple IdPs

Minimum supported release: Cisco vManage Release 20.10.1

From the Cisco vManage menu, choose Administration > Settings.
Click Identity Provider Settings and then click View.
Verify the configured IdP and the corresponding domain.

Troubleshooting Integration with Multiple IdPs

Minimum supported release: Cisco vManage Release 20.10.1

For troubleshooting integration issues with multiple IdPs, you can access the log files at:

/var/log/nms/vmanage-server.log is the log file for enabling and disabling IdP.
/var/log/nms/vmanage-sso.log is the SSO-specific log file.

Cisco SD-WAN Security Configuration Guide, Cisco IOS XE Release 17.x

Bias-Free Language

Book Title

Cisco SD-WAN Security Configuration Guide, Cisco IOS XE Release 17.x

Chapter Title

Configure Single Sign-On

Results

Chapter: Configure Single Sign-On

Configure Single Sign-On

Information About Single Sign-On

Benefits of Single Sign-On

Prerequisites for Single Sign-On

Configure Single Sign-On Using Okta

Enable an Identity Provider in Cisco vManage

Configure SSO on the Okta Website

Assign Users to the Application on the Okta Website

Configure SSO for Active Directory Federation Services (ADFS)

Import Metadata File into ADFS

Add ADFS Relying Party Trust

Before you begin

Add ADFS Relying Party Trust Manually

Configure SSO for PingID

Configure SSO on the PingID Administration Portal

Configure SSO for IDPs in Cisco vManage Cluster

Configure Single Sign-On Using Azure AD

Export Cisco vManage Metadata to Azure AD

Configure Single Sign-On Using Azure AD and Import Azure AD Metadata to Cisco vManage

Verify Single Sign-On Using Azure AD

Integrate with Multiple IdPs

Information About Integrating with Multiple IdPs

Benefits of Integrating with Multiple IdPs

Restrictions for Integrating with Multiple IdPs

Use Cases for Integrating with Multiple IdPs

Configure Multiple IdPs

Verify Integration with Multiple IdPs

Troubleshooting Integration with Multiple IdPs

Was this Document Helpful?

Contact Cisco