Cisco SAML

Introduction

This document explains how to federate Cisco ASA SSL/IPsec VPN with the PureAUTH Identity Platform over SAML and make Cisco AnyConnect authentication passwordless.

Prerequisites

  1. Cisco ASDM connected to the ASA firewall.
  2. A device certificate for the firewall: either one signed by a CA that the client machines trust, or a self-signed certificate that has been installed on the client machines.
  3. An SSH connection to the firewall.

Creating a new AnyConnect Profile

  • Open ASDM and connect to the ASA firewall using your admin account.
  • Go to the Configuration tab.
  • Go to the Remote Access VPN page.
  • Create a new AnyConnect connection profile using the AnyConnect VPN wizard.
  • Select AAA as the authentication method and skip the SAML authentication configuration for now; SAML is attached to the profile later.
  • Complete the profile creation and apply the changes.
  • Note the profile name (on the ASA this is the tunnel group name); it is part of the ACS and Audience URLs registered on PureAUTH.

Adding Cisco ASA application on PureAUTH

  1. Visit live.pureauth.io
  2. Enter your Organization ID or Organization Email.
  3. You will receive an email at the organization's email address with a login link.
  4. Click the login link; you will be logged in to the PureAUTH portal.
  5. Click the Applications tab.
  6. Click the Add application button.
  7. From the list of applications, click Create Custom application.

Application Form

  1. Enter your application name.
  2. Select Primary (Corporate Email) in the Dataset for Email field.
  3. In the "SAML Response Endpoint (ACS URL)" text box, enter the URL using the pattern:
     https://<your cisco server fqdn>/+CSCOE+/saml/sp/acs?tgname=<Tunnel_group_name/Connection_profile_name>
  4. In the "Audience" text box, enter the URL using the pattern:
     https://<your cisco server fqdn>/saml/sp/metadata/<Tunnel_group_name/Connection_profile_name>
     This is the ASA's SAML service provider entity ID. To check it, open the Audience URL in a browser: the ASA serves its SP metadata there, and the entityID and the AssertionConsumerService Location in that XML must match the Audience and ACS URL you entered. The FQDN must also match the device certificate and the Base URL you will configure on the ASA, because the ASA builds these URLs from the Base URL; a mismatch causes the assertion to be rejected.
  5. In the "SAML Logout Response Endpoint" field, enter the URL using the pattern:
     https://<your cisco server fqdn>/+CSCOE+/saml/sp/logout
  6. Toggle the "Sign Assertion" checkbox to "ON".
  7. Save the changes.

Note: Keep the PureAUTH SAML settings for this application (Issuer URL, SAML Login URL, SAML Logout URL and the PEM signing certificate) at hand; they are needed when configuring the identity provider on the ASA.

Adding SAML Application Certificate in ASA

Connect to the ASA firewall using SSH and run the following commands. The trustpoint holds the PureAUTH SAML signing certificate so that the ASA can verify the signatures on PureAUTH assertions:

  enable
  config t
  crypto ca trustpoint pureauth-saml
  revocation-check none
  no id-usage
  enrollment terminal
  no ca-check
  crypto ca authenticate pureauth-saml
  -----BEGIN CERTIFICATE-----
  ...
  PEM certificate text from the PureAUTH portal
  ...
  -----END CERTIFICATE-----
  quit
  wr

Notes on these commands:

  • enrollment terminal lets you paste the certificate at the console. crypto ca authenticate prompts for the PEM text, and the word quit on a line by itself ends the paste. The ASA then prints the certificate fingerprint and asks whether to accept it; compare the fingerprint with the certificate downloaded from the PureAUTH portal before answering yes.
  • no ca-check is needed because the PureAUTH signing certificate is a leaf certificate, not a CA certificate. revocation-check none disables CRL/OCSP checks for this trustpoint; since the trustpoint pins exactly one certificate, re-authenticate it with the new certificate whenever PureAUTH rotates its signing certificate, otherwise SAML logins fail signature validation.
  • wr saves the running configuration to startup.

Configuring SAML Authentication Server

  1. Open ASDM and connect to the Cisco ASA firewall.
  2. Go to the Configuration tab.
  3. Go to the Remote Access VPN page.
  4. In AnyConnect Connection Profiles, select the newly created profile and click Edit.
  5. Click "Manage" under SAML Identity Provider.
  6. Click Add to create a new IdP configuration.
  7. Set IDP Entity ID to the Issuer URL provided by PureAUTH.
  8. Set Sign In URL to the SAML Login URL provided by PureAUTH. Remove the https:// prefix from the URL and select https from the protocol dropdown.
  9. Set Sign Out URL to the SAML Logout URL provided by PureAUTH. Remove the https:// prefix from the URL and select https from the protocol dropdown.
  10. Set the Base URL to your ASA FQDN and select https from the protocol dropdown. Use the same FQDN as in the ACS and Audience URLs registered on PureAUTH; it must also match the ASA device certificate.
  11. In the Identity Provider Certificate field, select the pureauth-saml trustpoint created from the CLI in the previous section.
  12. In the Service Provider Certificate field, select the ASA device certificate.
  13. Set Request Signature to rsa-sha256.
  14. Optionally set a Request Timeout in seconds (1000-4000). This can help if a CSRF error appears during login.
  15. Optionally set a Clock Skew. This can also help if a CSRF error appears. Both settings widen the window in which the ASA accepts the timestamps in the assertion, so first make sure the ASA clock is synchronized with NTP and keep the skew as small as possible.
  16. Click OK.
  17. In the SAML Server field, select the newly created server from the dropdown.
  18. In the left pane, go to Advanced -> Group Alias/Group URL.
  19. Add a Group URL, for example https://<your cisco server fqdn>/<alias>. Users enter this URL in AnyConnect; the ASA maps it to this connection profile and authenticates them passwordlessly through PureAUTH.
  20. Click OK and Apply the settings.
  21. You should now be able to use passwordless authentication.
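The same identity provider and connection profile settings expressed as ASA CLI configuration, as an added example that is not part of the original PureAUTH documentation. The hostname vpn.example.com, the tunnel group name PureAUTH-SAML, the trustpoint ASA_DEVICE_CERT, the group URL path and the PureAUTH issuer, login and logout URLs are placeholders; substitute the Issuer URL, SAML Login URL and SAML Logout URL shown in your PureAUTH portal. Lines beginning with ! are explanatory comments, and the command syntax should be checked against your ASA version.

```cisco
! Added example: CLI equivalent of the ASDM SAML identity provider configuration.
! All hostnames, URLs and trustpoint names are placeholders, not PureAUTH values.
webvpn
 ! IdP entity ID = the Issuer URL from the PureAUTH portal (placeholder here)
 saml idp https://idp.pureauth.example/saml/metadata
  ! Sign In URL and Sign Out URL = PureAUTH SAML Login URL and SAML Logout URL
  url sign-in https://idp.pureauth.example/saml/login
  url sign-out https://idp.pureauth.example/saml/logout
  ! Base URL: the same FQDN used in the ACS and Audience URLs registered on PureAUTH
  base-url https://vpn.example.com
  ! Identity Provider Certificate: trustpoint holding the PureAUTH signing certificate
  trustpoint idp pureauth-saml
  ! Service Provider Certificate: trustpoint holding the ASA device certificate
  trustpoint sp ASA_DEVICE_CERT
  ! Request Signature: sign the AuthnRequest with RSA-SHA256
  signature rsa-sha256
  ! Request Timeout and Clock Skew in seconds; keep the skew small and rely on NTP
  timeout assertion 1200
  clock-skew 30
!
! Attach the IdP to the connection profile (tunnel group) created by the wizard
tunnel-group PureAUTH-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://idp.pureauth.example/saml/metadata
 ! Group URL that users enter in AnyConnect; the ASA maps it to this tunnel group
 group-url https://vpn.example.com/pureauth enable
```

With this configuration the ASA's SP entity ID is https://vpn.example.com/saml/sp/metadata/PureAUTH-SAML and its ACS URL is https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=PureAUTH-SAML, which are exactly the Audience and ACS URL values that must be registered on the PureAUTH side; if the base-url or tunnel group name differs from what PureAUTH has, the assertion is rejected. When a login fails, debug webvpn saml 255 on the ASA shows the assertion validation steps (issuer, audience, signature and timestamp checks) and is the quickest way to tell a certificate mismatch from a clock problem.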