
Cisco anyconnect 4.6 vpn multiple profiles

Most network administrators have probably spent at least some time setting up a remote-access VPN for their company or for a customer. To authenticate the end users that connect to the VPN it is very common to use an external user database, and to talk to that database you usually use LDAP or RADIUS: either directly against an LDAP directory or against a RADIUS server (such as Cisco's Identity Services Engine, ISE).

However, if your VPN solution consists of a Cisco ASA firewall and the AnyConnect VPN client, there is another option available for handling authentication: SAML, the Security Assertion Markup Language. SAML has grown big in the last few years, providing authentication and single sign-on (SSO) for applications like email, websites, ticketing services and much more. The general idea of SAML is that once you have authenticated successfully, your web browser is handed a sort of cookie or "ticket" that lets you be signed in automatically to the next service you use that relies on the same SAML authentication. As of this writing, a successful SAML authentication for the VPN does not "carry over" to other services because of how AnyConnect works, so keep that in mind for your own implementation. Today there are many products that provide SAML authentication, from well-known companies like Microsoft, Okta, Ping Identity and even Cisco (through their Duo service).

I am not going to go into detail on how SAML authentication works, but the main point of the flow is this: when you initiate a VPN session in AnyConnect (by typing the URL/IP of your ASA and clicking "Connect"), instead of getting the normal AnyConnect login prompt you are redirected to a so-called Identity Provider (IdP), which presents you with a login web page that opens inside AnyConnect (at least if you are using AnyConnect version 4.6 or newer). It is very common for companies and organizations to design their own login page with their brand colors and logotypes to make users feel at home, and since the VPN login looks the same as for the other applications the users already use, they will be familiar with the interface. In SAML terms the ASA acts as the Service Provider (SP).

This is not going to be a complete guide to setting up SAML authentication for VPN on the ASA: we will only cover the SAML configuration on the ASA, not the configuration of basic VPN settings like group policies etc. We will also not cover the configuration of the IdP, mainly because 1) you, the network administrator, will probably not be the one tasked with that configuration and 2) there are way too many different IdP services and I've barely seen any of them. This article is more a collection of good things to know that I've picked up from implementing SAML authentication myself and from reading about other people's experiences on the Cisco Support forum. The main reason I felt the need to write this article is that Cisco's own documentation regarding SAML is pretty barebones and, in my opinion, does not cover all the steps needed well enough.

General Setup

Below you see a simple diagram of the connections and communication that take place in a SAML VPN solution. The IdP could be on your internal network, in your DMZ or on the internet if you are using a cloud service. I'm just going to get this out right away: there are some technical requirements that need to be met to use SAML authentication for your VPN connections. Your ASA must have a trusted certificate installed, preferably from a third party. Your IdP must also have a trusted certificate installed, preferably from a third party. SAML authentication differs quite a bit from the usual RADIUS or LDAP authentication you are used to: the ASA doesn't actually know the name of the user until the authentication is complete (either successful or failed), since the authentication takes place on the IdP. The IdP informs the ASA of the username through the NameID in the SAML assertion. The Connection Profile (tunnel group) for the VPN that is going to use SAML as its authentication method cannot contain any spaces, because the Connection Profile name is going to be used in the SAML URLs that the IdP will make use of.
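The requirements described above (the ASA acting as the SAML Service Provider, a certificate for the ASA and one for the IdP, the username arriving in the NameID, and a tunnel-group name without spaces) come together in an ASA configuration like the following. This is an added example and not configuration from the original article; the hostnames, IdP URLs, trustpoint names, group policy name and the tunnel-group name SAML-VPN are assumptions, and both trustpoints are assumed to have been enrolled already (the ASA's own certificate in ASA-SP-CERT, the IdP's signing certificate in IDP-SIGNING-CERT).

```cisco
! --- IdP definition (global webvpn context) ---
! The IdP is referenced by its entity ID; all URLs here are assumed values.
webvpn
 saml idp https://idp.example.com/saml/metadata
  url sign-in  https://idp.example.com/saml/sso
  url sign-out https://idp.example.com/saml/logout
  ! Trustpoint holding the IdP certificate; the ASA uses it to validate
  ! the signature on the assertion that carries the NameID
  trustpoint idp IDP-SIGNING-CERT
  ! Trustpoint holding the ASA's own (third-party) certificate as SP
  trustpoint sp ASA-SP-CERT
  ! FQDN the ASA puts in its SP URLs; must match the SP certificate
  base-url https://vpn.example.com
  ! AuthnRequests are sent unsigned; use "signature" if the IdP demands signed requests
  no signature
  no force re-authentication

! --- Connection Profile (tunnel group) that authenticates via SAML ---
! The name "SAML-VPN" contains no spaces: the ASA embeds it in the SP URLs
! that the IdP administrator has to configure on their side:
!   Entity ID : https://vpn.example.com/saml/sp/metadata/SAML-VPN
!   ACS URL   : https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=SAML-VPN
tunnel-group SAML-VPN type remote-access
tunnel-group SAML-VPN general-attributes
 default-group-policy GP-SAML-VPN
tunnel-group SAML-VPN webvpn-attributes
 saml identity-provider https://idp.example.com/saml/metadata
 authentication saml
 group-alias SAML-VPN enable
```

Once this is in place, the ASA serves its SP metadata XML at the entity ID URL shown in the comments, which is the document to hand to whoever configures the IdP. When testing a client connection, `debug webvpn saml 255` on the ASA shows the redirect to the IdP, the assertion that comes back and the NameID the ASA extracts from it, which is the quickest way to see why a login is rejected.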














