This guide provides information on how to set up Cisco ASA using the Cisco AnyConnect VPN Client for direct SAML integration with Beyond Identity.
Prerequisites
- Cisco ASA running 9.8 code train or higher.
- VPN Client running version 4.6+.
- Cisco ASA network admin account.
- Cisco ASA GUI access via ASDM and CLI access via SSH.
- Beyond Identity Admin Console access.
Step 1: Configure SAML Integration on Beyond Identity Admin Console
- Log in to the Beyond Identity Admin console and go to Integrations > SAML > Add SAML connection.
- Enter Cisco ASA for the Name and click Save Changes.
- Copy the IdP SSO URL and IdP Issuer, and then download the certificate file.
Step 2: Configure Cisco ASA
- On Cisco ASA CLI, create a Trustpoint and import the Beyond Identity SAML certificate you downloaded.
config t
crypto ca trustpoint BeyondIdentity-SAML
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
 exit
crypto ca authenticate BeyondIdentity-SAML
-----BEGIN CERTIFICATE-----
… PEM Certificate Text from download goes here …
-----END CERTIFICATE-----
quit
- Set up Beyond Identity as the SAML IdP on Cisco ASA. Replace the values in angle brackets with the IdP Issuer and IdP SSO URL copied in Step 1 and with your own SP trustpoint; base-url is the public FQDN of the ASA, and the SP URLs entered in Step 3 are built from it. Note that no signature means the ASA does not sign the AuthnRequests it sends to the IdP.
webvpn
 saml idp <IdP Issuer URL ending in metadata.xml>
  url sign-in <IdP SSO URL ending in /SSO>
  url sign-out https://www.beyondidentity.com
  trustpoint idp BeyondIdentity-SAML
  trustpoint sp <SP Trustpoint>
  no force re-authentication
  no signature
  base-url https://my.asa.com
- Set up the tunnel-group. The saml identity-provider value must be the same IdP Issuer URL used for saml idp in the webvpn configuration above.
tunnel-group BeyondIdentity-AC-SAML type remote-access
tunnel-group BeyondIdentity-AC-SAML webvpn-attributes
 authentication saml
 group-alias BeyondIdentity enable
 saml identity-provider <IdP Issuer URL ending in metadata.xml>
 saml idp-trustpoint BeyondIdentity-SAML
Step 3: Finish the SAML Integration on Beyond Identity Admin Console
- In the Beyond Identity Admin Console, go to Integrations > SAML > Add SAML connection.
- Complete the following information, using your ASA's base-url as the host in the two URLs, and click Save Changes.
- SP Single Sign On URL: https://asa.azure-hybrid.us/+CSCOE+/saml/sp/acs?tgname=BeyondIdentity-AC-SAML
- SP Audience URI: https://asa.azure-hybrid.us/saml/sp/metadata/BeyondIdentity-AC-SAML
- Name ID Format: emailAddress
- Subject User Attribute: UserName
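As an added example (not from this guide, nor Cisco or Beyond Identity tooling), the following Python script parses an ASA running-config excerpt in the shape of Step 2, checks that the tunnel-group's saml identity-provider and saml idp-trustpoint match the webvpn saml idp block, and derives the Step 3 SP values from base-url and the tunnel-group name. The config text, the idp.example.invalid URLs, the base-url and the ASA-SP trustpoint name are constructed placeholders.

```python
import re
# Constructed sample in the shape of the guide's Step 2 commands; the IdP URLs,
# base-url and the ASA-SP trustpoint name are placeholders, not real values.
SAMPLE_CONFIG = """\
webvpn
 saml idp https://idp.example.invalid/saml/metadata.xml
  url sign-in https://idp.example.invalid/saml/SSO
  trustpoint idp BeyondIdentity-SAML
  trustpoint sp ASA-SP
  no signature
  base-url https://my.asa.com
tunnel-group BeyondIdentity-AC-SAML type remote-access
tunnel-group BeyondIdentity-AC-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.invalid/saml/metadata.xml
 saml idp-trustpoint BeyondIdentity-SAML
"""
def first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None
def parse_saml(config):
    """Pull the webvpn SAML IdP settings and each tunnel-group's SAML references."""
    groups, current = {}, None
    for line in config.splitlines():
        tg = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
        if tg:
            current = groups.setdefault(tg.group(1), {})
        elif current is not None and line.startswith(" "):
            ref = re.match(r" saml (identity-provider|idp-trustpoint) (\S+)$", line)
            if ref:
                current[ref.group(1)] = ref.group(2)
        else:
            current = None  # any other top-level line leaves webvpn-attributes mode
    return {"idp_entity": first(r"^ saml idp (\S+)$", config),
            "idp_trustpoint": first(r"^  trustpoint idp (\S+)$", config),
            "base_url": first(r"^  base-url (\S+)$", config), "groups": groups}
def check(config):
    """Each tunnel-group must reference the IdP entity ID and trustpoint configured under webvpn."""
    p = parse_saml(config)
    pairs = (("identity-provider", "idp_entity"), ("idp-trustpoint", "idp_trustpoint"))
    return [f"{name}: saml {ref} does not match webvpn {key}"
            for name, g in p["groups"].items() for ref, key in pairs if g.get(ref) != p[key]]

def sp_values(base_url, tunnel_group):
    """Step 3 values: the ASA derives its SP ACS URL and Audience URI from base-url and tunnel-group."""
    host = base_url.rstrip("/")
    return {"SP Single Sign On URL": f"{host}/+CSCOE+/saml/sp/acs?tgname={tunnel_group}",
            "SP Audience URI": f"{host}/saml/sp/metadata/{tunnel_group}"}
```

Run check() against the output of show running-config webvpn and show running-config tunnel-group before opening the Beyond Identity console, and paste the sp_values() output into the Step 3 fields.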