Introduction
This guide provides information on how to:
- Set up Cisco ASA with the Cisco AnyConnect VPN client for direct SAML integration with Beyond Identity.
Prerequisites:
- Cisco ASA running the 9.8 code train or higher.
- AnyConnect VPN client version 4.6 or higher.
- Cisco ASA network admin account.
- Cisco ASA GUI access via ASDM and CLI access via SSH.
- Beyond Identity Admin Console access.
User Experience Demo:
https://drive.google.com/file/d/1ozfRRtdvK3rbiDQOkDfLtJ5hxsk1sqSl/view?usp=sharing
Step 1: Configure SAML Integration on Beyond Identity Admin Console:
- Log in to the BI Admin Console and navigate to Integrations -> SAML -> Add SAML connection.
- Fill in the required details and hit SAVE CHANGES.
- Note down the IdP SSO URL and the IdP Issuer URL, and download the certificate file.
Step 2: Configure Cisco ASA:
- On the Cisco ASA CLI, create a trustpoint and import the Beyond Identity SAML certificate downloaded in the previous step.
config t
crypto ca trustpoint BeyondIdentity-SAML
revocation-check none
no id-usage
enrollment terminal
no ca-check
exit
crypto ca authenticate BeyondIdentity-SAML
-----BEGIN CERTIFICATE-----
…
PEM Certificate Text from download goes here
…
-----END CERTIFICATE-----
quit
- Use the following commands to set up Beyond Identity as the SAML IdP on the Cisco ASA. Replace https://my.asa.com with the public FQDN of the ASA: the SP URLs entered in Step 3 are derived from this base-url and the tunnel-group name.
webvpn
saml idp <IdP Issuer URL ending in metadata.xml>
url sign-in <IdP SSO URL ending in /SSO>
url sign-out https://www.beyondidentity.com
trustpoint idp BeyondIdentity-SAML
trustpoint sp <SP Trustpoint>
no force re-authentication
no signature
base-url https://my.asa.com
- Use the following commands to set up the tunnel-group:
tunnel-group BeyondIdentity-AC-SAML type remote-access
tunnel-group BeyondIdentity-AC-SAML webvpn-attributes
authentication saml
group-alias BeyondIdentity enable
saml identity-provider <IdP Issuer URL ending in metadata.xml>
saml idp-trustpoint BeyondIdentity-SAML
Step 3: Complete SAML Integration on Beyond Identity Admin Console:
- Log in to the BI Admin Console and navigate to Integrations -> SAML -> Add SAML connection.
- Fill in the details as shown in the example below and hit SAVE CHANGES.
Name: Cisco ASA
SP Single Sign On URL: https://asa.azure-hybrid.us/+CSCOE+/saml/sp/acs?tgname=BeyondIdentity-AC-SAML
SP Audience URI: https://asa.azure-hybrid.us/saml/sp/metadata/BeyondIdentity-AC-SAML
Name ID Format: emailAddress
Subject User Attribute: UserName
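As an added illustration (not part of this guide, nor Cisco or Beyond Identity tooling), the following Python script parses a SAML IdP metadata document, checks that the signing certificate in the metadata matches the PEM file downloaded in Step 1, derives the Step 3 SP URLs from the ASA base-url and tunnel-group name, and emits the Step 2 "saml idp" block with the parsed values filled in. The sample metadata, its entity ID, SSO URL and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata; entity ID, SSO URL and cert bytes are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata.xml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>AQIDBA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return (entityID, HTTP-Redirect SSO URL, list of base64 DER signing certs)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    certs = [c.text.strip() for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") != "encryption"  # unset 'use' covers signing too
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return root.get("entityID"), sso[0], certs

def der_sha256(b64_der):
    """SHA-256 fingerprint of a base64 DER certificate (metadata value or PEM body)."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()

def pem_body(pem):
    """Strip PEM armour so the downloaded file can be compared with the metadata cert."""
    return "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))

def sp_urls(base_url, tunnel_group):
    """ACS URL and Audience URI the ASA exposes for a tunnel-group (Step 3 values)."""
    return (f"{base_url}/+CSCOE+/saml/sp/acs?tgname={tunnel_group}",
            f"{base_url}/saml/sp/metadata/{tunnel_group}")

def asa_saml_idp_commands(entity_id, sso_url, base_url, idp_tp, sp_tp):
    """Emit the Step 2 'webvpn / saml idp' block with the parsed values filled in."""
    return ["webvpn", f" saml idp {entity_id}", f"  url sign-in {sso_url}",
            "  url sign-out https://www.beyondidentity.com", f"  trustpoint idp {idp_tp}",
            f"  trustpoint sp {sp_tp}", "  no force re-authentication", "  no signature",
            f"  base-url {base_url}"]
```

Run it against the real metadata.xml and downloaded certificate before pasting anything into the ASA: a fingerprint mismatch means the trustpoint would not trust the assertions the IdP actually signs.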