SAML Authentication

Single Sign-On (SSO) using SAML 2.0

Cisco Email Security appliance now supports SAML 2.0 SSO so that the administrative users can log in to the web interface of the appliance using the same credentials that are used to access other SAML 2.0 SSO enabled services within their organization. For instance, if you enable Duo, Microsoft AD FS or Azure as your SAML Identity Provider (IdP), then you can configure your appliance as a Service Provider (SP) to support SAML 2.0 SSO. Users can sign in once and have access to all SAML 2.0 SSO enabled services.

  • SAML is an XML-based open-standard data format that lets administrators access a defined set of Cisco collaboration applications seamlessly after signing in to one of them.
  • SAML describes the exchange of security-related information between trusted business partners.
  • It is an authentication protocol used by service providers (for example, the Cisco Email Security appliance) to authenticate a user.
  • SAML enables the exchange of security authentication information between an Identity Provider (IdP) and a Service Provider (SP).
  • To learn more, see http://saml.xml.org/saml-specifications

Benefits:

  • Seamless login to multiple security appliances by entering the credentials only once.
  • It reduces password fatigue by removing the need to enter a different user name and password combination for each security appliance.
  • It improves productivity because you spend less time re-entering credentials for the same identity.
  • With this mechanism, the authentication work is offloaded to the Identity Provider (IdP) and the security appliance only has to handle authorization.
  • Changes made by an administrator are easy to identify, because the audit logs indicate which AD user logged in, which was not the case when shared common credentials were used.

SSO SAML IdPs:

  • Duo Access Gateway (DAG) adds two-factor authentication to popular cloud services using SAML 2.0 federation.
  • Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft.
  • Azure Active Directory (Azure AD) uses the SAML 2.0 protocol to enable applications to provide a single sign-on experience to their users.
  • Okta supports authentication with an external SAML Identity Provider (IdP).

Note: Looking for a G Suite SAML setup example? See Configuring G Suite (Gmail) for SAML Log-in.

Example: Using Azure for SAML

[Azure] Create an Enterprise Application

  1. Log in to your Azure Admin Portal
  2. Navigate to Azure Active Directory > Enterprise applications
  3. Click + New application
  4. Name your application. The recommendation is to name it after your ESA hostname, or similar.
  5. Click Add at the bottom of the pane to complete

Configure Single Sign-On w/ SAML

  1. Click Single sign-on
  2. Click on SAML
  3. Click on Download for Federation Metadata XML

Note the filename and download location. You will use this XML file in the next section.

[ESA] Configure Service Provider (SP) settings on ESA

Note: You will need an SP certificate and private key for this. Using openssl on your PC/host, run the following to create a self-signed certificate and its private key:

```
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
```

  1. Log in to your ESA UI
  2. Navigate to System Administration > SAML
  3. Click on Add Service Provider...
  4. Create a Profile Name, such as "ESA_SP"
  5. Create an Entity ID
  6. For CES, change the Assertion Consumer URL to the proxy URL that you use to connect to your ESA externally
  7. Choose the SP certificate and private key that you created
  8. Enter your Organization Details and Technical Contact
  9. Submit and commit your configuration changes
  10. Click Download Metadata to retrieve your SP metadata file (XML)

Next, we will create the Identity Provider (IDP) settings...

  1. Click Add Identity Provider...
  2. Create a Profile Name, such as "SAML_IDP"
  3. Select Import IDP Metadata
  4. Click Choose File and select the Federation Metadata XML you downloaded from Azure
  5. Submit and commit your configuration changes

At this point the SAML page should list both the Service Provider and the Identity Provider profiles you just created.

[Azure] Configure Identity Provider (IDP) settings on ESA

  1. Return to your Azure Admin Portal and your application screen
  2. Click Upload metadata file to upload the SP metadata file (XML) you just created on your ESA
  3. Select the SP metadata file (XML) filename
  4. Click Add
  5. Validate that the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) correctly match the proxy URL that you use to connect to your ESA externally
  6. Click Save
  7. Click [X] to close the Basic SAML Configuration pane

[Azure] User Attributes & Claims

  1. Click the pencil to edit User Attributes and Claims
  2. Click Add a group claim
  3. Select All groups
  4. Click Save at the bottom of the pane
  5. Click [X] to close the User Attributes & Claims editing pane
  6. Ignore the pop-up for "Validate single sign-on..." by selecting No, I'll validate later

[Azure] Configure Users or Groups for Single Sign-on Access

  1. Click on Users and groups
  2. Click on + Add user
  3. Step through Add Assignment and Users and Groups, adding individuals or groups as needed
  4. Click Assign at the bottom of the pane to complete
  5. Finally, find the Object ID for your AD group: navigate to Azure Active Directory > Groups and click on the group name to see its attributes. Note the Object ID for use in the next section.

[ESA] Configure External Authentication and Attributes on ESA

  1. Return to your ESA UI
  2. Navigate to System Administration > Users
  3. Click Enable... for Customer Settings
  4. Change the dropdown for Authentication Type to SAML
  5. Set the Attribute Name for Matching the Group Map
  6. For Group Mapping, paste in your Object ID
  7. Submit and commit your configuration changes

Alerts

The following is an example of the admin alert notifications sent once SAML is configured:

```
Subject: Info <SAML> esa4.hc3033-47.iphmx.com: An error occured during SSO authentication. Details: User: r...

The Info message is:

An error occured during SSO authentication. Details: User: [email protected] Reauthorize failed on appliance, While fetch user privileges from group mapping.

Version: 13.0.0-252
Serial Number: 420D4F36AAEBC0093B4F-B9E72189A021
Timestamp: 06 Sep 2019 00:17:50 +0500
```
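The authorization step that the group-mapping configuration above drives, and whose failure produces the alert above, as an added Python example (not Cisco's code): the group Object IDs, role names and the SAML assertion are constructed, the Azure group-claim attribute name is the standard one Azure AD emits for the "All groups" claim, and the assertion is assumed to have already passed signature and audience checks.

```python
# Added example (not Cisco's code): the authorization that ESA performs after a
# SAML login, following the group-mapping steps above. The assertion is assumed
# to have passed signature and audience checks before it reaches this point.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute Name Azure AD emits for the "All groups" claim added above.
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed group map (placeholder Object IDs): group Object ID -> ESA role.
GROUP_MAP = {
    "11111111-2222-3333-4444-555555555555": "Administrator",
    "66666666-7777-8888-9999-000000000000": "Read-Only Operator",
}

# Constructed assertion: the user is in one mapped group and one unmapped group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(assertion_xml, name):
    """Return every AttributeValue of the SAML attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return values

def resolve_role(assertion_xml, attribute_name=AZURE_GROUPS_CLAIM, group_map=GROUP_MAP):
    """Map the user's group Object IDs to an ESA role. Returns None when no group in
    the assertion is mapped, which is the case the 'Reauthorize failed ... While fetch
    user privileges from group mapping' alert reports."""
    roles = [group_map[g] for g in attribute_values(assertion_xml, attribute_name) if g in group_map]
    if not roles:
        return None
    # Assumed policy for users in several mapped groups: the most privileged role wins.
    return "Administrator" if "Administrator" in roles else roles[0]

if __name__ == "__main__":
    print(resolve_role(SAMPLE_ASSERTION))                # Read-Only Operator
    print(resolve_role(SAMPLE_ASSERTION, group_map={}))  # None -> deny login, raise alert
```

A user whose assertion carries no mapped group Object ID is denied even though the IdP authenticated them, so a wrong Object ID or a missing group claim shows up as the alert above rather than as a login page error.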
