PDF(2.5 MB) View with Adobe Reader on a variety of devices
ePub(2.7 MB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(2.0 MB) View on Kindle device or Kindle app on multiple devices
Updated:November 2, 2023
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes the process of dynamically assigning group policies using SAML authentication on the Cisco Secure Firewall.
Cisco recommends that you have knowledge of these topics:
Basic Remote Access VPN, SSL, and Certificate Knowledge
Basic SAML Knowledge
Experience with Firepower Management Center
The information in this document is based on these software and hardware versions:
Cisco Secure Firewall v7.2.0
Cisco Secure Firewall Management Center (FMC) v7.2.0
Cisco Secure Client 5.0.04032
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
In this document, Okta is used as the Identity Provider (IdP). However, it is essential to note that any IdP that allows for the customization of attributes sent in the SAML Assertion can be used.
The SAML IdP can be configured in order to send assertions attributes in addition to the authentication assertion. The SAML Service Provider component in ASA/FTD interprets the SAML assertions received from IdP and makes policy selections based on them.
Note: This setup only works when a user is part of one and only one group, it does not work when a user is a part of multiple groups.
Okta - SAML Configuration Part #1
1. Navigate to Applications > Applications and click Browse App Catalog. Search forCisco in the catalog search bar and choose Cisco ASA VPN SAML, then click Add Integration.
Okta Add Application
Okta ASA SAML App
Okta Application Add Button
2. Fill in the Application Label in the General Settings section and click Done.
Okta general settings
3. In the Sign On, find the Metadata URL, copy it, and open it in a new tab. The Metadata XML file looks like as shown in this image:
Okta Sign on page
4. Download the SAML SIgning Certificate, from the same Sign On section. This is needed for configuring SSO in FMC.
5. Next, configure the SSO server on FMC. The assumption is made that the SSL certificate is configured and enrolled for FTD (here the trustpoint name is RAVPN-SSL).
FMC - SAML Configuration
1. In FMC, navigate to Devices > Certificates and click Add.
FMC devices nav
2. Choose the appropriate device and click + , next to Cert Enrollment. Give a name for the Cert Enrollment. Under CA Information, choose the Enrollment Type to be Manual. Check the CA Only checkbox and in the CA Certificate section paste the contents of the certificate you received earlier from the Okta SAML page. Once done, click Save.
FMC cert enrollment
fmc cert enrollment details
Note: Check the option Skip Check for CA flag in basic constraints of the CA certificate, since the certificate provided by the IdP is usually self-signed.
3. Click Add in order to enroll in the certificate.
fmc add cert enrollment
4. Navigate toObjects > Object Management > AAA Server > Single Sign-on Server and click Add Single Sign-on Server. Fill in the necessary information, from the Metadata XML (Entity ID and SSO URL), the base URL is the common name (CN) that you have for the FTD SSL Certificate. The IdP Certificate isOktaSSO which was enrolled earlier, and the Service Provider Certificate is the SSL certificate for FTD, which is RAVPN-SSL in this case. Leave everything else as default. Once you are done, click Save.
FMC object nav
FMC SSO config
5. This SSO server is used as our Authentication in the Remote Access Profile. Navigate to Devices > Remote Access > Edit and edit the Connection Profile of Concern. Under the AAA Section, use the SSO server created earlier as the Authentication Method. Once done, click Save. Remember to save the changes by clicking Save on the top right corner.
FMC Devices RA nav
FMC Connection Profile settings
6. Next, create the three Group Policies named, Admins, Finance, and Sales.
7. The Group Policy DfltGrpPolicy has the Simultaneous Login Per User. value set to 0 so that it is not used by any user.
FMC DfltGrpPolicy Settings
8. Navigate to Advanced Section > Group Policies and click +. Click + again in order to create a new group policy.
9. The image shows an example of the group Admins. Enter the name as Admins and this group has Welcome Admins! as their banner value. This group also has Split Tunneling configured to Tunnel networks specified below which has access to both Finance and Sales team servers. Leave the rest of the options as defaults. Once you are done, click Save.
FMC RAVPN Adv GP
GP Add dialog
Admin GP dialog
Admin GP ACL
Admin GP ACL dialog
9. Similarly, create the remaining two groups Finance and Sales. In this lab, they are configured with banner values Welcome Finance Team! and Welcome Sales Team! respectively. They are also configured with split tunneling like the Admins group with them accessing only their servers, that is, the Finance group can access only FinanceServer and the Sales group can only access SalesServer.
10. Once created, add all of them and click OK.
Add All GP
11. Ensure to click Save on the top right corner and deploy the changes.
12. The required configurations on FTD/FMC are completed. The remaining SAML configuration on Okta is configured in the next section.
Okta - SAML Configuration Part #2
1. Navigate to Applications > Applications and click Application > Sign on Section > Edit.
2. The custom group attribute configured in Okta - SAML Config Part #1 which is cisco_group_policy, must be sent in the SAML assertion. Click the dropdown arrow to the left of Attributes (Optional) and in the Group Attributes Statements (Optional), use the group as Name and cisco_group_policy as Filter which matches the regex ^((?!Everyone).*) as shown.
Okta Sign on Settings
Okta App attribute
Note: The Regex filter ^((?!Everyone).*), gives the groups assigned to the user (which is only one per user in this lab) except Everyone, and send it as a value of cisco_group_policy in the SAML assertion.
4. Click Preview SAML in order to see what the assertion looks like.
5. Under Advanced Settings fill the values in the field, in order to complete the SAML configuration on Okta. Once done, click Save.
Entity ID: https://<VPN Base URL>/saml/sp/metadata/<Connection Profile Name>
Assertion Consumer URL: https://<VPN Base URL>/+CSCOE+/saml/sp/acs?tgname=<Connection Profile Name>
Single Logout Service URL: https://<VPN Base URL>/+CSCOE+/saml/sp/logout
Okta SSO Setting
Okta - Users and Groups
1. Start by configuring the groups, create three groups based on the Network Diagram, Admins, Finance, and Sales.
2. Log in to Okta Admin Dashboard. Navigate to Directory > Groups.
Okta directory group nav
3. Click Add group.
Okta add Group
4. Fill in the group name and an optional description. Configuration is shown for the Admins group. After you are done, click Save.
Okta Admin Group
5. Repeat the same steps for adding the Finance and Sales groups.
6. Next, navigate to Directory > Profile Editor > Groups as shown. Click Okta group.
Okta group attribute
7. Click Add Attribute, and fill in the values as shown.
Okta add attribute
Okta group attribute dialog
Note: The value of the field Variable name must be strictly cisco_group_policy.
8. Once done, click Save.
9. Navigate to Directory > Groups, click any of the three groups you created earlier. The image shows an example for the Salesgroup.
Okta Group list
10. Under the Profile section, the attribute created in Step 7. can be seen. Click Edit and fill in the value with the name of the Group Policy you want that group to be assigned. Configure the value Sales in order to keep it simple. Once done, click Save.
Okta Sales Group
11. Repeat the same steps for the groups Admins and Finance. Configure the value for cisco_group_policy to Admins and Finance respectively.
Note: The value of cisco_group_policy must be exactly the same as the group policy name configured earlier.
12. Next, create some users and assign them to the groups created in the previous steps. Navigate to Directory > Peopleand click Add Person.
13. Create three users to test the lab, FinanceUser, SalesUser, and AdminUser that belong to Finance, Sales, and Admins groups respectively. The image shows an example for FinanceUser groups.
Okta add person
Okta finance user
14. Repeat the same steps for the remaining two users; AdminUser and SalesUser.
15. The final step is to add the groups created to the SAML application. Navigate to Applications > Applications > Edit > Assignments. Click Assign > Assign to Groups. Assign to the three groups created earlier and click Done.