INC-2026-02-14-001: Investigation

Root Cause

When restoring an ISE backup to a different hostname:

  1. ISE SAML Service Provider (SP) configuration remains intact

  2. ISE Entity ID is per-deployment (UUID-based), not hostname-based

  3. Keycloak SAML client had redirect URIs hardcoded to ise-02

  4. SAML assertion destination URL did not match the new hostname

Entity ID Structure

ISE generates a unique Entity ID per deployment:

http://CiscoISE/{deployment-uuid}

This Entity ID survived the backup/restore because it’s stored in the ISE database.
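
The mismatch described under Root Cause can be checked after a restore by comparing the SP metadata with the IdP client settings. The sketch below is an added example, not part of the original investigation; the UUID, the example.test hostnames and the ACS path are constructed placeholders, and the redirect URI list stands in for the `redirectUris` field of the Keycloak client.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: SP metadata exported after the restore. The UUID, the new
# hostname and the ACS path are placeholders, not values from the incident.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://CiscoISE/00000000-0000-0000-0000-000000000000">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise-new.example.test:8443/placeholder/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: redirect URIs still configured on the Keycloak SAML client.
KEYCLOAK_REDIRECT_URIS = ["https://ise-02.example.test:8443/*"]


def hosts(urls):
    """Hostnames of the given URLs, skipping entries without a host part."""
    return {h for h in (urlparse(u).hostname for u in urls) if h}


def check_sp_against_idp(metadata_xml, redirect_uris):
    """Compare ACS hosts in the SP metadata with hosts the IdP client allows."""
    root = ET.fromstring(metadata_xml)
    acs_hosts = hosts(
        acs.get("Location", "") for acs in root.iter(MD + "AssertionConsumerService")
    )
    idp_hosts = hosts(redirect_uris)
    return {
        # Unchanged by the restore, so it gives no hint that anything moved.
        "entity_id": root.get("entityID"),
        # Hosts the SP now answers on that the IdP client does not allow.
        "missing_on_idp": sorted(acs_hosts - idp_hosts),
        # Hosts the IdP client still allows that the SP no longer uses.
        "stale_on_idp": sorted(idp_hosts - acs_hosts),
    }


if __name__ == "__main__":
    for key, value in check_sp_against_idp(SP_METADATA, KEYCLOAK_REDIRECT_URIS).items():
        print(f"{key}: {value}")
```

A non-empty `missing_on_idp` or `stale_on_idp` means the IdP client still points at the old hostname even though the Entity ID matches.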