Phase 1: Entra ID Configuration

Enterprise Application Registration

  • Azure Portal → Entra ID → Enterprise Applications → New Application

  • Create non-gallery application: "ASA VPN SAML" (or org naming convention)

  • Assign users/groups: SG-VPN-Users

  • Configure Single Sign-On → SAML

SAML SSO Configuration

Field                   Value
Identifier (Entity ID)  <asa-external-fqdn>/saml/sp/metadata/<tunnel-group-name>
Reply URL (ACS)         <asa-external-fqdn>/CSCOE/saml/sp/acs?tgname=<tunnel-group-name>
Sign-on URL             <asa-external-fqdn>
Relay State             (leave blank)
Logout URL              <asa-external-fqdn>/CSCOE/saml/sp/logout

Replace <asa-external-fqdn> and <tunnel-group-name> with actual values from Phase 0 inventory.

Claims / Attribute Mapping

Claim        Source Attribute                   Notes
NameID       user.userprincipalname             Format: Email — must match ISE identity
groups       user.groups (filtered to VPN SG)   For group-based authz in ISE/ASA DAP
displayname  user.displayname                   Optional — for session logging
email        user.mail                          Optional

Conditional Access Policy

  • Create CA policy scoped to the enterprise app

  • Conditions: All users in SG-VPN-Users

  • Grant: Require MFA + compliant device (or start permissive)

  • Session: Sign-in frequency appropriate for VPN

Certificate & Metadata Export

  • Download Federation Metadata XML from Entra

  • Download SAML Signing Certificate (Base64)

  • Note Login URL, Logout URL, Azure AD Identifier

  • Store metadata securely: data/d001/projects/asa-vpn-okta-to-entra/certs/

Certificates are sensitive. Encrypt them with age before committing: encrypt-file <path>
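The SP-side values in the SAML SSO table and the IdP-side values exported at the end of this phase are easy to mistype in the portal. The script below is an added example for this runbook, not part of it: it expands the SP fields from the Phase 0 inventory values using the same path templates as the table, parses a downloaded Federation Metadata XML to pull out the Login URL, Logout URL, Azure AD Identifier and signing certificate, and confirms that the separately downloaded Base64 signing certificate is the one the metadata advertises. The function names, the all-zero tenant id and the embedded "certificate" blob are constructed placeholders (the blob is not a real X.509 certificate; it only exercises the fingerprint comparison).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by the Entra federation metadata document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def asa_sp_settings(asa_fqdn: str, tunnel_group: str) -> dict:
    """Expand the Phase 1 SP-side fields from the Phase 0 inventory values."""
    base = asa_fqdn.rstrip("/")
    return {
        "identifier": f"{base}/saml/sp/metadata/{tunnel_group}",
        "reply_url": f"{base}/CSCOE/saml/sp/acs?tgname={tunnel_group}",
        "sign_on_url": base,
        "relay_state": "",
        "logout_url": f"{base}/CSCOE/saml/sp/logout",
    }


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes of a Base64 certificate; PEM armour and whitespace are ignored."""
    body = "".join(
        line.strip() for line in b64_cert.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def parse_entra_federation_metadata(xml_text: str) -> dict:
    """Extract the values the runbook says to note from the IdP metadata, failing loudly if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    slo = idp.find(f"md:SingleLogoutService[@Binding='{REDIRECT}']", NS)
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                fingerprints.append(cert_fingerprint(c.text or ""))
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")
    return {
        "entra_identifier": root.get("entityID"),
        "login_url": sso.get("Location"),
        "logout_url": slo.get("Location") if slo is not None else None,
        "signing_cert_sha256": fingerprints,
    }


def downloaded_cert_matches_metadata(meta: dict, b64_cert: str) -> bool:
    """True when the separately downloaded signing cert is one the metadata advertises."""
    return cert_fingerprint(b64_cert) in meta["signing_cert_sha256"]


# Constructed sample input: placeholder tenant id and a fake certificate blob.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
STALE_CERT_B64 = base64.b64encode(b"a previous, rotated-out placeholder certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for k, v in asa_sp_settings("https://vpn.example.com", "TG-Entra").items():
        print(f"{k:12} {v}")
    meta = parse_entra_federation_metadata(SAMPLE_METADATA)
    print(meta)
    print("downloaded cert matches metadata:", downloaded_cert_matches_metadata(meta, SAMPLE_CERT_B64))
```

Run it against the real Federation Metadata XML and the Base64 certificate from the export step; a mismatch between the two downloads usually means the signing certificate was rotated in Entra between the two downloads, and the ASA must be given the certificate the metadata actually advertises.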