Phase 2: ISE 3.2 SAML Configuration
Option A: ISE as SAML IdP Proxy
Use this option only if ISE 3.2 supports external SAML IdP providers (verified in Phase 0).
Add Entra as External SAML IdP
- ISE Admin → Administration → Identity Management → External Identity Sources → SAML Id Providers
- Add Provider → Import Entra Federation Metadata XML
- Configure:

| Field | Value |
|---|---|
| Name | |
| IdP Entity ID | From Entra metadata (Azure AD Identifier) |
| SSO URL | From Entra metadata (Login URL) |
| SLO URL | From Entra metadata (Logout URL) |
| Signing Certificate | Entra SAML signing cert (imported from Phase 1) |
ISE Identity Source Sequence
- Create/update Identity Source Sequence to include the SAML provider
- Map SAML assertion attributes to ISE identity attributes
- Configure group mapping: Entra groups → ISE identity groups
ISE Authorization Policy
- Create an authorization rule for VPN SAML sessions
- Match condition: Identity Source = Entra-ID-VPN
- Result: Authorization profile with the appropriate DACL/SGT for VPN users
Option B: ISE as RADIUS Post-Auth (if SAML proxy unavailable)
ASA handles SAML directly with Entra. ISE provides posture and authorization via RADIUS.
ISE RADIUS Policy for SAML-Authenticated Sessions
- ASA sends RADIUS accounting/authorization after SAML auth completes
- ISE policy matches on:
  - NAS-IP-Address = ASA
  - Tunnel-Group-Name or Cisco-AV-Pair attributes from ASA
- Authorization profile: DACL, SGT, or posture redirect as needed
ISE Posture (Optional)
- If posture is required: ISE redirects AnyConnect for a posture check after SAML auth
- Posture policy: OS patches, AV status, disk encryption
- CoA after posture: elevate from the limited to the full VPN DACL
Certificate Trust
- Import Entra SAML signing cert into the ISE trusted certificate store (Administration > System > Certificates > Trusted Certificates > Import)
- Export ISE SAML signing cert for ASA trust (if Option A)
- Verify cert chain: Entra → ISE → ASA (no gaps)
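The Configure table under Option A and the Certificate Trust steps both depend on reading the same values out of the Entra federation metadata XML. The script below is an added example (not part of this plan, and not Cisco or Microsoft code) that pulls the IdP Entity ID, SSO/SLO URLs and signing certificate out of a metadata file, produces the ISE form fields, and reports any signing certificate the ISE trusted store does not yet hold. It uses only the Python standard library. The embedded metadata is a constructed sample: the tenant id, URLs and the ten-byte "certificate" are placeholders, not real values. The fingerprint format (colon-separated SHA-256 of the DER bytes) is an assumption; compare it against whatever form the ISE Trusted Certificates view shows.

```python
"""Read an Entra ID federation-metadata XML into the values the ISE SAML
Id Provider form asks for, and cross-check the IdP signing certificate(s)
against the fingerprints already imported into the ISE trusted store."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespace and binding URIs.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BIND_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BIND_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata. Tenant id and URLs are placeholders; the
# X509Certificate element holds 10 dummy bytes, not a real certificate.
_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>AAECAwQFBgcICQ==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{BIND_REDIRECT}"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
    <SingleSignOnService Binding="{BIND_REDIRECT}"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
    <SingleSignOnService Binding="{BIND_POST}"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of DER certificate bytes."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO/SLO endpoints (by binding) and signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP, not IdP, metadata")

    def endpoints(tag: str) -> dict:
        return {e.get("Binding"): e.get("Location")
                for e in idp.findall(f"md:{tag}", NS)}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    if not certs:
        raise ValueError("metadata lists no signing certificate")
    return {"entity_id": root.get("entityID"),
            "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"),
            "signing_certs": certs}


def ise_idp_fields(meta: dict, name: str, binding: str = BIND_POST) -> dict:
    """One entry per row of the ISE SAML Id Provider configuration table."""
    if binding not in meta["sso"]:
        raise ValueError(f"IdP offers no SSO endpoint for binding {binding}")
    # Fall back to any SLO endpoint if none is published for the chosen binding.
    slo = meta["slo"].get(binding) or next(iter(meta["slo"].values()), None)
    return {"Name": name,
            "IdP Entity ID": meta["entity_id"],
            "SSO URL": meta["sso"][binding],
            "SLO URL": slo,
            "Signing Certificate": [fingerprint(c) for c in meta["signing_certs"]]}


def certs_missing_from_trust_store(meta: dict, trusted_fingerprints) -> list:
    """Fingerprints present in the metadata but absent from the ISE trusted
    store. Any entry here means ISE cannot validate assertions signed with
    that certificate, which is what a gap in the Entra → ISE chain looks like."""
    trusted = {fp.upper() for fp in trusted_fingerprints}
    return [fingerprint(c) for c in meta["signing_certs"]
            if fingerprint(c) not in trusted]


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for field, value in ise_idp_fields(meta, "Entra-ID-VPN").items():
        print(f"{field:20} {value}")
    # Paste the fingerprints shown under Trusted Certificates here.
    print("missing from ISE trust store:", certs_missing_from_trust_store(meta, []))
```

Entra metadata can list more than one signing certificate while a certificate rollover is in progress; import every certificate the script reports as missing, not just the first, so that assertions signed with either key validate on ISE.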