ISE Admin Portal SSO

1. Overview

ISE supports SAML 2.0 for admin portal authentication, enabling Single Sign-On with Keycloak.

ISE SAML IdP configuration is GUI-only. There is no REST API endpoint for SAML IdP management.

2. Prerequisites

  • Keycloak SAML client configured (see SAML Client for ISE)

  • Keycloak IdP metadata XML downloaded

  • ISE admin access (local admin account for fallback)

  • DOMUS-ROOT-CA trusted by browser

3. Step 1: Import DOMUS-ROOT-CA into Browser

Firefox uses its own certificate store (ignores system trust store):

  1. Settings → Privacy & Security → View Certificates

  2. Authorities tab → Import

  3. Select /etc/ssl/certs/DOMUS-ROOT-CA.pem

  4. Check "Trust this CA to identify websites"

4. Step 2: Download Keycloak Metadata

Fetch the descriptor over a verified TLS connection (the metadata carries the IdP signing certificate, so do not skip verification with -k; the DOMUS-ROOT-CA from the prerequisites validates the Keycloak certificate):

curl --cacert /etc/ssl/certs/DOMUS-ROOT-CA.pem \
  https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis/protocol/saml/descriptor \
  -o /tmp/keycloak-metadata.xml

5. Step 3: Configure SAML IdP in ISE

Navigate to: Administration → Identity Management → External Identity Sources → SAML Id Providers

  1. Click Add

  2. IdP Name: keycloak_01

  3. Select Import metadata from file

  4. Upload /tmp/keycloak-metadata.xml

  5. Click Import

6. Step 4: Export ISE SP Metadata (Critical)

ISE generates a unique Entity ID. This must match the Keycloak client ID.

  1. Click Export Service Provider Info

  2. Save the XML file

  3. Note the Entity ID:

entityID="http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8"

7. Step 5: Update Keycloak Client ID

In Keycloak Admin Console:

  1. Navigate to: Clients → (ISE client)

  2. Update Client ID to match ISE Entity ID exactly

  3. Update Valid redirect URIs:

https://ise-01.inside.domusdigitalis.dev:8443/*

The :8443 port is required. Without it, SAML redirect will fail.
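A consistency check for Steps 4 and 5, added here as an example (it is not ISE or Keycloak code): it parses an exported ISE SP metadata file and reports whether the Keycloak Client ID equals the ISE entityID and whether a Valid redirect URI covers every AssertionConsumerService location, including the :8443 port. The metadata sample is constructed; only the entityID is the one shown above, and the ACS path is an assumed value.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of an ISE "Export Service Provider Info" file.
# The entityID is the one from this page; the ACS path is an assumed value.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise-01.inside.domusdigitalis.dev:8443/portal/SSOLoginResponse.action"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, [AssertionConsumerService locations]) from ISE SP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs = [e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")]
    return entity_id, acs


def _redirect_matches(pattern, url):
    # Simplified Keycloak rule: a trailing '*' is a prefix wildcard, otherwise exact match.
    # Because scheme, host and port are part of the prefix, a pattern without :8443
    # will not cover an ACS location that carries the port.
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def check_keycloak_client(xml_text, client_id, redirect_uris):
    """Return a list of mismatches between the ISE SP metadata and the Keycloak
    client settings; an empty list means Steps 4 and 5 are consistent."""
    entity_id, acs_locations = parse_sp_metadata(xml_text)
    problems = []
    if client_id != entity_id:
        problems.append(f"Client ID {client_id!r} != ISE entityID {entity_id!r}")
    for loc in acs_locations:
        if not any(_redirect_matches(uri, loc) for uri in redirect_uris):
            problems.append(f"no Valid redirect URI covers ACS location {loc}")
    return problems
```

Run it against the real exported XML and the values entered in the Keycloak client to confirm both settings before enabling SAML on the admin portal.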

8. Step 6: Configure Group Mappings

Navigate to ISE SAML IdP → Groups tab:

  Name in Assertion (Keycloak)   Name in ISE
  ise-super-admin                Super Admin
  ise-read-only                  Read Only Admin
  ise-helpdesk                   Helpdesk Admin
  ise-ers-admin                  ERS Admin

ISE Admin Group names are case-sensitive. Use exact case: Super Admin, not super admin.

9. Step 7: Enable SAML for Admin Portal

  1. Navigate to: Administration → Admin Access → Authentication → Authentication Method

  2. Select Password Based or Client Certificate Based or SAML Based

  3. Select IdP: keycloak_01

  4. Click Save

10. Testing

  1. Open: ise-01.inside.domusdigitalis.dev/admin

  2. Select Log In With: keycloak_01

  3. Authenticate with Keycloak credentials

  4. Verify ISE admin access

11. Fallback Access

Always maintain local admin access for emergencies:

https://ise-01.inside.domusdigitalis.dev/admin/LoginAction.do?local=true

12. Monitoring

ssh admin@ise-01.inside.domusdigitalis.dev
show logging application ise-psc.log tail | include SAML