SAML Client for ISE

1. Overview

ISE acts as a SAML Service Provider (SP). We configure Keycloak as the Identity Provider (IdP) with a SAML client representing ISE.

ISE does not use its FQDN as the SP Entity ID. It generates one of the form http://CiscoISE/<UUID>, so you must export ISE's SP metadata and copy the entityID value from it; the Keycloak Client ID has to match that value exactly.

2. Prerequisites

  • Keycloak realm created (domusdigitalis)

  • ISE admin access to export SP metadata

  • Network connectivity between ISE and Keycloak

3. Step 1: Export ISE SP Metadata

ISE generates its own Entity ID. You must export this before creating the Keycloak client.

  1. Navigate to ISE: Administration → Identity Management → External Identity Sources → SAML Id Providers

  2. Click Add

  3. Before configuring, click Export Service Provider Info

  4. Save the XML file

Example ISE Entity ID
entityID="http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8"

The UUID is unique to each ISE deployment. Each ISE node may have a different Entity ID.

4. Step 2: Create SAML Client in Keycloak

4.1. Via Admin Console

  1. Navigate to Clients → Create client

  2. Configure:

  Setting       Value
  -----------   -----------------------------------------------------------
  Client type   SAML
  Client ID     The entityID copied verbatim from the ISE SP metadata,
                e.g. http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8.
                Keycloak looks the client up by matching this value against
                the Issuer of ISE's AuthnRequest, so any difference (scheme,
                case, trailing characters) fails the login.
  Name          Cisco ISE Admin Portal

5. Step 3: Configure Client Settings

Navigate to Settings tab:

  Valid redirect URIs
      https://ise-01.inside.domusdigitalis.dev:8443/*
      Must include port 8443. Keycloak checks the AssertionConsumerServiceURL
      carried in ISE's AuthnRequest against this list before it will post a
      response anywhere.

  Master SAML Processing URL
      https://ise-01.inside.domusdigitalis.dev:8443/portal/SSOLoginResponse.action
      ISE's Assertion Consumer Service (ACS) URL, as listed in the exported SP
      metadata.

  Force POST Binding
      ON

  Include AuthnStatement
      ON
      Required by ISE.

  Sign assertions
      ON
      ISE verifies the assertion signature with the certificate contained in
      the IdP metadata imported in Step 6.

The redirect URI MUST include port :8443. Without it you will get "Invalid redirect uri" errors, because ISE's admin portal, and therefore its ACS URL, is served on 8443 rather than 443.

6. Step 4: Configure SAML Capabilities

Navigate to Keys tab:

  Setting                     Value
  -------------------------   -----
  Client signature required   OFF
  Encrypt assertions          OFF

With Client signature required OFF, Keycloak does not verify a signature on ISE's AuthnRequest. An unsigned request can only start a login; the response is still signed and is only ever posted to a Valid redirect URI, so the trade-off is acceptable. Turn it ON only if ISE signs its requests and you have imported ISE's signing certificate into the client's Keys tab. Encrypt assertions can stay OFF because the assertion travels over TLS on both legs (browser to Keycloak, browser to ISE on 8443); turning it ON would additionally require ISE's encryption certificate.

7. Step 5: Configure Protocol Mappers

Navigate to Client scopes → click the client's dedicated scope (named after the Client ID with a -dedicated suffix) → Mappers → Configure a new mapper.

7.1. Groups Mapper (Required)

  Setting                  Value
  ----------------------   ----------
  Mapper type              Group list
  Name                     groups
  Group attribute name     groups
  Single Group Attribute   ON
  Full group path          OFF

Full group path must be OFF. ISE expects just the group name (e.g., ise-super-admin), not the full path (/ise-super-admin).

7.2. Email Mapper

  Setting               Value
  -------------------   -------------
  Mapper type           User Property
  Name                  email
  Property              email
  SAML Attribute Name   email

8. Step 6: Export IdP Metadata

Download Keycloak's SAML metadata for import into ISE:

curl -k https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis/protocol/saml/descriptor \
  -o /tmp/keycloak-metadata.xml

This file carries the IdP entityID, the SSO endpoint and the signing certificate that ISE will trust for every subsequent admin login. The -k flag disables TLS certificate verification, which is exactly what would let an attacker on the path hand you a descriptor containing their own certificate. On anything but a trusted network, drop -k and pass --cacert with your internal CA certificate, or at least compare the X509Certificate in the file with the realm signing key shown in the Keycloak console under Realm settings → Keys.
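Step 1 and Step 6 each produce a metadata file, and the whole pairing depends on values copied correctly between them. The script below is an added example, not part of the original page: it derives the Keycloak client values (Client ID, Master SAML Processing URL, Valid redirect URIs) from the exported ISE SP metadata, and runs sanity checks on the downloaded Keycloak IdP metadata before it is imported into ISE. Both XML files are constructed samples shaped like the real exports; the hostnames, realm and UUID are the page's examples, and the certificate is a placeholder.

```shell
#!/usr/bin/env sh
# Added example, not part of the original page: derive the Keycloak client
# values from the ISE SP metadata exported in Step 1 and sanity-check the
# Keycloak IdP metadata downloaded in Step 6 before importing it into ISE.
# Both XML files are constructed samples shaped like the real exports; the
# hostnames, realm and UUID are the page's examples.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of ISE "Export Service Provider Info" output.
cat > "$WORK/ise-sp.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise-01.inside.domusdigitalis.dev:8443/portal/SSOLoginResponse.action"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF

# Constructed sample of Keycloak's /realms/<realm>/protocol/saml/descriptor.
cat > "$WORK/keycloak-idp.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF

# Value of the first occurrence of attribute $1 in file $2.
# grep/sed is enough for these exports; prefer xmllint --xpath if installed.
xml_attr() {
    grep -o "$1=\"[^\"]*\"" "$2" | head -n 1 | sed 's/^[^"]*"//; s/"$//'
}

# Keycloak "Client ID": the SP entityID, copied character for character.
ise_client_id() { xml_attr entityID "$1"; }

# Keycloak "Master SAML Processing URL": ISE's AssertionConsumerService Location.
ise_acs_url() { xml_attr Location "$1"; }

# Keycloak "Valid redirect URIs": scheme://host:port/* taken from the ACS URL,
# so the :8443 port behind "Invalid redirect uri" cannot be left out.
ise_redirect_uri() {
    ise_acs_url "$1" | sed 's#^\([a-z]*://[^/]*\).*#\1/*#'
}

# Checks on the IdP metadata before it goes into ISE:
#   - entityID is the expected realm URL (the right realm was fetched)
#   - a signing KeyDescriptor is present (ISE uses it to verify assertions)
#   - an HTTP-POST binding is advertised (Force POST Binding is ON)
# Prints "ok" and returns 0, or prints each failure and returns 1.
check_idp_metadata() {
    file="$1"; expected_entity="$2"; rc=0
    got="$(xml_attr entityID "$file")"
    [ "$got" = "$expected_entity" ] || { echo "entityID mismatch: $got"; rc=1; }
    grep -q 'KeyDescriptor use="signing"' "$file" || { echo "no signing certificate"; rc=1; }
    grep -q 'bindings:HTTP-POST' "$file" || { echo "no HTTP-POST binding"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo ok; fi
    return "$rc"
}

printf 'Client ID:                  %s\n' "$(ise_client_id "$WORK/ise-sp.xml")"
printf 'Master SAML Processing URL: %s\n' "$(ise_acs_url "$WORK/ise-sp.xml")"
printf 'Valid redirect URIs:        %s\n' "$(ise_redirect_uri "$WORK/ise-sp.xml")"
check_idp_metadata "$WORK/keycloak-idp.xml" \
    "https://keycloak-01.inside.domusdigitalis.dev:8443/realms/domusdigitalis"
```

Point the functions at the real exports (the XML saved in Step 1 and /tmp/keycloak-metadata.xml from Step 6) and paste the printed values into the Keycloak client rather than retyping them; a failed check_idp_metadata means the descriptor should not be imported into ISE.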

9. Common Configuration Errors

  Error                                    Cause
  ---------------------------------------  --------------------------------------------------------
  "Invalid Request"                        Client ID does not match ISE's Entity ID (the Issuer in
                                           ISE's AuthnRequest)
  "Invalid redirect uri"                   Redirect URI missing port 8443
  User authenticated but no admin access   Groups mapper not configured, or Full group path is ON
                                           so ISE receives /ise-super-admin instead of
                                           ise-super-admin