SAML IdP Configuration

Overview

Configure SAML Identity Providers for ISE Admin portal Single Sign-On.

Commands

netapi ise saml [COMMAND]
Command                Description
list-idps              List configured SAML Identity Providers
create-from-metadata   Create IdP from metadata XML file
delete-idp             Delete a SAML Identity Provider
list-admin-groups      List ISE Admin Groups for mapping
import-keycloak        Import Keycloak as IdP automatically

List SAML IdPs

netapi ise saml list-idps

Create IdP from Metadata

# Download IdP metadata first (--fail stops curl from saving an HTTP error page as metadata)
curl --fail -o idp-metadata.xml https://idp.example.com/metadata

# Create IdP in ISE
netapi ise saml create-from-metadata idp-metadata.xml --name "Corporate IdP"

Delete IdP

netapi ise saml delete-idp "Old IdP Name"

List Admin Groups

# Show groups available for SAML group mapping
netapi ise saml list-admin-groups

Import Keycloak

# Automatically import Keycloak as SAML IdP
netapi ise saml import-keycloak \
  --url https://keycloak.example.com/realms/master \
  --name "Keycloak SSO"

This command:

  1. Downloads Keycloak SAML metadata

  2. Creates IdP in ISE

  3. Configures attribute mapping

Use Cases

Enable Admin SSO

#!/bin/bash
# Setup Keycloak SSO for ISE Admin
set -euo pipefail  # stop at the first failed command

# 1. Import Keycloak IdP
netapi ise saml import-keycloak \
  --url https://keycloak.example.com/realms/master \
  --name "Keycloak"

# 2. List admin groups for mapping
echo "Available Admin Groups:"
netapi ise saml list-admin-groups

# 3. Map groups in ISE GUI:
#    Administration > Admin Access > Authentication > SAML IdP Groups

Migrate IdPs

#!/bin/bash
set -euo pipefail  # stop at the first failed command

# List current IdPs
netapi ise saml list-idps

# Delete old
netapi ise saml delete-idp "Old IdP"

# Create new
netapi ise saml create-from-metadata new-idp-metadata.xml --name "New IdP"

Related Commands

  • cert - Certificate management

  • ad - Active Directory integration