Configure Dynamic Group Policy Assignment with SAML on Secure Firewall for Secure Client

Available Languages

Download Options

  • PDF     (2.5 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.7 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (2.0 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:November 2, 2023
Document ID:221173

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction


    This document describes the process of dynamically assigning group policies using SAML authentication on the Cisco Secure Firewall.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic Remote Access VPN, SSL, and Certificate Knowledge
    • Basic SAML Knowledge
    • Experience with Firepower Management Center

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Secure Firewall v7.2.0
    • Cisco Secure Firewall Management Center (FMC) v7.2.0
    • Cisco Secure Client 5.0.04032

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    In this document, Okta is used as the Identity Provider (IdP). However, it is essential to note that any IdP that allows for the customization of attributes sent in the SAML Assertion can be used.


    The SAML IdP can be configured in order to send assertions attributes in addition to the authentication assertion. The SAML Service Provider component in ASA/FTD interprets the SAML assertions received from IdP and makes policy selections based on them.

    Configure

    Network Diagram

    Lab TopologyLab Topology

    note-icon

    Note: This setup only works when a user is part of one and only one group, it does not work when a user is a part of multiple groups.

    Configurations

    Okta - SAML Configuration Part #1

    1. Navigate to Applications > Applications and click Browse App Catalog. Search forCisco in the catalog search bar and choose Cisco ASA VPN SAML, then click Add Integration.

    Okta Add ApplicationOkta Add Application

    Okta ASA SAML AppOkta ASA SAML App

    Okta Application Add ButtonOkta Application Add Button

    2. Fill in the Application Label in the General Settings section and click Done.

    Okta General SettingsOkta general settings

    3. In the Sign On, find the Metadata URL, copy it, and open it in a new tab. The Metadata XML file looks like as shown in this image:

    Okta Sign on PageOkta Sign on page

    Metadata XMLMetadata XML

    4. Download the SAML SIgning Certificate, from the same Sign On section. This is needed for configuring SSO in FMC.

    5. Next, configure the SSO server on FMC. The assumption is made that the SSL certificate is configured and enrolled for FTD (here the trustpoint name is RAVPN-SSL).

    FMC - SAML Configuration

    1. In FMC, navigate to Devices > Certificates and click Add.

    FMC Devices NavigationFMC devices nav

    2. Choose the appropriate device and click + , next to Cert Enrollment. Give a name for the Cert Enrollment. Under CA Information, choose the Enrollment Type to be Manual. Check the CA Only checkbox and in the CA Certificate section paste the contents of the certificate you received earlier from the Okta SAML page. Once done, click Save.

    FMC Cert EnrollmentFMC cert enrollment

    FMC Cert Enrollment Detailsfmc cert enrollment details

    note-icon

    Note: Check the option Skip Check for CA flag in basic constraints of the CA certificate, since the certificate provided by the IdP is usually self-signed.

    3. Click Add in order to enroll in the certificate.

    FMC Add Cert Enrollmentfmc add cert enrollment

    4. Navigate to Objects > Object Management > AAA Server > Single Sign-on Server and click Add Single Sign-on Server. Fill in the necessary information, from the Metadata XML (Entity ID and SSO URL), the base URL is the common name (CN) that you have for the FTD SSL Certificate. The IdP Certificate is OktaSSO which was enrolled earlier, and the Service Provider Certificate is the SSL certificate for FTD, which is RAVPN-SSL in this case. Leave everything else as default. Once you are done, click Save.

    FMC Object NavigationFMC object nav

    FMC SSO ConfigurationFMC SSO config

    5. This SSO server is used as our Authentication in the Remote Access Profile. Navigate to Devices > Remote Access > Edit and edit the Connection Profile of Concern. Under the AAA Section, use the SSO server created earlier as the Authentication Method. Once done, click Save. Remember to save the changes by clicking Save on the top right corner.

    FMC Devices RA NavigationFMC Devices RA nav

    FMC Connection Profile SettingsFMC Connection Profile settings

    6. Next, create the three Group Policies named, Admins, Finance, and Sales.

    7. The Group Policy DfltGrpPolicy has the Simultaneous Login Per User. value set to so that it is not used by any user.

    FMC DfltGrpPolicy SettingsFMC DfltGrpPolicy Settings

    8. Navigate to Advanced Section > Group Policies and click +. Click + again in order to create a new group policy.

    9. The image shows an example of the group Admins. Enter the name as Admins and this group has Welcome Admins! as their banner value. This group also has Split Tunneling configured to Tunnel networks specified below which has access to both Finance and Sales team servers. Leave the rest of the options as defaults. Once you are done, click Save.

    FMC RAVPN Adv GPFMC RAVPN Adv GP

    GP Add DialogGP Add dialog

    Admin GP DialogAdmin GP dialog

    Admin GP ACLAdmin GP ACL

    Admin GP ACL DialogAdmin GP ACL dialog

    9. Similarly, create the remaining two groups Finance and Sales. In this lab, they are configured with banner values Welcome Finance Team! and Welcome Sales Team! respectively. They are also configured with split tunneling like the Admins group with them accessing only their servers, that is, the Finance group can access only FinanceServer and the Sales group can only access SalesServer.

    10. Once created, add all of them and click OK.

    Add All GPAdd All GP

    11. Ensure to click Save on the top right corner and deploy the changes.

    12. The required configurations on FTD/FMC are completed. The remaining SAML configuration on Okta is configured in the next section.

    Okta - SAML Configuration Part #2

    1. Navigate to Applications > Applications and click  Application > Sign on Section > Edit.

    2. The custom group attribute configured in Okta - SAML Config Part #1 which is cisco_group_policy, must be sent in the SAML assertion. Click the dropdown arrow to the left of Attributes (Optional) and in the Group Attributes Statements (Optional), use the group as Name and cisco_group_policy as Filter which matches the regex ^((?!Everyone).*) as shown.

    Okta Sign on SettingsOkta Sign on Settings

    Okta App AttributeOkta App attribute

    note-icon

    Note: The Regex filter ^((?!Everyone).*), gives the groups assigned to the user (which is only one per user in this lab) except Everyone, and send it as a value of cisco_group_policy in the SAML assertion.

    4. Click Preview SAML in order to see what the assertion looks like.

    5. Under Advanced Settings fill the values in the field, in order to complete the SAML configuration on Okta. Once done, click Save.

    Entity ID: https://<VPN  Base URL>/saml/sp/metadata/<Connection Profile Name>

    Assertion Consumer URL: https://<VPN Base URL>/+CSCOE+/saml/sp/acs?tgname=<Connection Profile Name>

    Single Logout Service URL: https://<VPN  Base URL>/+CSCOE+/saml/sp/logout

    Okta SSO SettingOkta SSO Setting

    Okta - Users and Groups

    1. Start by configuring the groups, create three groups based on the Network Diagram, Admins, Finance, and Sales.

    2. Log in to Okta Admin Dashboard. Navigate to Directory > Groups.

    Okta Directory Group NavigationOkta directory group nav

    3. Click Add group.

    Okta Add GroupOkta add Group

    4. Fill in the group name and an optional description. Configuration is shown for the Admins group. After you are done, click Save.

    Okta Admin GroupOkta Admin Group

    5. Repeat the same steps for adding the Finance and Sales groups.

    6. Next, navigate to Directory > Profile Editor > Groups as shown. Click Okta group.

    Okta Group AttributeOkta group attribute

    7. Click Add Attribute, and fill in the values as shown.

    Okta Add AttributeOkta add attribute

    Okta Group Attribute DialogOkta group attribute dialog

    note-icon

    Note: The value of the field Variable name must be strictly cisco_group_policy.

    8. Once done, click Save.

    9. Navigate to Directory > Groups, click any of the three groups you created earlier. The image shows an example for the Salesgroup.

    Okta Group ListOkta Group list

    10. Under the Profile section, the attribute created in Step 7. can be seen. Click Edit and fill in the value with the name of the Group Policy you want that group to be assigned. Configure the value Sales in order to keep it simple. Once done, click Save.

    Okta Sales GroupOkta Sales Group

    11. Repeat the same steps for the groups Admins and Finance. Configure the value for cisco_group_policy to Admins and Finance respectively.

    note-icon

    Note: The value of cisco_group_policy must be exactly the same as the group policy name configured earlier.

    12. Next, create some users and assign them to the groups created in the previous steps. Navigate to Directory > People  and click Add Person.

    13. Create three users to test the lab, FinanceUser, SalesUser, and AdminUser that belong to Finance, Sales, and Admins groups respectively. The image shows an example for FinanceUser groups.

    Okta Add PersonOkta add person

    Okta Finance UserOkta finance user

    14. Repeat the same steps for the remaining two users; AdminUser and SalesUser.

    15. The final step is to add the groups created to the SAML application. Navigate to Applications > Applications > Edit > Assignments. Click Assign > Assign to Groups. Assign to the three groups created earlier and click Done.

    Okta Assign User to GroupOkta assign user to group

    Okta Group AssignOkta group assign

    Verify

    Finance User

    Banner

    Finance Team BannerFinance team banner

    Secured Routes

    Secured Routes for FinanceSecured routes for Finance

    Server Reachability

    ICMP to DestinationICMP to destination

    Session on FTD

    firepower# sh vpn-sessiondb anyconnect filter name FinanceUser@xxxxxxx
    Username : FinanceUser@xxxxxxx     Index : 14
    Assigned IP : 10.72.1.1                 Public IP : 10.106.68.246

    --------- OUTPUT OMMITTED ---------

    Group Policy : Finance                  Tunnel Group : RAVPN
    Duration : 0h:03m:26s


    Sales User

    Banner

    Sales Team BannerSales Team banner

    Secured Routes

    Sales Team Secured RoutesSales team secured routes

    Server Reachability

    ICMP to DestinationICMP to destination

    Session on FTD

    firepower# sh vpn-sessiondb anyconnect filter name SalesUser@xxxxxxx
    Username : SalesUser@xxxxxxx Index : 15
    Assigned IP : 10.72.1.1           Public IP : 10.106.68.246

    --------- OUTPUT OMMITTED ---------

    Group Policy : Sales              Tunnel Group : RAVPN
    Duration : 0h:02m:57s

    Admin User

    Banner

    Admin Team BannerAdmin team banner

    Secured Routes

    Admin Secured RoutesAdmin Secured routes

    Server Reachability

    ICMP to DestinationICMP to destination

    Session on FTD

    firepower# sh vpn-sessiondb anyconnect filter name AdminUser@xxxxxxx
    Username : AdminUser@xxxxxxx   Index : 16
    Assigned IP : 10.72.1.1             Public IP : 10.106.68.246

    --------- OUTPUT OMMITTED ---------

    Group Policy : Admins               Tunnel Group : RAVPN
    Duration : 0h:03m:05s

    Troubleshoot

    1. Ensure the time is synchronized on FTD and Okta. Check the same using show clock on the FTD CLI.

    firepower# sh clock
    05:14:52.494 UTC Mon Sep 4 2023

    2. Apply SAML debugs in order to confirm if the SAML assertion is a Success.

    firepower# debug webvpn saml 255
    ------------ OUTPUT OMMITTED ------------

    Sep 04 05:20:42
    [SAML] consume_assertion:
    http://www[.]okta[.]com/XXXXXXXXXXXXXX FinanceUser@xxxxxxx
    [saml] webvpn_login_primary_username: SAML assertion validation succeeded

    ------------ OUTPUT OMMITTED ------------

    3. Refer to this document in order to troubleshoot common issues found on the client side.

    Revision History

    Revision Publish Date Comments
    1.0
    06-Nov-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Pavan Gundu
      Cisco TAC Engineer
    • Ankit Kumar
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products