
Most networking administrators have probably spent at least some time setting up a remote-access VPN for their company or for a customer. To authenticate end-users that connect to the VPN, it is very common to utilize an external database of users, and to communicate with this external database you usually have to use the LDAP or RADIUS protocol to talk either directly to an LDAP catalog or to a RADIUS server (like Cisco’s Identity Services Engine, ISE, for example).

However, if your VPN solution consists of a Cisco ASA firewall and the AnyConnect VPN software, there is a new option/protocol available to handle authentication: SAML, which stands for Security Assertion Markup Language.

SAML has grown big in the last few years to provide authentication and single sign-on (SSO) experiences for applications like email, websites, ticket services and much more. The general idea of SAML is that once you have gone through a successful authentication, you are handed a sort of cookie or “ticket” inside your web browser that will allow you to automatically be signed into the next service you want to use that also uses the same SAML authentication. As of this writing, successful SAML authentications taking place for VPN do not “carry over” for use with other services because of how AnyConnect works… so keep that in mind for your own implementation. Today, there are many different products that use SAML authentication from well-known companies like Microsoft, Okta, Ping Identity and even Cisco (through their Duo service). I am not going to go into detail on how SAML authentication works, but the main thing about the SAML authentication flow is that when you initiate a VPN session in AnyConnect (by typing in the URL/IP of your ASA and clicking “Connect”), instead of getting the normal AnyConnect login prompt you will be redirected to a so-called Identity Provider (IdP), which will present you with a login website that opens up inside AnyConnect (at least if you are using AnyConnect version 4.6 or newer). It is very common for companies and organizations to design their own login page using their brand colors and logos to make users feel at home. Since the VPN login will look the same as for other applications used by the users, they will be very familiar with the interface.

In SAML terms the ASA will be acting as a Service Provider (SP). This is not going to be a complete guide on how to set up SAML authentication for VPN on the ASA; we will only cover the SAML configuration on the ASA and not the configuration of basic VPN settings like Group Policies etc. We will also not cover the configuration of the IdP, mainly because 1) you, the network administrator, will probably not be the one tasked to do that configuration and 2) there are way too many different IdP services and I’ve barely seen any of them.
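To make the SP-initiated flow described above concrete, here is an added example (not code from the original post, and not how the ASA implements it internally) that models the two legs the ASA performs as Service Provider: building the redirect that sends the client to the IdP, and checking the assertion that comes back before trusting it. The entity IDs, IdP URL, clock value and XML are all constructed; signature verification, which a real SP must also do, is left out.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SP_ENTITY_ID = "https://vpn.example.com/saml/sp"   # constructed: the ASA as SP
IDP_SSO_URL = "https://idp.example.com/sso"         # constructed IdP SSO endpoint
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)  # constructed clock


def build_redirect(request_id: str) -> str:
    """Step 1: the SP builds an AuthnRequest and redirects the client to the IdP.
    HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    req = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{SAMPLE_NOW.isoformat()}">'
           f'<saml:Issuer xmlns:saml="{NS["saml"]}">{SP_ENTITY_ID}</saml:Issuer>'
           '</samlp:AuthnRequest>')
    deflated = zlib.compress(req.encode())[2:-4]    # drop zlib header and adler32
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def validate_response(xml_text: str, expected_request_id: str, now: datetime) -> str:
    """Step 2: after login at the IdP the browser delivers a Response to the SP.
    The SP checks the assertion answers its own request (InResponseTo), is meant
    for it (Audience) and is inside its validity window; returns the NameID.
    Signature verification is also required and is omitted in this sketch."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer our request")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion was issued for another service provider")
    if not (datetime.fromisoformat(cond.get("NotBefore")) <= now
            < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


def sample_response(request_id: str, audience: str = SP_ENTITY_ID) -> str:
    """Constructed Response, standing in for what the IdP would return."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'InResponseTo="{request_id}"><saml:Assertion><saml:Subject>'
            '<saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="2024-01-01T12:00:00+00:00" '
            'NotOnOrAfter="2024-01-01T12:05:00+00:00"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion></samlp:Response>')
```

Running `validate_response(sample_response("_r1"), "_r1", SAMPLE_NOW)` returns the NameID, while a response with a different Audience or InResponseTo is rejected, which is the point of the SP-side checks.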
