{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Summary","type":"text"}]},{"type":"paragraph","content":[{"text":"Following these steps will help you configure your Cisco ASA firewall VPN to send SAML auth requests to your Shibboleth servers to authenticate your users. Our preferred way to limit VPN access to groups was to do LDAP searches against our AD, but this might now work for you environment. ","type":"text"}]},{"type":"paragraph","content":[{"text":"Any config changes to the ASA should supplement any existing configurations that you have and not always replace. ","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Know limitations:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"External browser support is bad for Linux. I am not sure if there is a granular way to allow option that feature, so if its on you might break Linux users.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"OpenConnect doesn't work with SAML, there are some python wrappers but its not for the casual user.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"AnyConnect on Linux breaks a lot, from OS updates. Based on my anecdotal experiences.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Even with External browser support enabled, you might not get true SSO. If you IP changes when you connect to the VPN and your next SSO auth is with the new IP. Your session is probably attached you “real” IP and will probably need to reauthenticate.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SAML proxy is not working for us in internal browser.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If you were using Duo MFA on the web portal before and used there instructions to do so, then you should reverse it. (","type":"text"},{"type":"inlineCard","attrs":{"url":"https://duo.com/docs/ciscoasa-ldap#modify-the-sign-in-page"}},{"text":" )","type":"text"}]}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Config changes for the ASA","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Generate the cert to be used by the ASA as the SP. Don’t use the web certs. It should be self signed so that its long lived.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"crypto key generate rsa label SpSigningKeymodulus 2048\n\ncrypto ca trustpoint spSigningCert\nkeypair SpSigningKey\nsubject-name cn=*FQDN*\nenrollment self\nexit\ncrypto ca enroll spSigningCert","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Install you Shibboleth IdP certs. You only need your signing cert, if the encryption is different.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"crypto ca trustpoint SAML-IDP-SHIB\nrevocation-check none\nno id-usage\nenrollment terminal\nno ca-check\ncrypto ca authenticate SAML-IDP-SHIB\n(paste cert)\nquit\nexit","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If you are also setting up LDAP, add your LDAPS cert chain if applicable. Use chain instead of cert if possible to allow for easier renewals.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"crypto ca trustpoint AD-LDAPS\nrevocation-check none\nno id-usage\nenrollment terminal\nno ca-check\ncrypto ca authenticate AD-LDAPS\n(paste cert)\nquit\nexit","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Setup the WebVPN. The base-url needs to match the host that Shibboleth redirects back to.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"webvpn\nsaml idp YOUR_SP_ENTITY_ID\n url sign-in \n base-url \n trustpoint idp SAML-IDP-SHIB\n trustpoint sp spSigningCert\n signature rsa-sha256\n no force re-authentication\n timeout assertion 300","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Depending on what your need is, you might want to map users to specific polices or limit access. I used AD groups for this, and created an LDAP attribute map to bring map the groups. The ASA will take the nameID and do a ldap lookup on it.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"!create attriute map\nldap attribute-map LDAP-AD-ATTRIB-MAP\nmap-name memberOf Group-Policy\nmap-value memberOf GROUP_DN ASA_GROUPCN VPN_Users_SAML\n!example\n!map-value memberOf CN=vpnUsers,OU=SecGroups,DC=uni,DC=edu VPN_Users_SAML\n\n!create LDAP server group, add a dc. Add as many as you can. My example users ldaps, remove if your not\naaa-server AD-LDAP protocol ldap\naaa-server AD-LDAP protocol ldap\naaa-server AD-LDAP (asaInterfaceName) host *ip/fqdn of dc*\n\tserver-port 636\n\tldap-base-dn ou=users,dc=uni,dc=edu\n\tldap-scope subtree\n\tldap-naming-attribute sAMAccountName\n\tldap-login-password *****\n\tldap-login-dn CN=asaServiceUser,OU=service,DC=uni,DC=edu\n\tldap-over-ssl enable\n\tldap-attribute-map LDAP-AD-ATTRIB-MAP\n\tserver-type microsoft","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"We duplicated our existing group polices on the ASA because we needed to add the session timeout and wanted to leave the old config intact.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"group-policy VPN_Users_SAML internal from VPN_Users\ngroup-policy VPN_Users_SAML attributes\nvpn-session-timeout 10080","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For testing, create a new tunnel group to use. After you can confirm that everything is working you can go back and move the SAML auth to the default tunnel group. The metadata is linked to the tunnel group, so you will need to also make changes in the Shibboleth config.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"In this example the group-url is the testing site. This hides the SAML login from end users until you are ready to migrate everyone. You can login with the AnyConnect client with the URL or use a browser.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"tunnel-group SAML-IdP-SHIB type remote-access\n\ntunnel-group SAML-IdP-SHIB general-attributes\n\taddress-pool ipv4vpnPool\n\tipv6-address-pool ipv6vpnPool\n\tauthorization-server-group AD-LDAP\ntunnel-group SAML-IdP-SHIB webvpn-attributes\n\tauthentication saml\n\tgroup-url [https://asafqndn.uni.edu/](https://vpn-iti.net.rpi.edu/idpdev)shibboleth enable\n\tsaml identity-provider *entityID of shibboleth serevr*\n\n!after you test, make the default login. You need to remove any group alias and \n!remove the tunnel group list from webvpn\n\ntunnel-group DefaultWEBVPNGroup type remote-access\n\ntunnel-group DefaultWEBVPNGroup general-attributes\n\taddress-pool ipv4vpnPool\n\tipv6-address-pool ipv6vpnPool\n\tauthorization-server-group AD-LDAP\ntunnel-group DefaultWEBVPNGroup webvpn-attributes\n\tauthentication saml\n\tsaml identity-provider *entityID of shibboleth serevr*\nwebvpn\n\tno tunnel-group-list enable","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Shibboleth Config changes","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Edit the metadata-providers.xml file, if the Shibboleth server can talk to your ASA you can use a FileBacked Provider.","type":"text"}]},{"type":"paragraph","content":[{"text":" Each tunnel group will have its own entity ID. ","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"\n\n\">","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"\n\">","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Allow the release of the attribute that is assigned to the “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” type.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A bean needs to be added to your relying party config file to set the nameID correctly and disable encryption.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"\n\n \n \n >\n >\n \n \n \n \n \n \n \n","type":"text"}]}]}]}],"version":1}

Browser not supported