02-22-2018 12:08 AM
Hello Experts,
My customer raised a question about SAML assertion signatures. They confirmed that in their integration with Identity Federation the SAML AuthnRequest is not signed by ISE:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://mydevices.example.com:8444/mydevicesportal/SSOLoginResponse.action"
    ForceAuthn="false"
    ID="_94996df0-0a98-11e8-9ab8-380e4d172cf6_DELIMITERportalId_EQUALS94996df0-0a98-11e8-9ab8-380e4d172cf6_SEMIportalSessionId_EQUALSe8349759-d271-40dd-b6a7-9e9b77fe9d31_SEMI_DELIMITERmydevices.par.michelin.com"
    IsPassive="false" IssueInstant="2018-02-14T16:42:57.491Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">http://CiscoISE/94996df0-0a98-11e8-9ab8-380e4d172cf6</samlp:Issuer>
  <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="false" />
  <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>
I haven't found any documentation on the matter. Could you please tell me if this is expected and if we can force the signature in any way?
Thanks,
Mateusz
02-27-2018 09:05 AM
Below is to re-iterate what we discussed:
At present, it's not configurable in ISE to sign SAML AuthRequest. Logout requests are the ones with the option to be signed in the SAML advanced settings.
3.1 HTTP Redirect Binding in SAML 2.0 - Wikipedia says
… In practice, all the data contained in a <samlp:AuthnRequest>, such as Issuer which contains the SP ID, and NameIDPolicy, has been agreed between IdP and SP beforehand (via manual information exchange or via SAML metadata). In that case signing the request is not a security constraint. ...
If needed, please go ahead and log an enhancement request.
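The quoted Wikipedia text describes what an IdP relies on when the AuthnRequest is unsigned: the Issuer and the assertion consumer URL must already be on file from metadata exchange. The following is an added example, not Cisco's or the poster's code, that checks an ISE-style request for a ds:Signature and, when none is present, verifies Issuer and AssertionConsumerServiceURL against a constructed, hypothetical table of pre-registered SP metadata.

```python
"""Added example: inspect an unsigned SAML AuthnRequest the way an IdP that
does not require request signatures should. The sample request is constructed,
modelled on the unsigned request quoted in the thread; REGISTERED_SPS is a
hypothetical stand-in for SP metadata the IdP imported beforehand."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (ID shortened) in the shape ISE emits: no ds:Signature element.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://mydevices.example.com:8444/mydevicesportal/SSOLoginResponse.action"
    ForceAuthn="false" ID="_example-id" IsPassive="false"
    IssueInstant="2018-02-14T16:42:57.491Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://CiscoISE/94996df0-0a98-11e8-9ab8-380e4d172cf6</saml:Issuer>
</samlp:AuthnRequest>"""

# Hypothetical pre-agreed SP metadata: Issuer (SP entity ID) -> allowed ACS URLs.
REGISTERED_SPS = {
    "http://CiscoISE/94996df0-0a98-11e8-9ab8-380e4d172cf6": {
        "https://mydevices.example.com:8444/mydevicesportal/SSOLoginResponse.action",
    },
}


def is_signed(request_xml: str) -> bool:
    """True if the AuthnRequest carries an enveloped XML-DSig Signature element."""
    root = ET.fromstring(request_xml)
    return root.find("ds:Signature", NS) is not None


def validate_unsigned_request(request_xml: str, registered=REGISTERED_SPS) -> list:
    """Return a list of problems; an empty list means the request is acceptable
    under the 'agreed beforehand' model (Issuer known, ACS URL registered for it)."""
    root = ET.fromstring(request_xml)
    problems = []
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer not in registered:
        problems.append(f"unknown Issuer: {issuer!r}")
        return problems  # cannot check the ACS URL without a known SP
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in registered[issuer]:
        problems.append(f"AssertionConsumerServiceURL not registered for SP: {acs!r}")
    return problems
```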
02-22-2018 07:05 AM
Researching
02-23-2018 05:26 AM
Have you checked these 2 documents -
ISE Design & Integration Guides
Lab Config Guide: ISE 2.1 with Ping Fed for Guest Web Auth & Sponsor Portal SAML SSO
Meanwhile, I have asked our SME to look into it.
Thanks,
Nidhi
02-23-2018 05:33 AM
Hi Nidhi,
Thank you for looking into it. Yes, I have checked the docs you mentioned, but didn't find the level of details needed to answer these doubts...
I will be looking forward to hearing from the SME.
Thanks,
Mateusz
09-08-2021 01:06 AM
May we know if there is any change/enhancement on this in the latest ISE 3.0 or 3.1?
We are doing an ISE SAML integration and have encountered the same problem.
Thanks for the comments.
09-08-2021 03:15 PM
There is still no configuration option for this in ISE 3.0/3.1 and I was not able to find any enhancement request filed related to this.
The customer can use the Make a Wish feature to request this or you can reach out to the PM team internally via cs.co/ise-pm.