Cisco ASA SAML integration

Overview

This Document describes how to integrate a Cisco ASA with Swivel Sentry SSO using SAML.

If your Cisco ASA does not support SAML or you are not licensed to do so, our Sentry SSO with Cisco ASA for RADIUS article can be used instead: it uses a custom login page to redirect to Sentry, and RADIUS to verify that the SAML claim is valid. The solution is not suitable for use with AnyConnect.

Create SAML Keys on CMI

Keys are used within SAML to create a trust relationship between Sentry (acting as an IDP) and a SAML-compliant service provider. It is important that you create your own keys for this integration and keep the private key secure.

Generating Keys

From the CMI Main Menu select the Appliance Option, then select Sentry Menu option.

You will see the keys that are currently being used by Sentry (if any).

_images/GenerateSAMLKeysRSA.jpg

Select Option 1 to Generate New Keys

Give the key a name eg SentryProductionKey Select the key type, RSA or DSA (RSA is recommended for wider compatibility).

Some integrations require keys of a specific type so refer to the appropriate integration guides.

You then need to enter the information required to generate the key. These parameters are:

  • Country Name e.g. US. This should be the standard 2-letter ISO country code.
  • State or Province e.g. Washington.
  • Locality: e.g. Seattle.
  • Organisation: Your Company or Organisation Name.
  • Organisation Unit: Relevant unit, e.g. Information Technology.
  • Common Name: The full server hostname, e.g. sentry.domain.com.
  • Email Address: contact email address for the certificate.

Once you have entered all the details the new keys and certificate will be created.

You will be asked if you want to start using the new key immediately. If you say NO you can select the key at a later date.

Warning

Changing the key being used will impact any existing SAML-based integrations. The existing service providers will need to be updated with the new keys.

Selecting a Key

Select the Select New Key option will list all the keys that have been created on the appliance. You can select the key you wish to use.

Note

You need to restart tomcat for the changes to take effect.

Convert Sentry Keys to PFX

You will need to retrieve the keys generated above from the /home/swivel/.swivel/sentry/keys folder so that you are able to convert from PEM format to a PFX file containing the private key.

The openssl command to achieve a PEM to PFX conversion is as follows:

openssl pkcs12 -export -out Cert.pfx -in cert.pem -inkey key.pem

You will be prompted for a password for the private key and a password for the PFX you are creating This command assumes:

  • Cert.pfx is the file being created
  • cert.pem is the cert file downloadable from the AuthControl keys GUI
  • key.pem is the private key you download from the /home/swivel/.swivel/sentry/keys folder using WinSCP

Download the Sentry SSO IdP metadata

In the Sentry SSO Web GUI (running on port 8443), right click on the ‘View IdP Metadata’ left hand menu option and ‘Save As’ an xml file e.g. SwivelIdPMetadata.xml. We will upload this to the Cisco ASA in a moment.

Configure Cisco ASA

We recommend you protect your SSL VPN endpoint with an SSL certificate and ensure that it is working prior to embarking on this integration.

The below steps all assume that you are administering the Cisco ASA using the ASDM client.

Import the AuthControl Sentry IdP Certificate

In the ASDM, go to Configuration -> Remote Access VPN -> Certificate Management -> Identity certificates.

Click Add. Give the certificate an arbitrary name. Import the PFX created earlier being sure to ensure a password was set and is entered in the Decryption Passphrase field. Browse to the file and finally, click Add Certificate to validate and import the PFX.

Don’t forget to Apply the changes in the ASDM client.

Setup the SAML IdP against the SSL VPN Connection Profile

In the ASDM, go to Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles, highlight the Connection Profile assigned to the SSL VPN and click the Edit button.

Under the Basic tab, SAML Identity Provider section, click Manage.

Add a new entry:

  • IDP Entity ID: (needs to match the entity ID specified in Sentry SSO metadata XML file, in the AuthControl Sentry GUI -> View Metadata screen you will see the IDP’s entity ID listed at the top) e.g. https://<AuthControlSentryHostname>/sentry/saml20endpoint . The FQDN of this entity ID URL should be valid. If not, login to the Swivel Secure CMI -> Main Menu -> Appliance -> Sentry and set the Base URL to be correct and restart Tomcat. Then view and export the IdP metadata again.
  • Sign In URL: https://<AuthControlSentryHostname>/sentry/saml20endpoint
  • Sign Out URL: https://<AuthControlSentryHostname>/sentry/singlelogout
  • Base URL: (the CiscoASA FQDN hostname) e.g. https://ciscoasa.example.com
  • Identity provider certificate (select the one imported earlier)
  • Service provider certificate (select the SSL certificate assigned to the SSL VPN endpoint)
_images/1200px-Swivel-CiscoASA-SAML-Settings.png

Configure AuthControl Sentry

Log into the Sentry administration console. Select “Applications”. Then click “Add Application” and select the type “SAML - Other”

Enter an arbitrary name e.g. “Cisco ASA”.

“Portal URL” should be the public URL of your Cisco server. It is recommended that you use the same address for “Endpoint URL”, although this will usually be overridden be the address sent by the Cisco login page.

“Entity ID” must be the same as the value shown as “IDP Entity ID” in the Add SSO Server window shown above, so that AuthControl Sentry will recognize the request as coming from this Cisco server.