Okta

How to Configure SAML 2.0 for Cisco ASA VPN


Supported Features

The Okta/Cisco ASA VPN SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Access your Cisco ASA using SSH.

  2. Type the following commands to enter configuration mode:

    1. ciscoasa> enable

    2. ciscoasa# config t

  3. Import Okta's signing certificate into a trustpoint:

    1. ciscoasa(config)# crypto ca trustpoint okta

    2. ciscoasa(config-ca-trustpoint)# enrollment terminal

    3. ciscoasa(config-ca-trustpoint)# no ca-check

    4. ciscoasa(config-ca-trustpoint)# crypto ca authenticate okta

    5. Enter the base 64 encoded CA certificate:

        End with the word quit on a line by itself:

        Sign into the Okta Admin Dashboard to generate this variable.

    6. quit

      INFO: Certificate has the following attributes:

      Fingerprint: *************

    7. Do you accept this certificate? [yes/no]: yes

      Trustpoint CA certificate accepted.

      % Certificate successfully imported

  4. If you do not have a signing PKCS12 certificate, generate one with the following openssl commands:

    1. openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.crt

    2. openssl pkcs12 -inkey key.pem -in certificate.crt -export -out certificate.p12

    3. openssl base64 -in certificate.p12 -out certificate.base64

  5. Import the ASA signing PKCS12 into a trustpoint:

    1. ciscoasa(config)# crypto ca import asa_saml_sp pkcs12 [yourPassword]

    2. Enter the base 64 encoded PKCS12 (the content of the certificate.base64 file from step 4).

      End with the word quit on a line by itself:

    3. quit

      INFO: Import PKCS12 operation completed successfully

  6. Add Okta as SAML IdP:

    1. ciscoasa(config-webvpn)# saml idp [issuer]

      Where [issuer] is the following value:

      Sign into the Okta Admin Dashboard to generate this variable.

      Note: Make a copy of this value; you will need it again in step 10g.

  7. Configure the IdP sign-in URL and sign-out URL:

    1. ciscoasa(config-webvpn-saml-idp)# url sign-in [sign-on url]

      Where [sign-on url] is the following value:

      Sign into the Okta Admin Dashboard to generate this variable.

    2. [OPTIONAL: SLO]

      ciscoasa(config-webvpn-saml-idp)# url sign-out [sign-out url]

      Where [sign-out url] is the following value:

      Sign into the Okta Admin Dashboard to generate this variable.

  8. Configure the Okta trustpoint and the ASA trustpoint:

    1. ciscoasa(config-webvpn-saml-idp)# trustpoint idp okta

    2. ciscoasa(config-webvpn-saml-idp)# trustpoint sp asa_saml_sp

  9. Configure the Clientless VPN base URL, SAML request signature, SAML assertion timeout and Force Authentication:

    1. ciscoasa(config-webvpn-saml-idp)# base-url https://[yourASAbaseURL]

      (for example: https://asahost.com)

    2. ciscoasa(config-webvpn-saml-idp)# signature

    3. ciscoasa(config-webvpn-saml-idp)# timeout assertion 7200

    4. [OPTIONAL: Force Authentication]:

      ciscoasa(config-webvpn-saml-idp)# force re-authentication

  10. Configure an IdP for a tunnel group and enable SAML authentication:

    1. ciscoasa(config)# webvpn

    2. ciscoasa(config-webvpn)# tunnel-group-list enable

    3. ciscoasa(config)# tunnel-group cloud_idp_okta type remote-access

    4. ciscoasa(config)# tunnel-group cloud_idp_okta webvpn-attributes

    5. ciscoasa(config-tunnel-webvpn)# authentication saml

    6. ciscoasa(config-tunnel-webvpn)# group-alias cloud_idp enable

    7. ciscoasa(config-tunnel-webvpn)# saml identity-provider [issuer]

      Where [issuer] is the same value generated in step 6a.

  11. Get the Assertion Consumer Service URL, SP Entity ID and Single Logout Service URL values:

    1. Get the ASA's SAML SP metadata:

      ciscoasa(config)# show saml metadata cloud_idp_okta

    2. Copy the entityID, AssertionConsumerService and SingleLogoutService attribute values.

  12. In Okta, select the Sign On tab for the Cisco ASA VPN (SAML) app, then click Edit.

    1. [OPTIONAL: Force Authentication]: Uncheck the Disable Force Authentication box.

    2. [OPTIONAL: SLO]: Check the Enable Single Logout box and upload the certificate.crt file (step 4) as the Signature Certificate.

    3. Scroll down to the ADVANCED SIGN-ON SETTINGS section.

    4. Enter the ACS URL, SP Entity ID and Single Logout URL (optional) values from step 11 into the corresponding fields.

    5. Click Save.

  13. Done!
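The three values from step 11 can be pulled out of the ASA's SP metadata programmatically rather than by eye. The following Python script is an added example, not part of Okta's or Cisco's documentation: it parses a constructed sample in the shape of the metadata that `show saml metadata` prints (hostname and paths are placeholders, not a real ASA's), picks the HTTP-POST Assertion Consumer Service and Single Logout endpoints, and checks that both sit under the base-url configured in step 9.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of the SP metadata that
# "show saml metadata <tunnel-group>" prints; hostname and paths are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://asahost.com/saml/sp/metadata/cloud_idp_okta">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://asahost.com/+CSCOE+/saml/sp/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://asahost.com/+CSCOE+/saml/sp/acs?tgname=cloud_idp_okta"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_values(metadata_xml: str, base_url: str) -> dict:
    """Pull SP Entity ID, ACS URL and Single Logout URL out of SP metadata and
    check that every endpoint sits under the base-url configured on the ASA."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # Okta posts the assertion (HTTP-POST binding): prefer the default POST ACS, then lowest index.
    acs = [e for e in sp.findall(MD + "AssertionConsumerService") if e.get("Binding") == POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    # SLO is optional on the ASA (step 7b); take the POST endpoint if present, else Redirect.
    slo = {e.get("Binding"): e.get("Location") for e in sp.findall(MD + "SingleLogoutService")}
    values = {
        "sp_entity_id": root.get("entityID"),
        "acs_url": acs[0].get("Location"),
        "slo_url": slo.get(POST) or slo.get(REDIRECT),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",  # set by "signature"
    }
    # An endpoint outside base-url means the base-url command does not match the metadata.
    prefix = base_url.rstrip("/") + "/"
    for key in ("acs_url", "slo_url"):
        if values[key] and not values[key].startswith(prefix):
            raise ValueError(f"{key} {values[key]} is not under base-url {base_url}")
    return values
```

Paste the returned `sp_entity_id`, `acs_url` and `slo_url` into the corresponding Okta fields in step 12d; a raised error means the metadata and the ASA's base-url disagree and should be fixed before saving.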


Notes

SP-initiated SSO

  1. Open your Cisco ASA VPN login URL.

  2. Select the cloud_idp alias from the GROUP dropdown list.

  3. Click Login.