Cisco ASA SSL VPN and Cisco AnyConnect Client with SafeNet Trusted Access using SAML 2.0

Overview

This guide shows how to add adaptive authentication with contextual access policies to the Cisco ASA SSL VPN (clientless portal) and the Cisco AnyConnect client by federating them with SafeNet Trusted Access (STA) over SAML 2.0. In this setup the Cisco ASA is the SAML Service Provider (SP) and STA is the Identity Provider (IdP).

Prerequisites

  • Cisco ASA 9.7.1.24 or later, managed with ASDM

  • Cisco AnyConnect 4.6 or later

  • A test user who can already authenticate to SafeNet Trusted Access and has an STA authenticator enrolled

SafeNet Trusted Access Configuration

Create Cisco ASA Application in SafeNet Trusted Access

Note

Open the SafeNet Trusted Access Console. Use the direct link for your availability zone:

  • US Zone SafeNet Trusted Access Console

  • EU Zone SafeNet Trusted Access Console

  • Classic Zone SafeNet Trusted Access Console

In the STA Console, add the Cisco ASA application by following these steps:

  1. In the Applications tab, click the + button and search for Generic Template

  2. Name the application and choose SAML as the Integration Protocol

  3. Optional - Change the Application Logo by clicking on the default icon. You can download the Cisco ASA logo icon here

  4. Click Add to add the Cisco ASA application

  5. Switch to Manual Configuration

  • Click Download to download the STA Tenant Certificate (the IdP signing certificate that the Cisco ASA will trust)

  • Note both the STA Tenant Issuer/Entity ID and the STA Single Sign-On Service URL; both are entered on the Cisco ASA later

  6. Click Next Step

Note

Leave the STA application configuration open at this point. The next steps are done on the Cisco ASA with ASDM: configuring the SAML settings there produces the SP metadata file, which is later imported into the STA Cisco ASA application to complete its configuration.

Cisco ASA Configuration

Certificates Configuration

  1. Log in to Cisco ASDM

  2. Click Configuration

  3. Click Remote Access VPN

_images/asdm_vpn.png

  4. Expand Certificate Management

Note

The CA Certificates section is where the STA tenant certificate is imported. The Identity Certificates section is where the Cisco ASA SP certificate is created or imported

_images/asdm_certs.png

  5. Click CA Certificates and click Add

  6. Enter a Trustpoint Name for the STA certificate and browse to the certificate file downloaded from the STA application in the previous section

  7. Select the file and click Install

  8. Click Install Certificate

  9. The certificate is installed. Click OK

_images/asdm_cert_installed.png

  10. Import or create a new Cisco ASA Identity Certificate: enter a Trustpoint Name and either import a PFX file or generate a self-signed certificate. This is the SP certificate the Cisco ASA uses to sign its SAML requests; note its Trustpoint Name

  11. Click Add Certificate

  12. Click OK

_images/asdm_enroll.png

Configure Single Signon Server

  1. Navigate to Clientless SSL VPN Access -> Advanced -> Single Signon Servers and click Add

  2. Fill in the details using the Issuer/Entity ID and Single Sign-On Service URL noted from the STA application's Manual Configuration view

Important

Do not paste the https:// prefix from the STA logon links; select https from the drop-down menus instead. The one exception is the IDP Entity ID, which must be entered exactly as shown in STA, including https://

Cisco ASA SAML Setting

Note

  • IDP Entity ID: the STA Issuer/Entity ID, including https://

  • Sign In URL: the STA Single Sign-On Service URL

  • Sign Out URL: leave empty

  • Base URL: the Cisco ASA URL that users connect to, for example https://<fqdn-asa>. The Cisco ASA uses this value as the base of the Assertion Consumer Service URL in its SP metadata, so it must be the public FQDN that matches the Cisco ASA identity certificate, not an internal name or IP address

  • Identity Provider Certificate: the trustpoint of the STA tenant certificate imported under CA Certificates

  • Service Provider Certificate: the trustpoint of the Cisco ASA identity certificate created under Identity Certificates

  • Request Signature: rsa-sha256

  • Request Timeout: the assertion timeout in seconds, e.g. 7200

  1. Click OK

Configure SSL VPN Connection Profile

  1. Navigate to Clientless SSL VPN Access -> Connection Profiles and click Add

  2. Enter a Name and an Alias

Note

The Alias is the name users see and select as the Connection Profile when connecting

  3. Select SAML as the Authentication Method

  4. Select the SAML server created in the previous step as the SAML Identity Provider

  5. Expand Advanced and click Clientless SSL VPN

  6. Make sure the Alias is Enabled

  7. Click OK

  8. Click Apply and then Save to save the configuration

Configure AnyConnect VPN Connection Profile

Important

Before the AnyConnect VPN settings can be configured, an AnyConnect client image has to be uploaded to the Cisco ASA. The image can be downloaded from the Cisco support site; the download requires a valid Cisco support contract.

  1. Navigate to Network (Client) Access -> AnyConnect Connection Profiles and click Add

  2. Enter a Name and an Alias

Note

The Alias is the name users see and select as the Connection Profile when connecting

  3. Select SAML as the Authentication Method

  4. Select the SAML server created in the previous step as the SAML Identity Provider

  5. Expand Advanced and click Group Alias/Group URL

  6. Make sure the Alias is Enabled

  7. Click OK

  8. Click Apply and then Save to save the configuration

Note

Configure any additional VPN settings such as IP Assignment (an address pool is required for AnyConnect clients), DNS, Split Tunnel, Published Applications etc. as required
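The ASDM steps above, collected as the equivalent Cisco ASA CLI so the result can be reviewed or reproduced from a console. This is an added example, not configuration from the original guide or from Thales or Cisco; the trustpoint names STA-IDP and ASA-SP, the key label ASA-SP-KEY, the tunnel-group names STA-CLIENTLESS and STA-ANYCONNECT, the FQDN vpn.example.com, the interface name outside and the AnyConnect package file name are assumptions, and the angle-bracket placeholders stand for the values noted from the STA Manual Configuration view.

```text
! Added example, not from the original guide. Assumed names: STA-IDP, ASA-SP,
! ASA-SP-KEY, STA-CLIENTLESS, STA-ANYCONNECT, vpn.example.com, outside.

! 1. Trust the STA tenant certificate (ASDM: Certificate Management -> CA Certificates)
crypto ca trustpoint STA-IDP
 enrollment terminal
crypto ca authenticate STA-IDP
! paste the PEM downloaded from the STA application, then enter "quit"

! 2. Identity certificate the ASA signs SAML requests with (ASDM: Identity Certificates)
crypto key generate rsa label ASA-SP-KEY modulus 2048
crypto ca trustpoint ASA-SP
 enrollment self
 subject-name CN=vpn.example.com
 keypair ASA-SP-KEY
crypto ca enroll ASA-SP noconfirm

! 3. Single Sign-on server (ASDM: Advanced -> Single Signon Servers)
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
 saml idp <STA-Issuer-Entity-ID>
  url sign-in <STA-Single-Sign-On-Service-URL>
  base-url https://vpn.example.com
  trustpoint idp STA-IDP
  trustpoint sp ASA-SP
  signature rsa-sha256
  timeout assertion 7200

! 4. Clientless SSL VPN connection profile
tunnel-group STA-CLIENTLESS type remote-access
tunnel-group STA-CLIENTLESS webvpn-attributes
 authentication saml
 saml identity-provider <STA-Issuer-Entity-ID>
 group-alias STA-CLIENTLESS enable

! 5. AnyConnect connection profile (add an address pool under general-attributes as required)
tunnel-group STA-ANYCONNECT type remote-access
tunnel-group STA-ANYCONNECT webvpn-attributes
 authentication saml
 saml identity-provider <STA-Issuer-Entity-ID>
 group-alias STA-ANYCONNECT enable
```

After write memory, compare the result with what ASDM shows: show running-config webvpn lists the saml idp object, show crypto ca certificates STA-IDP confirms the STA tenant certificate is installed, and show saml metadata STA-ANYCONNECT prints the same SP metadata that the browser download in the next section returns. Two caveats apply: if anything under saml idp is changed later, the saml identity-provider line must be removed and re-entered in each tunnel-group for the change to take effect, and when the STA tenant certificate is renewed the new certificate must be re-imported into the STA-IDP trustpoint, otherwise the assertions STA signs will fail validation on the Cisco ASA. debug webvpn saml 255 shows the assertion processing while a login is attempted.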

Download the Cisco ASA SAML Metadata

  1. In a browser, navigate to https://<fqdn-asa>/saml/sp/metadata/<connection profile name> (use the connection profile Name, not its Alias)

Example of metadata:

  2. Save the metadata from the browser as file.xml
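Before uploading file.xml to STA it is worth checking that the metadata the Cisco ASA produced points at the public FQDN over https, advertises signed requests, and carries the SP certificate: an internal hostname or an http URL here means the Base URL on the Cisco ASA was wrong, and STA would later redirect users to an Assertion Consumer Service they cannot reach. The following script is an added example, not part of the original guide or of any Thales or Cisco tooling, and uses only the Python standard library. The SP_METADATA string is a constructed sample in the shape of the Cisco ASA SP metadata; vpn.example.com, the profile name STA-ANYCONNECT and the short certificate value are assumptions, so replace it with the contents of file.xml when checking your own download.

```python
"""Sanity-check Cisco ASA SP metadata before uploading it to STA (added example)."""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# CONSTRUCTED sample in the shape of https://<fqdn-asa>/saml/sp/metadata/<profile>;
# the hostname, profile name and certificate value are assumptions, not real ASA output.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/saml/sp/metadata/STA-ANYCONNECT">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBAAAAAAA=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=STA-ANYCONNECT"
        index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_base_url):
    """Return a dict of findings; an empty 'problems' list means the file is safe to upload."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    expected_host = urlparse(expected_base_url).hostname
    problems = []
    entity_id = root.get("entityID", "")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        return {"entity_id": entity_id, "acs": [], "signing_cert_ok": False,
                "problems": ["no SPSSODescriptor element"]}

    acs = [e.get("Location", "") for e in sp.findall(MD + "AssertionConsumerService")]
    if not acs:
        problems.append("no AssertionConsumerService (STA would have nowhere to POST the assertion)")
    # Every URL STA will send the browser to must be https on the public ASA FQDN;
    # anything else means Base URL on the ASA was set to an internal name or to http.
    for url in [entity_id] + acs:
        u = urlparse(url)
        if u.scheme != "https":
            problems.append("not https: " + url)
        if u.hostname != expected_host:
            problems.append("host %r does not match base URL host %r: %s"
                            % (u.hostname, expected_host, url))

    if sp.get("AuthnRequestsSigned") != "true":
        problems.append("AuthnRequestsSigned is not true; check Request Signature on the ASA")

    # The SP certificate STA uses to verify signed AuthnRequests must be present and decode to DER.
    signing_cert_ok = False
    for kd in sp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except (binascii.Error, ValueError):
                continue
            if der[:1] == b"\x30":  # DER SEQUENCE tag every X.509 certificate starts with
                signing_cert_ok = True
    if not signing_cert_ok:
        problems.append("no decodable signing certificate; the SP trustpoint may lack a certificate")

    return {"entity_id": entity_id, "acs": acs,
            "signing_cert_ok": signing_cert_ok, "problems": problems}


if __name__ == "__main__":
    result = check_sp_metadata(SP_METADATA, "https://vpn.example.com")
    print("entityID:", result["entity_id"])
    for line in result["problems"] or ["OK: metadata is consistent, upload it to STA"]:
        print(line)
```

Run it with the Base URL you entered on the Cisco ASA as the second argument; a host or scheme mismatch is reported per URL, so the entityID and every Assertion Consumer Service URL are listed separately. The check is structural only: it does not verify the certificate chain, which STA does on upload.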

Complete STA Cisco ASA Application Configuration

  1. Return to the STA Cisco ASA application configuration

  2. Click Upload Generic Template Metadata

  3. Click Browse and select the metadata file saved in the previous section

The metadata is uploaded and the SAML settings it contains are filled in automatically

  4. Under User Login ID Mapping, select SAS User ID

  5. Click Save Configuration

_images/save_config.png

  6. Assign the Cisco ASA application to your target users by clicking Assign and selecting All Users or Users from any of these user groups:

  7. Click Save Configuration

Configure STA Authentication Policy

In the STA Console, create a new Access Policy for the Cisco ASA application by following these steps:

  1. Go to the Policies tab

  2. Click + to add a new Policy

  3. Name the new Policy, for example Cisco ASA VPN

  • Policy Scope

    1. Under Users, click All Users to apply the policy to all users, or Any of these User Groups: to apply it to specific User Groups

    2. Under Applications, click Any of these Applications, click in the field and select the Cisco ASA application

  • Default Requirements

    1. Select the desired authentication methods, for example Password with Every access attempt and Token Based Authentication (OTP) with Every access attempt

  4. Click Save to save the new Policy

The SafeNet Trusted Access configuration of the Cisco ASA application is complete

Test the solution

Using Cisco ASA SSL VPN Portal

  1. Navigate to the Cisco ASA SSL VPN URL

  2. Click Login

  3. Authenticate in STA, using all required credentials, based on the STA Authentication Policy

_images/asa_sslvpn.gif

Using SafeNet Trusted Access User Portal

  1. Navigate to the SafeNet Trusted Access User Portal and log in

  2. Click the Cisco ASA application

  3. You are redirected to the Cisco ASA SSL VPN Web Portal and logged in without a second prompt

_images/asa_userportal.gif

Using Cisco AnyConnect VPN Client

  1. Launch the Cisco AnyConnect Client on the client machine

  2. Type in the Cisco ASA VPN URL and click Connect to initiate the connection

  3. Authenticate in STA, using all required credentials, based on the STA Authentication Policy

_images/asa_anyconnect.gif