Cisco ScanSafe Wi-Fi Hotspot Security Technical Manual

Contents
Introduction
Prerequisites
Requirements
Components Used
Background Information
Configure
Verify
Troubleshoot
Introduction
This document describes how to configure Microsoft Active Directory Federation Services (ADFS)
as an Identity Provider (IdP) so that it sends only specific group details to the Cisco Cloud Web
Security (CWS) service, rather than the full list of a user's group memberships.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Cloud Web Security configuration with the ScanCenter Portal
Security Assertion Markup Language (SAML) authentication
Administration of Microsoft ADFS server 
Components Used
The information in this document is based on Microsoft ADFS version 2.0, which runs on Windows
Server 2008 R2.
The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.
Background Information
When a client browser authenticates, the SAML exchange between the ADFS server (the IdP) and
CWS (the Service Provider, SP) passes through the browser: all of the information, including the
user name and group claims, is encrypted and encoded into the URL string that the browser is
redirected with. The more information ADFS sends to CWS, the longer that URL becomes, and a
URL that carries every group membership of a user can exceed the length that browsers and
intermediate proxies accept. That is why this document restricts the groups that are sent.
When you configure SAML authentication with Microsoft ADFS for use with the CWS service,
you must configure a Relying Party Trust whose claim rules provide the user name and the group
information that CWS needs.
describes this step in more detail.
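The PowerShell below is an added example and is not code from this Cisco document. It shows the kind of Relying Party Trust claim rules the two preceding paragraphs describe: one rule that sends the user name and one rule that sends a single chosen group, instead of a rule that sends every group the user belongs to. The trust name "Cisco CWS", the group CORP\CWS-Finance, the group label and the outgoing claim types are assumptions; check the SAML settings in the ScanCenter Portal for the attribute names CWS actually expects. It is written for the ADFS 2.0 snap-in on Windows Server 2008 R2, which is the version this document is based on.

```powershell
# Added example, not from the Cisco document. Issues the user name and ONE chosen
# group to the CWS relying party instead of every group the user belongs to.
# Assumptions: trust name "Cisco CWS", group CORP\CWS-Finance, claim types below.
# Run in an elevated PowerShell on the ADFS 2.0 / Windows Server 2008 R2 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName  = "Cisco CWS"           # assumed display name of the CWS Relying Party Trust
$groupName  = "CORP\CWS-Finance"    # assumed AD group whose membership CWS should see
$groupLabel = "CWS-Finance"         # value CWS receives for that group (assumed)

# ADFS sees group membership as SIDs, so resolve the group name to its SID once.
# Matching on the SID survives a rename of the group; matching on the name does not.
$groupSid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Rule 1 sends the user name. Rule 2 sends only the chosen group.
# A "Send LDAP Attributes as Claims" rule with query ";tokenGroups;{0}" would
# instead issue EVERY group the user belongs to, which is what makes the
# SAML redirect URL grow with the size of the user's group list.
$rules = @"
@RuleName = "CWS user name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "CWS group $groupLabel only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$groupLabel", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Replace the issuance transform rules on the existing trust with the two rules above.
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Check: list the rules ADFS now holds for the trust. No tokenGroups query should remain.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

To send a second group, add another groupsid rule with that group's SID rather than switching back to a tokenGroups rule; each rule adds one claim, so the URL length stays proportional to the number of groups CWS actually needs. Set-AdfsRelyingPartyTrust replaces the whole rule set, so any rules created earlier in the ADFS console for this trust must be included in the same string or they are lost.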