Cisco Content Security Management Appliance M390 User Guide
AsyncOS 10.0 for Cisco Content Security Management Appliances User Guide
Chapter 14 Common Administrative Tasks
SSO Using SAML 2.0
• Enter the service provider's (appliance's) Entity ID under Relying Party Trusts > Properties > Identifiers > Relying Party Identifier. Make sure that this value is the same as the Entity ID value in the Service Provider settings on your appliance.
• If you have configured your service provider (appliance) to send signed SAML authentication requests, upload the service provider's certificate (used to sign authentication requests) in .cer format under Relying Party Trusts > Properties > Signature.
• If you plan to configure AD FS to send encrypted SAML assertions, upload the service provider's (appliance's) certificate in .cer format under Relying Party Trusts > Properties > Encryption.
• Set the Secure-hash Algorithm to SHA-1 under Relying Party Trusts > Properties > Advanced.
• Edit the Claim Rule and add an Issuance Transform Rule to send the LDAP attribute for email address as an outgoing claim type (email address).
• Add a custom rule to include SPNameQualifier in the response. The following is a sample custom rule:

  c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
   => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://<appliance-hostname>:83");
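The following Python check is an added example, not part of this guide or of the appliance software: it inspects a constructed assertion from the service provider's side and reports whether the NameID produced by the custom rule above carries the emailAddress format, an SPNameQualifier equal to the appliance's Entity ID, and the same value as the e-mail claim. The hostname sma.example.test, the port 83 and the issuer URL are assumed values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion (not a captured one); hostname, port and
# issuer are assumed stand-ins for the appliance Entity ID and the AD FS host.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        SPNameQualifier="https://sma.example.test:83">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sp_entity_id):
    """Return the list of mismatches between the assertion and what the
    appliance's Service Provider settings expect; empty means all checks passed.
    Signature and encryption are out of scope here: only the claims are inspected."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["Subject carries no NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is %r, expected emailAddress" % name_id.get("Format"))
    qualifier = name_id.get("SPNameQualifier")
    if qualifier != sp_entity_id:
        problems.append("SPNameQualifier %r does not match SP Entity ID %r" % (qualifier, sp_entity_id))
    # The claim rule copies the e-mail claim value into the NameID, so both must agree.
    emails = [v.text for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == EMAIL_CLAIM
              for v in a.findall("saml:AttributeValue", NS)]
    if not emails:
        problems.append("no emailaddress claim in AttributeStatement")
    elif name_id.text not in emails:
        problems.append("NameID %r is not the e-mail claim value %r" % (name_id.text, emails))
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://sma.example.test:83") or "assertion OK")
```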
Configure PingFederate 7.2 to Communicate with Cisco Content Security Management Appliance
The following are the high-level tasks you need to perform to configure PingFederate 7.2 to communicate with your appliance. For complete and detailed instructions, see the Ping Identity documentation.
• Add your service provider's (appliance's) Assertion Consumer URL as an endpoint under protocol settings.
• Enter the service provider's (appliance's) Entity ID under SP Connection > General Info > Partner's Entity ID (Connection ID). Make sure that this value is the same as the Entity ID value in the Service Provider settings on your appliance.
• If you have configured your service provider (appliance) to send signed SAML authentication requests, upload the service provider's certificate under the Signature Verification section (SP Connection > Credentials > Signature Verification > Signature Verification Certificate).
• If you plan to configure PingFederate to send encrypted SAML assertions, upload the service provider's (appliance's) certificate under the Signature Verification section (SP Connection > Credentials > Signature Verification > Select XML Encryption Certificate).
• Edit the Attribute Contract to send the LDAP email address attribute (Attribute Sources & User Lookup > Attribute Contract Fulfillment).
Configure Identity Provider Settings on Cisco Content Security Management Appliance
Before You Begin
Make sure that you have:
• Configured the identity provider to communicate with your appliance. See
• Copied the identity provider metadata details or the exported metadata file.