Site Overlay

Cisco ISE Admin Portal Login via Okta SAML SSO


In this article I am going to explain how to leverage Cisco ISE and Okta Integration for implementing Single Sign On (SSO) for Cisco ISE Admin portal. In addition, this solution allows you to use One Time Password (OTP) for login flow in to the Cisco ISE GUI admin portal. 

Before moving on to the configuration part, it is good idea to understand some glossaries. Security Assertion Markup Language (SAML) is an open standard that allows Identity Source Provided (IdP) in order to pass authorization credentials to Service Provider (SP). SAML transactions use XML for standardized communications between the identity provider, in our case Okta, and service providers which in this scenario is Cisco ISE Admin Portal. The XML document that IdP sends to the SP includes user authentication status, user’s attributes, and authorization decision. This XML document is called SAML Assertion

The below diagram demonstrates transactions between a user browser, Cisco ISE admin portal (SP), and Okta (IdP). 


 The configuration steps are quite straight forward, however they must be done in the exact order. 

Cisco ISE Configuration Part 1

Step 1: Configure Okta as an external identity source

In the Cisco ISE navigate to the following direction.
Administration -> Identity Management -> External Identity Sources > SAML Id Providers and click the Add button. Enter the Identity Source Provider name, leave other tabs as it is and click on the Submit button. 

Step 2: Configure Cisco ISE Admin access authentication method

Now we need enable Cisco ISE to use the defined SAML Identity Source. Thus, navigate to Administration ->System -> Admin Access -> Authentication -> Authentication Method. Make sure the Password Based radio button is checked. Select the Okta IdP, which is created in the previous step, by clicking on the Identity Source drop down, and click Save.

Step 3: Export Service Provider Information

After you select the Okta IdP as an admin access authentication method, Cisco ISE creates Service Provider Information. In order to export the information, navigate to  Administration -> Identity Management -> External Identity Sources -> SAML Id Providers -> [Okta SAML Provider]. Click on the Service Provider Info tab, and click the Export button as shown in the image.

An XML file will be downloaded, and you need to open it with a text editor tool. Interested attributes in this XML file are as follows and we need them creating an application within the Okta.

  • entityID
  • AssertionConsumerSrevice (Normally you should see two of it with different index at the end)
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="">
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1"/>

Okta Configuration

Step 4: Creating an Okta SAML Application

Now we need to define the Cisco ISE Admin Portal as a SAML Application within the Okta. To do so, login to Okta admin portal, and navigate to Applications -> Applications and click on Create App Integration button. In the Create a new app integration select SAML 2.0 radio button, and click Next.

In General Settings, provide a proper name for the Cisco ISE Admin Portal application, in my case ISE_Admin_Portal, and click Next. Optionally, you can upload a logo for your application. 

In Configure SAML, in SAML Settings part, the following information must be provided:

  • Single sign-on URL -> this is the AssertionConsumerSrevice index 1 in the XML file (step 3)
  • Audience URI (SP Entity ID) -> this is the entity ID in the XML file (step 3)

In order to Okta sends group attribute values to Cisco ISE, Group attribute statement must be set according to the following image.

Notes: the Name parameter will be used latter in the Step 7

Then, click on Next and click on finish. Make sure you assign groups to the application. 
Then move to Sign On tab of the application, scroll down to the bottom. In the SAML Signing Certificate, click on Action button for the active certificate, and do:

  • Click on View IdP metadata, and save it as an XML file.
  • Download the certificate file 

Cisco ISE Configuration Part 2

Step 5: Upload Okta Certificate to Cisco ISE

Navigate to System -> Certificate -> Certificate Management -> Trusted Certificate and import the certificate you have downloaded from Okta. 

Step 6: Upload MetaData from Okta to Cisco ISE

Now, we are going to tell Cisco ISE how to redirect users to Okta for authentication. For doing this navigate to  Administration -> Identity Management -> External Identity Sources -> SAML Id Providers -> [Okta SAML Provider] and switch to Identity Provider Config tab. Click on Brows, and select the Metadata XML file you have downloaded form Okta earlier, and Click Save

Step 7: Configure SAML Groups on Cisco ISE

Groups configuration is mandatory for Cisco ISE Admin Portal. Thus, switch to Groups tab, and click on Add button. Information should be provided as blow, and keep in mind that for each Okta group that you want to have access to the Cisco ISE Admin Portal, you need to add a new group name in the Cisco ISE.

  • Name in Assertion: <Okta Group Name>
  • Name in ISE: the admin groups you have in Cisco ISE, and you must choose within the drop down menu 

In the Group Memberships Attribute you need to enter Groups ( you have defined it in the step 4 as a group membership attribute)

Now you can open Cisco ISE in another browser and you must see the new login option. 

If you get an error or see any issues, I would suggest the below link for troubleshooting. It tells you how to enable Debug in Cisco ISE.  

Cisco Docs

Leave a Reply

Your email address will not be published. Required fields are marked *