How to Create a Microsoft Azure AD (SAML) Realm for Active Authentication (Captive Portal)
This topic discusses the high-level tasks of creating a Microsoft Azure Active Directory (AD) realm for use with the Cisco Security Cloud Control.
Before you begin
If you enabled Change Management, you must open or edit, assign, and approve a ticket for each of the following objects before you can create the realm:
- Base URL
- Service provider certificate enrollment (PKCS12 format)
- Identity provider certificate enrollment (manual format)
- The realm itself (create and assign the ticket until realm creation is complete, then approve it)
For more information, see Opening a Ticket for Configuration Changes and Policies and Objects that Support Change Management.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | Create a fully-qualified host name (FQDN) using your DNS server and upload the Threat Defense's internal certificate to the Cisco Security Cloud Control. You can consult a resource such as this one if you've never done it before. Specify the IP address of a routed interface on one of the devices managed by your Cisco Security Cloud Control. | Consult a DNS server reference.
Step 2 | Enable the Cisco Secure Dynamic Attributes Connector. | The Cisco Secure Dynamic Attributes Connector is required to use a Microsoft Azure AD realm. You can do it first or you can enable it when you create the realm.
Step 3 | Create a network object with an associated internal certificate. |
Step 4 | Get a signed certificate and upload it to the Secure Firewall Threat Defense to which Azure AD authentication requests will be sent. | The certificate should be signed by a trusted Certificate Authority (CA) and delivered to you in .p12 format (also referred to as PKCS#12; see also this article on ssl.com). For background, see the section on public key infrastructure in the Cisco Secure Firewall Management Center Device Configuration Guide or stackoverflow.com. To upload the signed certificate, see Installing a Certificate Using a PKCS12 File.
Step 5 | Configure Microsoft Azure AD basic settings. | Several configuration tasks are required, including setting up an event hub, giving your application permission to the Microsoft Graph API, and enabling the audit log.
Step 6 | Create a single sign-on (SSO) app in Azure AD. | The SSO app enables users that request access to a protected network resource to authenticate with Azure AD. The SSO app provides both the federation XML that you can use to simplify realm creation and the identity provider certificate the Secure Firewall Threat Defense requires to securely authenticate with Azure AD.
Step 7 | Get the information required to configure your Microsoft Azure AD realm. | This information includes client and tenant IDs, the client secret, and other information stored in Microsoft Azure AD. See Get Required Information For Your Microsoft Azure AD Realm.
Step 8 | Configure a decryption policy with a Decrypt - Resign rule for the Azure Authentication Service so users can access web pages using the HTTPS protocol. | The Microsoft Azure AD realm can authenticate users only if the HTTPS traffic is decrypted before the traffic is sent to the realm. The Microsoft Azure AD realm itself is seen by the system as the Azure Authentication Service application.
Step 9 | Create an identity policy with an active authentication rule. | The identity policy enables selected users in your realm to access resources after authenticating with the SAML realm. For more information, see Create an Identity Policy.
Step 10 | Create access control policies and rules using your Microsoft Azure AD realm. | Unlike other types of realms, you do not need to create an identity policy or associate the identity policy with an access control policy. See Creating a Basic Access Control Policy and Create and Edit Access Control Rules.
Step 11 | Associate the identity and decryption policies with the access control policy from step 3. | This final step enables the system to authenticate users with the Microsoft Azure AD realm. For more information, see Associating Other Policies with Access Control.
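Steps 6 and 7 above rely on the SSO app's federation XML and identity provider (IdP) signing certificate. The following Python script is an added example, not code from this guide or from Cisco, showing how to pull the values a SAML service provider needs (IdP entity ID, single sign-on URLs per binding, and the signing certificate in PEM form) out of standard SAML 2.0 federation metadata, and how to flag endpoints that are not HTTPS before they are trusted. The metadata document, tenant ID, host names and certificate blob embedded below are constructed placeholders and do not come from Azure AD; the script uses only the Python standard library.

```python
"""Extract service-provider configuration values from SAML 2.0 IdP metadata.

Added example (not part of the original guide). The metadata below is
CONSTRUCTED: placeholder tenant id, '.invalid' host names and a certificate
blob that is just base64 of the word PLACEHOLDER, not a real X.509 DER.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

# Namespaces defined by the SAML 2.0 metadata and XML Signature specs.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a minimal IdP EntityDescriptor with one signing key.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.example.invalid/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            UExBQ0VIT0xERVI=
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.invalid/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.invalid/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (64-character lines)."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, SSO endpoints keyed by binding, and signing certs (PEM)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    result = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": []}
    for svc in idp.findall("md:SingleSignOnService", NS):
        result["sso"][svc.get("Binding")] = svc.get("Location")

    for kd in idp.findall("md:KeyDescriptor", NS):
        # Per the metadata spec, a KeyDescriptor without 'use' serves both
        # signing and encryption, so it is accepted as a signing key too.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            raw = "".join((cert.text or "").split())  # strip whitespace/newlines
            der = base64.b64decode(raw, validate=True)
            result["signing_certs"].append(der_to_pem(der))

    if not result["signing_certs"]:
        raise ValueError("no IdP signing certificate in metadata")
    return result


def findings(parsed: dict) -> list:
    """Configuration checks a defender wants before trusting the metadata."""
    issues = []
    for binding, location in parsed["sso"].items():
        if not location.startswith("https://"):
            issues.append("SSO endpoint for %s is not HTTPS: %s" % (binding, location))
    if HTTP_POST not in parsed["sso"] and HTTP_REDIRECT not in parsed["sso"]:
        issues.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if len(parsed["signing_certs"]) > 1:
        issues.append("multiple signing certificates present (key rollover in progress?)")
    return issues


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID:", parsed["entity_id"])
    for binding, location in parsed["sso"].items():
        print("SSO", binding.rsplit(":", 1)[-1], "->", location)
    print(parsed["signing_certs"][0])
    print("findings:", findings(parsed) or "none")
```

When run against real metadata, the PEM block this produces is the identity provider certificate to enrol manually (the "manual format" enrollment listed under Before you begin), and the entity ID and SSO URL are the values the realm asks for; an HTTP (non-TLS) SSO location or an unexpected extra signing certificate is worth investigating before the realm is approved.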