Once you have your SSO authentication source working, continue to the next step of creating the Cisco ASA application in Duo. Configure Single Sign-Onīefore configuring Cisco ASA you'll first need to enable Duo Single Sign-On for your Duo account and configure a working authentication source. Duo checks the user, device, and network against an application's policy before allowing access to the application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Cisco ASA. Duo Single Sign-On acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) or any SAML 2.0 IdP and prompting for two-factor authentication before permitting access to Cisco ASA.ĭuo Single Sign-On is available in Duo Beyond, Duo Access, and Duo MFA plans, which also include the ability to define policies that enforce unique controls for each individual SSO application. Trusted Endpoints detection on Android does not rely on certificates, so there is no dependency on a specific An圜onnect app version.įamiliarize yourself with the limitations of ASA SAML 2.0 authentication by reviewing the Use Single Sign-On with Clientless SSL VPN documentation in the Cisco ASA Series VPN CLI Configuration Guide.ĭuo Single Sign-On is our cloud-hosted SSO product which layers Duo's strong authentication and flexible policy engine on top of Cisco ASA logins using the Security Assertion Markup Language (SAML) 2.0 authentication standard. Add Duo protection to earlier ASA versions with our ASA LDAPS SSL VPN or ASA RADIUS with An圜onnect configurations.ĭuo Beyond customers should be aware of these An圜onnect client minimum version requirements for Duo's Trusted Endpoints certificate detection.
Prior versions of ASA firmware and An圜onnect do not support SAML login or use a different browser experience. Primary and Duo secondary authentication occur at the identity provider, not at the ASA itself.Ĭisco ASA SSO requires ASA version of 9.7.1.24, 9.8.2.28, 9.9.2.1, or higher of these releases, or 9.10 and later, plus An圜onnect 4.6 or later. This deployment option requires that you have a SAML 2.0 identity provider (IdP) in place that features Duo authentication, like Duo Single Sign-On. Overviewĭuo's SAML SSO for ASA supports inline self-service enrollment and the Duo Prompt for An圜onnect and web-based SSL VPN logins. Duo Federal customers or those looking for an on-premises SSO solution: try Duo Protection for Cisco ASA SSO with An圜onnect with Duo Access Gateway.
0 kommentar(er)
