Cloud Web Security: Configure user/group attributes with PingFederate and ADFS Whilst using SAML.

Available Languages

Download Options

  • PDF     (5.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (78.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (74.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 23, 2015
Document ID:200144

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to configure PingFederate and ADFS (Active Directory Federated Services) IDP servers to send user/group details to the Cloud Web Security service in order to granularly filter policies.

Requirements

Cisco recommends that you have a basic understanding of the following.

  • Administrative login/access to the PingFed/ADFS server
  • Knowledge of how to navigate the PingFed/ADFS server
  • In order for granulairty to work on HTTPS traffic, HTTPS inspection must be enforced for all traffic

Configuration

Please follow below steps to Configure user/group attributes with PingFederate and ADFS .

PingFed

Under Attribute sources > User lookup tab:

  • Attribute Contract: AUTHENTICATED_GROUPS

        Source:LDAP

        Value: memberOf

  • Attribute Contract: SAML_SUBJECT

        Source: LDAP

        Value: sAMAccountName

ADFS

Under Trust relationships > Relying party trusts tab:

  • LDAP Attribute Contract: SAM-Account-Name

       Outgoing Claim Type LDAP: Name ID

  • LDAP Attribute Contract: Token-Groups

       Outgoing Claim Type LDAP: Group

Verify

Troubleshoot

There is no troubleshooting section for this document.

Revision History

Revision Publish Date Comments
1.0
21-Apr-2016
Initial Release
TAC Authored

Contributed by Cisco Engineers

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products