Configure Secure Firewall Management Center Access with Duo SSO

Available Languages

Download Options

  • PDF     (849.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (942.8 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (810.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 26, 2023
Document ID:220639

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure the Secure Firewall Management Center (FMC) to authenticate via Single Sign-On (SSO) for management access.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:
    • Basic understanding of Single Sign-On and SAML
    • Understanding of the configuration on the Identity Provider (iDP)

    Components Used

    The information in this document is based on these software versions:
    • Cisco Secure Firewall Management Center (FMC) version 7.2.4
    • Duo as the Identity Provider

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    These iDPs are supported and are tested for authentication:
    • Okta
    • OneLogin
    • PingID
    • Azure AD
    • Others (Any iDP that conforms to SAML 2.0)

    note-icon

    Note: No new license requirement. This feature works in licensed as well as evaluation mode.


    Limitations and Restrictions
    These are known limitations and restrictions for SSO authentication for FMC access:
    • SSO can be configured only for the Global Domain.
    • FMC devices participating in HA Pair requires individual configuration.
    • Only Local/AD admins can configure SSO on FMC (SSO admin users are unable to configure/update SSO settings on FMC).

    Network Diagram

    Network Diagram

    Configuration Steps on the Identity Provider (Duo)

    From the Dashboard, navigate to Applications:

    Example url: https://admin-debXXXXX.duosecurity.com/applications

    Navigate to the Applications Tab

    Select Protect an Application.

    Select Protect an Application

    Search for Generic SAML Service Provider.

    Search for Generic SAML Service Provider

    Download Certificate and XML.

    Download Certificate and XML

    Configure Service Provider.

    Enter the SAML Settings:
    Single sign on URL: https://<fmc URL>/saml/acs
    Audience URI (SP Entity ID): https://<fmc URL>/saml/metadata
    Default RelayState: /ui/login

    Configure Service Provider


    Configure Apply Policy to All Users.

    Configure Apply Policy to All Users

    Detailed Apply a Policy.

    Choose necessary administrator group from the appropriate Custom Policy.

    Detailed Apply a Policy

    Configure necessary administrative settings.

    Configure Necessary Administrative Settings

    Save Application.

    Save Application


    Configuration Steps on Secure Firewall Management Center


    Log in to the FMC with Admin privileges. Navigate to System > Users.

    Firewall Management Center Users

    Click Single Sign-On, as shown in this image.

    Activate Single Sign-On


    Enable the Single Sign-On option (Disabled by default).

    Enable the Single Sign-On


    Click Configure SSO to begin SSO configuration on FMC.

    Configure SSO to Begin SSO Configuration on FMC


    Select the Firewall Management Center SAML Provider. Click Next.


    For the purpose of this demonstration, Other is used.

    Select Firewall Management Center SAML Provider

    You can also choose Upload XML file and upload the XML file retrieved earlier from Duo Configuration.

    Upload XML File


    Once the file is uploaded, the FMC displays the metadata. Click Next, as shown in this image.

    FMC displays Metadata


    Verify the metadata. Click Save, as shown in this image.

    Verify the Metadata

    Configure the Role Mapping/Default User Role under Advanced Configuration.

    Configure the Role Mapping/Default User Role


    In order to test the Configuration, click Test Configuration, as shown in this image.

    Test the Configuration

    Example shown of a successful test connection.

    Example of a Successful Test Connection


    Click Apply to save the configuration.

    Save the Configuration


    SSO is enabled successfully.

    SSO Enabled Successfully

    Verify


    Navigate to the FMC URL from your browser: https://<fmc URL>. Click Single Sign-On.

    Navigate to the FMC URL from your Browser

    You are directed to the iDP (Duo) Login Page. Provide your SSO credentials. Click Sign in.

    DUO Single Sign-On


    If successful, you are be able to log in and see the FMC default page.
    In FMC, navigate to System > Users to see the SSO user added to the database.

    User Database

    Revision History

    Revision Publish Date Comments
    1.0
    26-Jul-2023
    Initial Release

    Contributed by

    • Tristan Conner
      Information Security Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products