Before you begin
Make sure that you have:
• Configured your appliance as a service provider. See Configure Cisco Email Security Appliance as a Service Provider, on page 63.
• Copied the service provider metadata details or exported the metadata file. See Configure Cisco Email Security Appliance as a Service Provider, on page 63.
Procedure
Step 1 On the identity provider, do one of the following:
• Manually configure the details of the service provider (your appliance).
• If your identity provider allows you to load the service provider details from a metadata file, import the metadata file.
If you have configured your appliance to sign the SAML authentication requests or you plan to encrypt SAML assertions, make sure that you add the relevant certificate to the identity provider.
For identity provider-specific instructions, see:
• Configure AD FS to Communicate with Cisco Email Security Appliance, on page 67.
• Configure Duo Access Gateway to Communicate with Cisco Email Security Appliance, on page 67.
• Configure Azure AD to Communicate with Cisco Email Security Appliance, on page 68.
Step 2 Note down the identity provider metadata or export the metadata as a file.
System Administration Configuring the Identity Provider to Communicate with Cisco Email Security Appliance
What to do next
Configure the identity provider settings on your appliance. See Configure Identity Provider Settings on Cisco Email Security Appliance, on page 68.
Configure AD FS to Communicate with Cisco Email Security Appliance
The following are the high-level tasks you need to perform to configure AD FS (2.0 and later) to communicate with your appliance. For complete and detailed instructions, see the Microsoft documentation.
• Add the service provider’s (appliance’s) Assertion Consumer URL as a relying party.
• Enter the service provider’s (appliance’s) Entity ID under Relying Party Trusts > Properties > Identifiers > Relying Party Identifier. Make sure that this value is the same as the Entity ID value in the Service Provider settings on your appliance.
• If you have configured your service provider (appliance) to send signed SAML authentication requests, upload the service provider’s certificate (used to sign authentication requests) in .cer format under Relying Party Trusts > Properties > Signature.
• If you plan to configure AD FS to send encrypted SAML assertions, upload the service provider’s (appliance’s) certificate in .cer format under Relying Party Trusts > Properties > Encryption.
• Set the Secure-hash Algorithm to SHA-1 under Relying Party Trusts > Properties > Advanced.
• Add a custom rule to include SPNameQualifier in the response. The following is a sample custom rule (as printed, the rule set the format claim property twice; the second entry is shown here as the spnamequalifier claim property, and <service-provider-entity-id> is a placeholder for your appliance’s Entity ID):
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<service-provider-entity-id>");
• Edit the Claim Rule and add an Issuance Transform Rule to send the LDAP attribute for email address as an outgoing claim type (email address). Also ensure that you add an Issuance Transform Rule to send the LDAP group attribute as an outgoing claim type (unspecified groups).
Configure Duo Access Gateway to Communicate with Cisco Email Security Appliance
The following are the high-level tasks you need to perform to configure Duo Access Gateway to communicate with your appliance. For complete and detailed instructions, see the Duo Security documentation.
• Add the service provider’s (appliance’s) Assertion Consumer URL as the service provider endpoint that receives and processes SAML assertions.
• Enter the service provider’s (appliance’s) Entity ID under Duo Admin Panel > Applications > Protect an Application > SAML Service Provider. Make sure that this value is the same as the Entity ID value in the Service Provider settings on your appliance.
• If you have configured your service provider (appliance) to send signed SAML authentication requests, upload the service provider’s certificate (used to sign authentication requests) in .cer format when you configure the authentication source on the Duo Access Gateway.
• If you plan to configure Duo to send encrypted SAML assertions, upload the service provider’s (appliance’s) certificate in .cer format when you configure the authentication source on the Duo Access Gateway.
• Select the NameID format as “unspecified” under Duo Admin Panel > Applications > Protect an Application > SAML Service Provider > SAML Response.
• Set the Secure-hash Algorithm to SHA-256 under Duo Admin Panel > Applications > Protect an Application > SAML Service Provider > SAML Response.
• Save the SAML - Service Provider Setting as a configuration file on the Duo Admin Panel and import the configuration file as a SAML application on the Duo Access Gateway.
Configure Azure AD to Communicate with Cisco Email Security Appliance
The following are the high-level tasks you need to perform to configure Azure AD to communicate with your appliance. For complete and detailed instructions, see the Microsoft Azure AD documentation.
• Add the service provider’s (appliance’s) Assertion Consumer URL as the service provider identifier that receives and processes SAML assertions.
• Enter the service provider’s (appliance’s) Entity ID in the Azure Portal under Enterprise Application > New Application > Non-gallery application > Single Sign-On > Basic SAML Configuration. Make sure that this value is the same as the Entity ID value in the Service Provider settings on your appliance.
• If you have configured your service provider (appliance) to send signed SAML authentication requests, upload the service provider’s certificate (used to sign authentication requests) under the SAML Signing Certificate section (Enterprise Application > New Application > Non-gallery application > Single Sign-On > SAML Signing Certificate).
• Configure a Group Claim under the User Attributes and Claims section (Enterprise Application > New Application > Non-gallery application > Single Sign-On > User Attributes and Claims) and add the group attribute.
• Add users and/or groups under the Azure application created for SAML > Users & Groups to control which users can log in to this Azure SAML application.