Cisco

The Cisco integration supports SAML 2.0 across multiple products including Secure Firewall with AnyConnect VPN, Unified Communications Manager, and Security Cloud, replacing passwords with biometric verification.

Integration type

SSO

Overview

Cisco supports SAML 2.0 across multiple product lines including Cisco Secure Firewall ASA (formerly Cisco ASA) with AnyConnect/Secure Client for VPN authentication, Cisco Unified Communications Manager (CUCM) for collaboration access, and Cisco Security Cloud for cloud security management. 1Kosmos can be configured as the SAML identity provider for any of these products, replacing password-based authentication with biometric verification via the 1Kosmos mobile app.

For Cisco Secure Firewall ASA, SAML SSO is configured per tunnel group via ASDM or the CLI. The SP metadata for each tunnel group is retrieved with the CLI command show saml metadata. For CUCM, an XML metadata file is generated per cluster node or per cluster depending on the SSO mode selected. For Cisco Security Cloud, the IdP is configured under Access and Authentication in the management console.

The specific configuration steps depend on which Cisco product and version is being integrated. Contact your 1Kosmos representative to confirm the correct path for your Cisco environment before beginning.


Prerequisites

  • Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.

  • Cisco product administrator access: Admin rights appropriate to the product being configured (ASDM access for ASA/Secure Firewall, CallManager Administration for CUCM, management console admin for Security Cloud).

  • Version compatibility: SAML SSO requires Cisco ASA 9.7.1.24 or later with AnyConnect 4.7 or later for VPN use cases. CUCM SAML SSO requires CUCM 10.5 or later. Confirm your version before proceeding.

  • 1Kosmos SAML certificate installed on Cisco (for ASA/Firewall): The 1Kosmos signing certificate must be installed as a trusted CA certificate on the Cisco ASA before the SAML trustpoint can be configured.

  • 1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.


Configuration values

Values to collect from 1Kosmos AdminX (IdP) for Cisco (field, then where to find it):

  • SAML Metadata URL or XML: AdminX → Settings → IdP Configuration → Metadata URL

  • SSO URL: AdminX → Settings → IdP Configuration → Single SignOn Service URL

  • IdP Entity ID: AdminX → Settings → IdP Configuration → Core Configuration

  • Signing Certificate (Base64 PEM): AdminX → Settings → IdP Configuration → View Certificate → Public Key. Install on the ASA as a CA trustpoint for VPN use cases.

Values to collect from Cisco (SP) for AdminX (product, then how to retrieve the SP values):

  • Cisco Secure Firewall / ASA (VPN): via CLI, show saml metadata "Tunnel_Group_Name". Outputs the ACS URL, SP Entity ID, and SLO URL for that tunnel group.

  • Cisco Unified Communications Manager (CUCM): the SP metadata XML file is generated by CUCM after SSO is enabled. Download it from the CUCM administration interface.

  • Cisco Security Cloud: found in the SAML Authentication section under Settings → Access and Authentication. Download the SP metadata file.


Integration steps

Step 1: Install the 1Kosmos signing certificate on Cisco ASA (VPN use case)

  • Download the 1Kosmos signing certificate PEM file from AdminX → Settings → IdP Configuration → View Certificate.

  • Log in to the Cisco ASA via ASDM, navigate to Configuration → Device Management → Certificate Management → CA Certificates, and click Install Certificate. Select the 1Kosmos PEM file and install it as a trusted CA trustpoint.

  • Name the trustpoint (e.g., "1Kosmos-IDP") for reference in the tunnel group SAML configuration.
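The same import done from the CLI instead of ASDM, as an added example that is not part of the original page or of 1Kosmos or Cisco documentation. The trustpoint name (matching Step 2), the "ciscoasa" prompt and the abbreviated device prompts are assumptions; the PEM body is a placeholder for the certificate downloaded from AdminX.

```text
! Added example: CLI equivalent of Step 1. Trustpoint name matches Step 2.
ciscoasa(config)# crypto ca trustpoint 1Kosmos-IDP
ciscoasa(config-ca-trustpoint)# enrollment terminal
! Only needed if the import is refused because the 1Kosmos signing certificate
! is a self-signed leaf rather than a CA certificate (no CA basic constraint).
ciscoasa(config-ca-trustpoint)# no ca-check
ciscoasa(config-ca-trustpoint)# exit
ciscoasa(config)# crypto ca authenticate 1Kosmos-IDP
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<paste the Base64 body of the certificate downloaded from AdminX here>
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint:     <fingerprint printed by the ASA>
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
! Confirm what was installed and note the validity dates.
ciscoasa(config)# show crypto ca certificates 1Kosmos-IDP
```

Before answering "yes", compare the fingerprint the ASA prints with the one computed from the downloaded file (for example openssl x509 -in 1kosmos.pem -noout -fingerprint -md5 or -sha1, matching the digest the ASA shows) so a tampered or wrong certificate is caught at import time. The ASA validates assertion signatures against this trustpoint, so when 1Kosmos rotates its signing certificate the new one must be imported before the old one expires or VPN SAML logins will start failing.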

Step 2: Configure the SAML IdP on Cisco ASA (VPN use case)

  • Connect to the ASA via SSH and run the following commands to configure 1Kosmos as the SAML IdP for your tunnel group:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# saml idp https://your-tenant.1kosmos.net/saml/metadata
ciscoasa(config-webvpn-saml-idp)# url sign-in https://your-tenant.1kosmos.net/adminapi/community/default/sso
ciscoasa(config-webvpn-saml-idp)# trustpoint idp 1Kosmos-IDP
ciscoasa(config-webvpn-saml-idp)# trustpoint sp [your-sp-trustpoint]
ciscoasa(config-webvpn-saml-idp)# exit
ciscoasa(config-webvpn)# exit
ciscoasa(config)# tunnel-group [Tunnel_Group_Name] webvpn-attributes
ciscoasa(config-tunnel-webvpn)# authentication saml
ciscoasa(config-tunnel-webvpn)# saml identity-provider https://your-tenant.1kosmos.net/saml/metadata
ciscoasa(config-tunnel-webvpn)# exit

  • The value after saml idp, and the identical value after saml identity-provider in the tunnel group, must be the IdP Entity ID exactly as shown in AdminX → Settings → IdP Configuration → Core Configuration, because the ASA matches the Issuer of incoming assertions against it. trustpoint idp is the CA trustpoint created in Step 1; trustpoint sp is the trustpoint holding the ASA's own identity certificate, which the ASA uses to sign the SAML requests it sends to 1Kosmos.

  • Run show saml metadata "Tunnel_Group_Name" to retrieve the SP ACS URL and Entity ID generated by the ASA for this tunnel group.

Step 3: Add the Cisco product as a SAML application in AdminX

  • Log in to the AdminX portal and navigate to Applications → Add Application.

  • Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.

  • Enter the Cisco product name (e.g., "Cisco ASA VPN") as the Application Name, set Instance to Production, and enter the Cisco login URL as the Application Access URL. Click Next.

  • Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email.

  • Add claims mappings for email (Username). Click Next.

  • Enter the Cisco SP Entity ID and ACS URL from the show saml metadata command output. Set Method to POST, enable Assertion signing, and click Save.
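The SP values entered in this step come out of SAML metadata, whether printed by show saml metadata on the ASA or downloaded from CUCM or Security Cloud. The following script, added here as an example and not code from the original page or from 1Kosmos, extracts the SP Entity ID, ACS URL and SLO URL from such metadata and warns where the SP's declared settings disagree with what this step configures in AdminX (POST binding, signed assertions). The embedded metadata is a constructed sample in the shape of ASA output; the hostname and tunnel-group name are placeholders.

```python
"""Extract the SP values AdminX needs from SAML 2.0 SP metadata and flag
settings that conflict with the AdminX configuration in Step 3."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like ASA-generated SP metadata for one tunnel group.
# Hostname and tunnel-group name are placeholders, not real values.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/saml/sp/metadata/Remote_Access_Group">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://vpn.example.com/+CSCOE+/saml/sp/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Remote_Access_Group"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the fields to copy into the AdminX SAML application."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # Common mistake: pasting IdP metadata where SP metadata is expected.
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not SP metadata")

    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint in SP metadata")
    # Prefer the endpoint the SP marks as default, else the lowest index.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"),
               min(acs_list, key=lambda a: int(a.get("index", "0"))))
    slo = sp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "nameid_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
    }


def check_sp_metadata(info: dict) -> list:
    """Warnings where the SP metadata disagrees with the AdminX settings in Step 3."""
    warnings = []
    for key in ("acs_url", "slo_url"):
        url = info.get(key)
        if url and urlparse(url).scheme != "https":
            # Assertions would be posted in the clear; fix the SP before going on.
            warnings.append(f"{key} is not https: {url}")
    if info["acs_binding"] != POST_BINDING:
        warnings.append(f"ACS binding is {info['acs_binding']}; AdminX Method should be POST")
    if not info["want_assertions_signed"]:
        warnings.append("SP does not require signed assertions; enable assertion signing anyway")
    return warnings


if __name__ == "__main__":
    values = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in values.items():
        print(f"{key}: {value}")
    for warning in check_sp_metadata(values):
        print("WARNING:", warning)
```

Feed it the real metadata with parse_sp_metadata(open("sp.xml").read()); on the ASA, copy the XML printed by show saml metadata into a file first. The entity_id and acs_url values are what go into the SP Entity ID and ACS URL fields in AdminX, and the ACS binding is what the Method setting must match.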

Step 4: For CUCM (additional steps)

  • In Cisco Unified CM Administration, navigate to System → SAML Single Sign-On and enable SSO.

  • Upload the 1Kosmos metadata XML file when prompted.

  • Download the CUCM SP metadata file and use it to create a separate AdminX SAML application entry for CUCM following the same steps as Step 3.

  • Confirm the NameID format uses urn:oasis:names:tc:SAML:2.0:nameid-format:transient for CUCM and that the uid attribute is mapped in the 1Kosmos claims to the user's Active Directory sAMAccountName or the equivalent LDAP attribute expected by CUCM.

Step 5: Test the integration

  • Navigate to your Cisco VPN URL or product login page and select the SSO or SAML login option.

  • Confirm you are redirected to the 1Kosmos login screen. Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.

  • Confirm you are authenticated and granted access to the Cisco environment.

  • Test with a single user before enabling SAML as the primary authentication method for all users or tunnel groups.
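When a test login in this step fails, or before enabling SAML for more users, it helps to inspect the actual SAMLResponse rather than guess. The script below is an added example, not code from the original page or from 1Kosmos: it takes the decoded response (the base64 SAMLResponse form field the browser POSTs to the Cisco ACS URL, as captured with a browser SAML tracer) and checks the points this guide calls out for each product, namely Success status, a signed assertion, the NameID format (emailAddress for the ASA, transient for CUCM), the audience matching the SP Entity ID, the validity window and, for CUCM, the uid attribute. The embedded response is a constructed sample with placeholder IDs, hostnames, tenant and user, and a stub Signature element; the script checks the shape and claims only and does not verify the XML signature, which the ASA or CUCM does with the trustpoint or metadata you installed.

```python
"""Check a decoded SAMLResponse from a Step 5 test login against what the
Cisco SP expects. Claims and structure only; no XML-DSig verification."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Per-product expectations, taken from this guide's attribute-mapping notes.
PROFILES = {
    "asa": {"nameid_format": EMAIL_FORMAT, "required_attrs": ()},
    "cucm": {"nameid_format": TRANSIENT_FORMAT, "required_attrs": ("uid",)},
}

# Constructed sample for the ASA profile: placeholder IDs, hostnames, tenant and
# user; ds:Signature is a stub element, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z"
    Destination="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Remote_Access_Group">
  <saml:Issuer>https://your-tenant.1kosmos.net/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
    <saml:Issuer>https://your-tenant.1kosmos.net/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>stub</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T11:55:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com/saml/sp/metadata/Remote_Access_Group</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_AUDIENCE = "https://vpn.example.com/saml/sp/metadata/Remote_Access_Group"


def _ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2025-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decode_saml_response(form_value: str) -> str:
    """The HTTP-POST binding carries the Response as plain base64 (no deflate)."""
    return base64.b64decode(form_value).decode("utf-8")


def check_response(xml_text: str, product: str, expected_audience: str, now=None) -> list:
    """Return a list of problems; empty means the response fits the product profile.
    `now` may be a datetime or an ISO string and defaults to the current UTC time."""
    profile = PROFILES[product]
    now = datetime.now(timezone.utc) if now is None else (_ts(now) if isinstance(now, str) else now)
    root = ET.fromstring(xml_text)
    problems = []

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # EncryptedAssertion or nothing at all; nothing more can be inspected here.
        return problems + ["no plaintext Assertion in response"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed; enable assertion signing in AdminX")

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        problems.append("NameID missing or empty")
    elif nameid.get("Format") != profile["nameid_format"]:
        problems.append(f"NameID format is {nameid.get('Format')}, expected {profile['nameid_format']}")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include SP entity ID {expected_audience}")

    cond = assertion.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        problems.append("assertion outside its validity window")

    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in profile["required_attrs"]:
        if not any(attrs.get(name, [])):
            problems.append(f"required attribute {name!r} missing")
    return problems


if __name__ == "__main__":
    # The ASA-shaped sample fails the CUCM profile on NameID format and the uid claim.
    for problem in check_response(SAMPLE_RESPONSE, "cucm", SAMPLE_AUDIENCE, now="2025-01-01T12:00:30Z"):
        print("PROBLEM:", problem)
```

For a real capture, call check_response(decode_saml_response(captured_field), "asa", sp_entity_id) with the SP Entity ID from show saml metadata, or "cucm" with the entityID from the CUCM SP metadata file. A validity-window failure on an otherwise correct response usually means clock skew between 1Kosmos and the Cisco device, which is worth ruling out before changing any SAML settings.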


Attribute mappings

Source (1Kosmos) → Target (Cisco), with a description of each mapping:

  • user.email → NameID (emailAddress): primary SSO identifier for most Cisco products.

  • user.samaccountname (or uid) → uid attribute: required for CUCM; must match the AD user account identifier.

  • user.firstName → first_name: user first name.

  • user.lastName → last_name: user last name.

Integration notes

Cisco ASA SAML configuration is per tunnel group, meaning each VPN profile that requires SSO needs its own SAML identity provider assignment.

If your ASA has multiple tunnel groups requiring 1Kosmos SSO, repeat the SAML IdP assignment step for each group. After changing the SAML IdP configuration on a Cisco ASA, you must remove and re-apply the saml identity-provider command from the tunnel group for changes to take effect.

For CUCM deployments, the NameID format must be transient as CUCM does not support persistent or email-based NameID formats in its SSO implementation. Confirm the uid attribute mapping in AdminX matches the LDAP attribute your CUCM deployment uses to identify users.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
