Download DualShield IdP certificate

  1. Log in to the DualShield console and select "SSO".
  2. Open the SSO Server's context menu and select "Download IdP Certificate".

Upload DualShield IdP certificate

The DualShield IdP certificate downloaded in the previous step needs to be uploaded to the Cisco ASA, where it is used to verify the signature on SAML responses from the IdP.

  1. Launch Cisco ASDM
  2. Navigate to "Remote Access VPN | Certificate Management | CA Certificates"
  3. Click "Add", enter a "Name" and install the IdP certificate downloaded earlier

Create Cisco SP certificate

In SAML authentication, the Cisco ASA is the so-called Service Provider (SP), and it needs an SSL server certificate, which the ASA also uses to sign its SAML requests. You can ask the ASA to create a self-signed certificate.

  1. Launch Cisco ASDM
  2. Navigate to "Remote Access VPN | Certificate Management | Identity Certificates"
  3. Click "Add"
  4. Select the option "Add a new identity certificate"
  5. Tick "Generate self-signed certificate"
  6. Click "Add Certificate"

Extract DualShield IdP metadata

  1. Log in to the DualShield console and select "SSO".
  2. Open the SSO Server's context menu and select "View".

Make a note of the "entityID", "Login URL" and "Logout URL" shown in the SSO Server view; they are needed when configuring the SAML identity provider on the ASA.

Modify "Connection Profiles" in ASA

  1. Launch Cisco ASDM
  2. Navigate to "Remote Access VPN | Clientless SSL VPN Access | Connection Profiles"
  3. Click "Add" in the "Connection Profiles" panel
  4. Enter "Name" and "Aliases"
  5. In "Authentication – Method", select "SAML"
  6. Enable "Enable clientless SSL VPN protocol"
  7. Click the "Manage…" button
  8. Click "Add"
  9. Enter the "IdP Entity ID", "Sign in URL" and "Sign out URL" which were found in the previous steps.
  10. Select the correct "Identity Provider Certificate"
  11. Select the correct "Service Provider Certificate"
  12. Select "rsa-sha1" in the "Request Signature" drop-down list.
  13. Click "OK"
  14. Click "Apply" to save the configuration.

Download Cisco SP metadata

Launch a web browser and navigate to https://[ASA-FQDN]/saml/sp/metadata/[saml vpn connection profile name], for example https://192.168.15.1/saml/sp/metadata/samlvpn

Save the metadata displayed in the browser as a text file, then open the file in a text editor, e.g. Notepad.

In the service URLs contained in the metadata, replace every "+" character with the string "%2b".

Save the file.
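The two manual steps above (reading entityID, Login URL and Logout URL from the IdP, and rewriting "+" as "%2b" in the SP metadata URLs) can be scripted so the values are not retyped by hand. The following is an added example, not part of this page or of DualShield or Cisco software. The two metadata documents are constructed samples that follow the SAML 2.0 metadata schema; the IdP hostname, the IdP URLs and the certificate content (a placeholder base64 string, not a real certificate) are assumptions, and the ASA URL shape with "+CSCOE+" mirrors the example address used above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes when re-serialising

# Constructed sample IdP metadata (assumed hostname; certificate is a placeholder).
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/dualshield/sso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAECAwQFBgc=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/dualshield/sso/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/dualshield/sso/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample SP metadata in the shape the ASA publishes for profile "samlvpn".
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://192.168.15.1/saml/sp/metadata/samlvpn">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://192.168.15.1/+CSCOE+/saml/sp/logout?tgname=samlvpn"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://192.168.15.1/+CSCOE+/saml/sp/acs?tgname=samlvpn" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the IdP values the ASA connection profile needs, plus the
    SHA-256 fingerprint of the signing certificate so it can be compared
    with the certificate installed under CA Certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    cert_el = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    der = base64.b64decode("".join(cert_el.text.split()))  # strip whitespace, decode DER
    return {
        "entity_id": root.get("entityID"),
        "login_url": sso.get("Location"),
        "logout_url": slo.get("Location"),
        "cert_sha256": hashlib.sha256(der).hexdigest(),
    }


def fix_plus_in_locations(xml_text):
    """Rewrite every Location attribute containing '+' so that the character
    is percent-encoded as %2b. Returns (new_xml, [(old, new), ...]); an empty
    list on a second pass confirms nothing was missed."""
    root = ET.fromstring(xml_text)
    changed = []
    for el in root.iter():
        loc = el.get("Location")
        if loc and "+" in loc:
            fixed = loc.replace("+", "%2b")
            el.set("Location", fixed)
            changed.append((loc, fixed))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    info = parse_idp_metadata(IDP_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    fixed_xml, changes = fix_plus_in_locations(SP_METADATA)
    for old, new in changes:
        print(f"rewrote {old} -> {new}")
    with open("sp-metadata-fixed.xml", "w") as fh:
        fh.write(fixed_xml)
```

Running the script prints the three IdP values to enter in step 9 of the connection profile, the fingerprint to check against the uploaded IdP certificate, and writes the corrected SP metadata to sp-metadata-fixed.xml. Only Location attributes are rewritten; the entityID is left untouched because the ASA's own entity ID does not contain "+".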
