Chapter 8: Identity, Policy, and Unified Management
Learning Objectives
Explain how identity integration drives unified policy — how identities from SAML IdPs, SCIM provisioning, Duo, and Cisco ISE are normalized into a single identity plane that policy rules reference.
Describe the unified policy model across all security services — how one policy engine applies consistent decisions across SWG, CASB, ZTNA, DNS security, and VPNaaS, including context, posture, and rule ordering.
Understand reporting, dashboards, and operational visibility — how the Overview and Security Insights dashboards, Activity Search, SIEM/log export, and Experience Insights give both in-console and analytics-grade visibility.
Pre-Reading Check — Identity Integration
1. What core question does SAML answer that SCIM does not?
Which users and groups exist ahead of any loginWho is logging in right now, at runtimeHow much data a user has transferredWhich SaaS apps are unsanctioned
2. In the Okta group-push pitfall, what silently breaks group sync into Secure Access?
Okta sends PUT while Secure Access requires PATCHOkta sends PATCH while Secure Access requires PUTThe SAML certificate has expiredThe clock skew exceeds the allowed window
3. When Duo SSO acts as an IdP proxy, what does it insert into an existing SAML chain?
A new primary directorySCIM provisioningMFA before federating to the backend IdPA storage bucket for logs
4. How does a Cisco ISE Security Group Tag (SGT) reach the Secure Access policy engine?
Via SAML assertion attributes onlyVia pxGrid Cloud consumed by Secure AccessBy manual CSV import exclusivelyThrough the Amazon S3 export path
5. What does Cisco Identity Intelligence (CII) add to the identity plane?
Static, one-time group membershipsDynamic trust/risk levels usable as adaptive policy conditionsA replacement for the primary IdPLong-term log archival
1. Identity Integration
The foundational idea in Cisco Secure Access is that identity is not handled separately per service. Cisco maintains a shared identity plane in Cisco Security Cloud Control, enriched by Cisco Identity Intelligence (CII), and every enforcement surface — SWG, CASB, ZTNA, DNS security, VPNaaS — references that same identity context. Think of a company badge: one badge, and each door reads the same badge and applies its own rule.
Key Points
SAML answers "who is logging in now?" (authentication at runtime); SCIM answers "which users/groups exist?" (provisioning before login). Reliable group-based policy depends on SCIM.
A subtle protocol mismatch can silently break group sync: Okta's custom SCIM connector defaults to PUT, but Secure Access strictly requires PATCH — logs show SUCCESS while memberships never update.
Duo SSO can act as an IdP or IdP proxy, inserting MFA into an existing SAML chain without re-architecting the identity stack.
Cisco ISE extends on-prem context (AD groups, posture, SGTs) into the cloud engine via pxGrid Cloud; for VPNaaS it can also serve as a RADIUS AAA server.
CII turns static group rules into adaptive, risk-aware access by attaching dynamic trust/risk levels to every identity.
SAML vs. SCIM
SAML delivers attributes at sign-in; that is fine for authenticating a session but fragile as the sole basis for group-based policy (SAML group claims hit size limits, struggle with nested groups, and reflect only the moment of login). SCIM continuously provisions user lifecycle events (create, update, disable), group memberships, and attributes into Cloud Control — so access can be revoked the moment a user is disabled in Entra ID, not at their next login.
SCIM provisions ahead of time; SAML authenticates at runtime
Two protocols, two questions. SCIM keeps the directory current before anyone logs in; SAML resolves who is signing in at the moment.
Figure 8.1: SAML runtime authentication versus SCIM ahead-of-time provisioning
sequenceDiagram
participant IdP as "Identity Provider (Entra/Okta/Duo)"
participant SCIM as "SCIM Provisioning"
participant CC as "Cisco Security Cloud Control"
participant User as "User Browser/Client"
participant SA as "Secure Access Policy Engine"
Note over IdP,CC: Provisioning (continuous, before login)
IdP->>SCIM: Push create/update/disable + group membership (PATCH)
SCIM->>CC: Sync users, groups, attributes
Note over CC: Identity directory kept current independent of any login
Note over User,SA: Authentication (at runtime)
User->>IdP: Sign-in request
IdP->>User: SAML assertion (UPN/email, groups, attributes)
User->>CC: Present SAML assertion
CC->>CC: Normalize into unified identity model
CC->>SA: Resolved identity + groups + attributes
SA->>User: Policy decision applied
Duo MFA and Device Trust
Duo SSO can authenticate against Duo's own database, on-prem Active Directory, or another SSO IdP. As a proxy, the flow is: Secure Access sends a SAML AuthnRequest to Duo → Duo performs MFA → Duo federates to the backend IdP for primary auth → Duo returns a SAML assertion to Secure Access. Risk-based conditions decide when a step-up is warranted (compliant/known → SSO; new device → MFA; non-compliant → deny). Device trust adds posture checks (OS version, EDR/AV presence, disk encryption, jailbreak/root) before ZTNA access — which is why "I passed MFA but still can't reach the app" is usually a posture problem, not an authentication one.
Figure 8.2: Duo SSO as an IdP proxy inserting MFA into an existing SAML chain
sequenceDiagram
participant SA as "Secure Access"
participant Duo as "Duo SSO (IdP proxy)"
participant User as "User"
participant Backend as "Backend IdP (ADFS/Entra/Okta)"
SA->>Duo: SAML AuthnRequest
Duo->>User: MFA challenge (push / passcode)
User->>Duo: MFA response
Duo->>Backend: Federate for primary authentication
Backend->>Duo: Primary auth result + identity/groups
Duo->>SA: SAML assertion (identity + group information)
User and Group-Based Policy
Once identity is integrated, its attributes become the raw material for policy: User ID (UPN/email), Groups (via SCIM and SAML), Roles/labels, ISE-derived SGTs, and CII trust/risk levels. Because every service references the same identity objects, one group definition drives coherent behavior everywhere.
Two-step: Entra SCIM (token + URL) and Entra SAML (SSO)
Okta
Yes
Yes
Must use a template that sends PATCH for group membership
Ping (PingOne/PingFederate)
Yes
—
SAMLv2-compliant
Active Directory
Indirect
Indirect
Reaches Secure Access via ADFS, Duo SSO, or Cisco ISE
Post-Reading Check — Identity Integration
1. What core question does SAML answer that SCIM does not?
Which users and groups exist ahead of any loginWho is logging in right now, at runtimeHow much data a user has transferredWhich SaaS apps are unsanctioned
2. In the Okta group-push pitfall, what silently breaks group sync into Secure Access?
Okta sends PUT while Secure Access requires PATCHOkta sends PATCH while Secure Access requires PUTThe SAML certificate has expiredThe clock skew exceeds the allowed window
3. When Duo SSO acts as an IdP proxy, what does it insert into an existing SAML chain?
A new primary directorySCIM provisioningMFA before federating to the backend IdPA storage bucket for logs
4. How does a Cisco ISE Security Group Tag (SGT) reach the Secure Access policy engine?
Via SAML assertion attributes onlyVia pxGrid Cloud consumed by Secure AccessBy manual CSV import exclusivelyThrough the Amazon S3 export path
5. What does Cisco Identity Intelligence (CII) add to the identity plane?
Static, one-time group membershipsDynamic trust/risk levels usable as adaptive policy conditionsA replacement for the primary IdPLong-term log archival
Pre-Reading Check — Unified Policy Engine
1. What is the architectural heart of the unified policy engine?
Each service maintains its own separate identity configurationThe same identity objects are referenced across every enforcement surfaceRules are evaluated in random orderPolicy is enforced only at the DNS layer
2. A policy rule pairs conditions with an action. Which four dimensions do conditions span?
4. A user authenticates successfully but matches no group-based rule. What is the most common cause?
The Overview dashboard is disabledInconsistent user identifier (email vs. UPN) across IdP/ISE/Secure AccessThousandEyes synthetic tests are failingThe S3 bucket policy is too restrictive
5. In the worked contractor example, what makes the SGT so powerful?
It only applies to the DNS surfaceA network-layer tag becomes a unified identity attribute used across all surfacesIt replaces the need for any IdPIt is generated fresh at each login by SAML
2. Unified Policy Engine
Cisco Secure Access exposes a centralized policy creation process that applies across its SSE and ZTNA services. Think of it as one policy engine with several enforcement surfaces bolted onto it, rather than several independent policy systems: SWG (web), CASB (SaaS), ZTNA (private apps), DNS security (queries), and VPNaaS (tunnels).
Key Points
One engine, several surfaces: the same identity objects are referenced everywhere, so identity is defined once and enforced many times.
A single normalized identity object radiates the same attributes to every enforcement surface — one group definition drives coherent behavior across SWG, CASB, ZTNA, DNS, and VPNaaS.
Context and Posture in Policy Decisions
Identity by itself is often not enough. When ISE is integrated, Secure Access associates SGTs, posture compliance, and RADIUS attributes with a session (via pxGrid/RADIUS), enabling conditions like "SGT = HR" or "ISE posture = non-compliant." CII trust can be a first-class condition too: "if CII trust = low, require reauth or block ZTNA." In the contractor example, an AD group "Contractors" → ISE SGT "Contractor-SGT" → consumed by Secure Access via pxGrid drives every surface at once.
Policy Ordering and the Six-Step Flow
Rules are evaluated in order, top-down. For a typical request the engine proceeds through six stages: (1) authenticate at the IdP, (2) resolve identity in Cloud Control against the SCIM record, (3) enrich with ISE SGTs/posture, (4) classify the request (web/SaaS/private/DNS), (5) evaluate the ruleset (global → identity → trust-based), and (6) enforce at the corresponding surface and log with full context.
The six-step policy-evaluation pipeline, lighting up in sequence
Authenticate → Resolve → Enrich → Classify → Evaluate → Enforce. This same flow is also your troubleshooting map — most policy surprises trace to steps 1–3.
Figure 8.4: The six-step policy-evaluation flow
flowchart TD
A["1. User Authentication redirect to IdP, SAML/OIDC + MFA"] --> B["2. Identity Resolution in Cloud Control match SCIM record, attach groups, CII trust"]
B --> C["3. Context Enrichment ISE SGTs, posture, RADIUS attributes"]
C --> D["4. Request Classification web / SaaS / private app / DNS + destination"]
D --> E["5. Ruleset Evaluation global then identity then trust-based rules, top-down"]
E --> F["6. Enforcement action applied at surface + logs to SIEM/XDR"]
Because identity and policy are unified, logs from every surface carry consistent identity attributes (user, group, SGT, trust level) — precisely what makes troubleshooting and SIEM/XDR correlation tractable. Common failure modes: attribute-mapping mismatches (email vs. UPN), SAML cert/clock-skew errors, SCIM group-sync failures (PATCH vs. PUT), MFA not actually required by policy, and posture unexpectedly blocking access.
Post-Reading Check — Unified Policy Engine
1. What is the architectural heart of the unified policy engine?
Each service maintains its own separate identity configurationThe same identity objects are referenced across every enforcement surfaceRules are evaluated in random orderPolicy is enforced only at the DNS layer
2. A policy rule pairs conditions with an action. Which four dimensions do conditions span?
4. A user authenticates successfully but matches no group-based rule. What is the most common cause?
The Overview dashboard is disabledInconsistent user identifier (email vs. UPN) across IdP/ISE/Secure AccessThousandEyes synthetic tests are failingThe S3 bucket policy is too restrictive
5. In the worked contractor example, what makes the SGT so powerful?
It only applies to the DNS surfaceA network-layer tag becomes a unified identity attribute used across all surfacesIt replaces the need for any IdPIt is generated fresh at each login by SAML
Pre-Reading Check — Visibility and Operations
1. Which dashboard operates at the security-posture altitude, pulling from SWG/ZTNA, CII, DLP, and App Discovery?
5. Why does unified identity make cross-tool SIEM correlation tractable?
Logs from every surface carry consistent identity attributesAll logs are stored only on the endpointEach surface uses a different user identifierRetention is unlimited by default
3. Visibility and Operations
A policy engine you cannot observe is a policy engine you cannot trust. Secure Access is delivered through a single, cloud-managed console (Cisco Security Cloud Control) that unifies policy, client management, and aggregated reporting — so you correlate traffic, threats, policy decisions, and user activity in one place instead of stitching together separate consoles.
Key Points
Three altitudes of visibility: dashboards (Overview for traffic, Security Insights for cross-service posture), Activity Search for per-event forensics, and Experience Insights for end-to-end performance.
Overview shows traffic/data-transfer metrics and top identities/destinations; Security Insights pulls posture from SWG/ZTNA controls, CII, DLP, and App Discovery.
Activity Search queries per-event logs (web, DNS/IP, ZTNA, DLP) with filtering, dashboard pivoting, and export; retention is finite (~30–90 days by license).
Export externally two ways: REST API (near-real-time detection, fine field control) and S3 storage bucket (cost-efficient, batch, long-term retention/analytics). Mature orgs use both.
Match the complaint to the tool: "slow/unreliable" → Experience Insights; "blocked/denied" → Activity Search; posture review → dashboards; retention/audit → SIEM/S3.
Dashboards and Activity Search
The Overview dashboard shows high-level traffic and the amount of data transferred, surfacing top identities, destinations, and locations for quick anomaly spotting. The Security Insights dashboard operates at the posture altitude — policy effectiveness, identity risk (risky OAuth grants), and DLP posture — for review, not per-incident troubleshooting. For event-by-event work you move to Activity Search, which supports filtering by user/group/IP/app/destination/category/policy/action/time, pivoting from a dashboard widget, and CSV/JSON export. Its online logs have a finite retention window, so anything longer-term needs SIEM/S3 export.
Reporting and Log Export / SIEM
In-console dashboards are operational windows; for long-term retention, compliance, and cross-tool correlation you export logs externally. API-based SIEM integration exposes REST APIs that SIEMs (Splunk, QRadar, Elastic) poll and normalize — near-real-time with fine field control. Storage-bucket / S3 export streams JSON/CSV files (written every few minutes) for cheap long-term retention and data-lake analytics. A common split: push only security-critical events via API for live correlation, and send full logs to S3 for archival.
Need
Better fit
Near-real-time detection
API (continuous polling)
Large-volume, long-term storage
S3 / storage bucket
Minimal custom integration
Vendor-provided SIEM app using the API
Flexible data-lake analytics
S3 + ETL stack
Figure 8.5: Two complementary log-export paths — REST API versus S3 storage bucket
graph TD
SA["Secure Access Logs web / DNS / ZTNA / DLP events"] --> API["REST API near-real-time, polled"]
SA --> S3["Storage Bucket / Amazon S3 batch files every few minutes"]
API --> SIEM["SIEM (Splunk/QRadar/Elastic) live correlation with EDR/NDR"]
S3 --> LAKE["Data Lake / ETL Spark, Databricks, BigQuery"]
S3 --> ARCHIVE["Long-term Retention compliance and audit"]
Experience Insights Monitoring
Security visibility answers "was this allowed or blocked?" — but users complain just as often about performance. Cisco ThousandEyes Experience Insights is embedded in the dashboard for end-to-end digital experience monitoring (DEM): endpoint performance (CPU, memory, Wi-Fi), network performance (segment-by-segment latency/jitter/packet-loss with remediations), cloud/app performance (synthetic tests when licensed), and a global endpoint topology map. Instead of chasing network, endpoint, and SaaS status pages separately, an admin selects the affected user/location and pinpoints whether the problem is the endpoint, local network, WAN, Secure Access, or the application — reducing MTTR and reclassifying many "security" tickets. Heuristic: "slow" → Experience Insights, "blocked" → Activity Search.
Post-Reading Check — Visibility and Operations
1. Which dashboard operates at the security-posture altitude, pulling from SWG/ZTNA, CII, DLP, and App Discovery?
5. Why does unified identity make cross-tool SIEM correlation tractable?
Logs from every surface carry consistent identity attributesAll logs are stored only on the endpointEach surface uses a different user identifierRetention is unlimited by default