Rublon

Secure Remote Access

By

Last updated on June 12, 2025

Note: If you are looking for a way to integrate Rublon with Cisco FTD Firepower Firewall, refer to MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – RADIUS and MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – LDAP(S).

Overview

The purpose of this document is to enable Rublon Multi-Factor Authentication (2FA) for users logging in to Cisco AnyConnect VPN with ASA. In order to achieve that using SAML, you have to use Rublon Access Gateway. All required steps will be described in this document.

Demo Video

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Demo Video

Before you start

You need to install and configure Rublon Access Gateway itself before configuring Cisco AnyConnect VPN with ASA to work with it. Please read the Rublon Access Gateway documentation and follow the steps in the Installation and Configuration sections. Afterward, continue with this document.

Required Components

  • Cisco ASA Firewall with firmware, versions from 9.6(22) to 9.6.3-20, or 9.9.1-4 and newer (SAML does not work with versions from 9.6.4-3 to 9.8.2.24).
  • ASDM software, version 7.8(2) or higher.
  • Rublon Access Gateway

Cisco ASA initial assumptions

  • Can communicate with Rublon Access Gateway.
  • Has a correctly configured “outside” interface.
  • Has its own properly configured SSL certificate (you can check it in: Configuration → Remote Access VPN → Clientless SSL VPN Access → Connection Profiles → Access Certificate → Device Certificate).
  • Enables access to its configuration by Cisco ASDM application.

Configuration

This section will guide you on how to integrate Rublon Access Gateway with Cisco AnyConnect VPN with ASA using SAML as the integration protocol.

Prepare Group Policy

If you have already defined Group Policy for Protocol of type Clientless SSL VPN, there is no need to create a new one. You can skip this step and go to the next one.

Sign in to your Cisco ASA firewall with ASDM

1. Go to the Configuration tab.

2. Select Remote Access VPN (at the bottom of the page).

3. Extend Clientless SSL VPN Access.

4. Select Group Policies.

5. If you already have a Group Policy, you can move to the next chapter. Otherwise, click Add in the window on the right side.

6. Give a name to your Group Policy. Expand More Options in the General section, and uncheck Inherit in the Tunneling Protocols section.

7. In the same section, check Clientless SSL VPN, and/or SSL VPN Client (if you want to use an Anyconnect Client).

8. Click OK.

9. Click Apply to send the changes to Cisco ASA.

Fetch Rublon Access Gateway metadata

1. Sign in to Rublon Access Gateway.

2. Go to Applications → All applications.

3. Click the Download Certificate button.

4. The certificate file (e.g. idp.crt) will be downloaded automatically. Use this file in Cisco ASA. 

5. Copy Entity ID, SSO URL, LOGOUT URL. You will need this data in the next steps.

Import Rublon certificate to Cisco ASA

1. Sign in to ASDM.

2. Go to the Configuration tab.

3. Select Remote Access VPN (at the bottom of the page).

4. Extend Certificate Management.

5. Choose CA Certificates.

6. Click Add.

7. Specify the name (e.g. Rublon), select Install from file, point to the appropriate file (e.g. idp.crt), and click Install Certificate.

8. The certificate will be displayed on the list.

9. Click Apply to send the changes to Cisco ASA.

Create a Connection profile

1. Prepare Entity ID, SSO URL, LOGOUT URL. You can take this data from Rublon Access Gateway.

2. Sign in to ASDM.

3. Choose the Configuration tab.

4. Choose Remote Access VPN (at the bottom of the page).

5. Extend Clientless SSL VPN Access.

6. Choose Connection Profile and click the Add button.

7. Fill in the following fields:

  • Set the Name (e.g. RublonConnectionProfile).
  • Set the Alias (e.g. Rublon).
  • Choose Authentication Method – Saml.
  • Choose the Group Policy you have created before.
  • Check Enable Clientless SSL VPN protocol.

8. Navigate to the SAML Identity Provider section and click Manage.

9. Click Add in the next window, and:

  • In the IDP Entity ID field, insert Entity ID from Rublon Access Gateway.
  • In the Sign in field, insert SSO URL from Rublon Access Gateway.
  • In the Sign Out URL field, insert Logout URL from Rublon Access Gateway.
  • In the Base URL field, enter the address of the interface “outside Cisco ASA”.
  • Identity Provider Certificate – the certificate idP of Rublon Access Gateway which has been imported before (look at Rublon Access Gateway metadata). 
  • Service Provider Certificate – the certificate configured for Cisco ASA in Connection Profiles → Access Certificate → Device Certificate.

10. Click OK.

11. In SAML Identity Provider, choose the SAML Server that has been created before and click OK.

12. Click Apply to send the changes to Cisco ASA.

IMPORTANT!

If you have used a Connection profile configured with an authentication source (e.g. LDAP), and now this authentication source is also configured in Rublon Access Gateway, we recommend you disable this Connection Profile for security reasons.

Create a new application in Rublon Access Gateway

1. Prepare the Service Provider Cisco Asa metadata XML:

  • Open your web browser and go to the location of the Service Provider Cisco ASA metadata: PROTOCOL://HOST/saml/sp/metadata/CONNECTIONPROFILE
    • PROTOCOL – http or https.
    • HOST – the address of the “outside” interface configured in Cisco ASA.
    • CONNECTIONPROFILE – the name of the connection profile configured with SAML Server.
    • Download the XML file by clicking the right mouse button and selecting Save page as…
    • Save the file in an easily accessible location.

2. Import the Service Provider Cisco ASA XML file to Rublon Access Gateway:

  • Sign In to Rublon Access Gateway.
  • Go to the Application tab.
  • In the Add Application subtab in the Configuration file field, select the XML file you have downloaded before.
  • Click the Upload button.

Manage User Accounts

  • Active Directory users’ email addresses must be provided in general settings for each account (General tab, email field) 
  • User accounts within Cisco ASA must be added for the following elements: Remote Access VPN, AAA Local Users, Local Users. Please use the email address as username.

Log in to ASA VPN with Rublon 2FA

1. Open the address of the outside Cisco interface in your web browser to complete the VPN access process.

2. If you’re using multiple Connection profiles, you should choose the one that uses Rublon.

3. Click Sign In.

4. You will be redirected to the Rublon Access Gateway login page.

5. Provide your username and password. Click SIGN IN.  A window should appear with a selection of various 2FA options from Rublon. Let’s choose Mobile Push.

6. You will be sent a push notification.

7. Tap APPROVE.

8. After successful authentication, Rublon will redirect you back to the AnyConnect interface and you will be logged in.

Troubleshooting

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Access Gateway

Rublon Access Gateway – Integrations