Cisco ACI 3.0 SAML (or LDAP…or TACACS) and the CiscoAVPair value

Recently I’ve been building my first ACI installation.  We’re doing it on our own and I’m reaching out to TAC and a key friend for help if I get stuck on anything that googling doesn’t solve.  It’s been going pretty well actually and have only run into a few snags (which I will document here in other posts).

Our plan for this first build is to make a few critical things work properly and then blow the whole thing away and rebuild it using as much scripting as possible.  It’s a great way to learn new tech.

One of our final tasks was to get authentication working and our systems team would love to move as many things to SSO/SAML as possible, so that was the thing to implement on the ACI admin pages.  Here’s the problem we’ve had: you need to return a specific value for “CiscoAVPair” and man, it’s hard to find documentation that isn’t all screwed up on the format, because it matters…A LOT.

First off the variable name is “CiscoAVPair” (no quotes).  NOT “ciscoAVpair” or “CiscoAVpair” or “CiscoAvPair”  or “Cisco-avpair” I’ve found documents (yes, from Cisco) with all those different capitalization.

Second thing is the value of the string:

shell:domains=all/admin/

No spaces and make sure to get that slash in at the end.  “all” is the security domain and “admin” is the role.

Leave a Reply

Your email address will not be published. Required fields are marked *