topic Anyconnect authentication using ADFS SAML in Network Security

Anyconnect authentication using ADFS SAML

Pascal Lacroix — Tue, 23 Mar 2021 14:20:42 GMT

Hi,

for a customer i'm trying to authenticate anyconnect using an AD, but i can't get it work. On the Cisco ASA is see the following messages:

Mar 23 15:02:07 [SAML] consume_assertion: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
Mar 23 15:02:07
[SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed

What do does messages mean? Could it be that the wrong saml idp url is being used or is it something else?

On the ASA we are running 9.8(4)29

Re: Anyconnect authentication using ADFS SAML

Marvin Rhoads — Tue, 23 Mar 2021 17:21:50 GMT

If you made any changes to the SAML section after associating it with your tunnel-group (connection profile in ASDM), you have to remove and re-apply it. The #LassoServer errors are often a result of that issue.

Re: Anyconnect authentication using ADFS SAML

Pascal Lacroix — Wed, 24 Mar 2021 07:28:16 GMT

Hi Marvin,

i already did that by removing and adding the saml identity-provider url in the tunnel-group webvpn-attributes, but that didn't resolve the issue

tunnel-group AD-SAML webvpn-attributes
no saml identity-provider <url>

saml identity-provider <url>

Re: Anyconnect authentication using ADFS SAML

Marvin Rhoads — Thu, 25 Mar 2021 11:00:47 GMT

Is this setup authenticating via an Azure AD instance?

Re: Anyconnect authentication using ADFS SAML

Pascal Lacroix — Fri, 26 Mar 2021 07:25:54 GMT

we are using a local AD for authentication. In the future it will be an Azure AD

Re: Anyconnect authentication using ADFS SAML

Marvin Rhoads — Fri, 26 Mar 2021 08:26:05 GMT

Given that, I would suspect the wrong SAML iDP URL is being used.

Re: Anyconnect authentication using ADFS SAML

Pascal Lacroix — Mon, 29 Mar 2021 14:41:57 GMT

Customer is using a Microsoft ADFS with the following url:

saml idp https://xx.yy.zz/adfs/services/trust

Re: Anyconnect authentication using ADFS SAML

Marvin Rhoads — Tue, 30 Mar 2021 13:20:49 GMT

I've never set it up with on-premise but in Azure it works fine.

I did find this guide for integrating a different app (Atlassian) with on-premise AD FS SAML. You should be able to follow most of the steps in it to work with your ASA:

https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-ad-fs/

Re: Anyconnect authentication using ADFS SAML

SPoodari — Wed, 30 Mar 2022 06:54:56 GMT

Hi Marvin,

i am having issue with integrating Azure MFA with ASA anyconnect.

This vpn1.company.com page can’t be found

No webpage was found for the web address: https://vpn1.company.com/+CSCOE+/SAML/SP/ACS?tgname=Azure-MFA

HTTP ERROR 404

got below from Debugs:

Mar 30 17:29:24 [SAML] get_lasso_signature_method:
Use SHA256 in SAML Request
Mar 30 17:29:24 [SAML] saml_add_config: SAML config added to list

ANy idea what i am missing?

Re: Anyconnect authentication using ADFS SAML

Marvin Rhoads — Wed, 30 Mar 2022 08:26:58 GMT

@SPoodari

It's hard to say without a live troubleshooting session. What procedure did you follow for the setup?

Re: Anyconnect authentication using ADFS SAML

SPoodari — Wed, 30 Mar 2022 15:13:16 GMT

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html
this one
and also the Microsoft one.

Re: Anyconnect authentication using ADFS SAML

SPoodari — Wed, 30 Mar 2022 15:33:16 GMT

ASA# show run webvpn
webvpn
enable airtel
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect enable
saml idp https://sts.windows.net/xxxxxxxxxxxxxxxxxxxx-6b133e33c70e/
url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx6b133e33c70e/saml2
url sign-out https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxx6b133e33c70e/saml2
base-url https://vpn.company.com
trustpoint idp AzureAD-AC-SAML
trustpoint sp ASDM_TrustPoint3
no signature
no force re-authentication
tunnel-group-list enable
cache
disable
error-recovery disable

ASA# show run tunnel-group
tunnel-group Azure-MFA type remote-access
tunnel-group Azure-MFA general-attributes
default-group-policy Azure-MFA-GP
tunnel-group Azure-MFA webvpn-attributes
authentication saml
group-alias Azure-MFA enable
saml identity-provider https://sts.windows.net/xxxxxxxxxxxxxxxxxxx-6b133e33c70e/

Re: Anyconnect authentication using ADFS SAML

SPoodari — Thu, 17 Apr 2025 16:13:51 GMT

I have attached the logs here.

Now my previous issue is cleared.

but now i'm getting Anyconnect "Authentication failed due to unexpected error". after succesful login with Microsoft.