https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461873#M1083447 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1244396">@stevensharamatew</a>,</P><P>It really depends on how you implemented this setup, so please share more details.</P><P>If it is plain round-robin DNS, then most likely it is - you could be sending queries from one device, while AAD could resolve it to another one. If you created it via <A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-ha.html#id_61718" target="_self">VPN load-balancing</A>, then it will not cause issues, as I already implemented this solution and it works great. You will have to create multiple applications on AAD side, as each VPN GW will have its on FQDN.</P><P>BR,</P><P>Milos</P> Wed, 08 Sep 2021 17:35:18 GMT Milos_Jovanovic 2021-09-08T17:35:18Z https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461854#M1083446 <P>Working with our VPN team to integrate Cisco ASA with Azure Active Directory/MFA.&nbsp; There is a Azure AD gallery app.&nbsp; That has been installed and enabled for SSO.&nbsp; However, we are experiencing SAML Authentication Request failures.&nbsp; Our VPN team believes this is because we are utilizing VPN/DNS load balancing and SAML authentication is unsupported.<BR />Is this a true limitation?&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Wed, 08 Sep 2021 17:05:45 GMT https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461854#M1083446 stevensharamatew 2021-09-08T17:05:45Z https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461873#M1083447 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1244396">@stevensharamatew</a>,</P><P>It really depends on how you implemented this setup, so please share more details.</P><P>If it is plain round-robin DNS, then most likely it is - you could be sending queries from one device, while AAD could resolve it to another one. If you created it via <A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-ha.html#id_61718" target="_self">VPN load-balancing</A>, then it will not cause issues, as I already implemented this solution and it works great. You will have to create multiple applications on AAD side, as each VPN GW will have its on FQDN.</P><P>BR,</P><P>Milos</P> Wed, 08 Sep 2021 17:35:18 GMT https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461873#M1083447 Milos_Jovanovic 2021-09-08T17:35:18Z https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461893#M1083452 <P>With VPN load balancing, the members share a common FQDN. I am pretty sure that's not currently supported when using SAML authentication.</P> Wed, 08 Sep 2021 17:58:00 GMT https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461893#M1083452 Marvin Rhoads 2021-09-08T17:58:00Z https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461901#M1083455 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>&nbsp;</P><P>Members are sharing common FQDN, but at the same time they must have their own unique FQDNs (which are then used for SAML). I never check if it is officially supported, but I can tell you that it works. I implemented it and we are using it heavilly with one of my customers.</P><P>BR,</P><P>Milos</P> Wed, 08 Sep 2021 18:09:23 GMT https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461901#M1083455 Milos_Jovanovic 2021-09-08T18:09:23Z https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461905#M1083457 <P>Thank you for the responses.&nbsp; Will dig deeper and work with our VPN team.&nbsp; Will provide update.</P><P>&nbsp;</P> Wed, 08 Sep 2021 18:15:23 GMT https://community.cisco.com/t5/network-security/cisco-asa-azure-active-directory-saml-limitations-issues/m-p/4461905#M1083457 stevensharamatew 2021-09-08T18:15:23Z