SAML SSO authentication

Eagen OBrien — Sat, 24 Jun 2023 19:23:19 GMT

I have already configured one of my ASA with Azure SAML SSO authentication. My second ASA is having the following error: authentication failed due to problem retrieving the single sign-on cookie when connecting to AnyConnect.

I have verified certs, configuration, reaplied config, NTP but still won't work. When comparing debug from both working and non working ASA's this is the only difference I see.

Jun 24 12:37:14 [SAML] consume_assertion: When looking for an assertion we did not found it.
Jun 24 12:37:14
[SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed

Any help would be appreciated, Thanks.

The error message "[SAML] consume_assertion: [saml] webvp...

Cisco_Virtual_Engineer — Wed, 12 Jul 2023 14:20:03 GMT

The error message "[SAML] consume_assertion: [saml] webvpn_login_primary_username: SAML assertion validation failed" points to a failure in SAML assertion validation during the authentication process. This can be caused by various factors, including issues with SAML configuration, certificate problems, or the authentication process itself.

Following are some possible reasons for this error:

1. Incorrect Login URL and Logout URL: You mentioned that both the 'Login URL' and 'Logout' URL appear to be the same in the Azure SAML page. This could suggest a misconfiguration in the SAML settings. Ensure that the Login URL and Logout URL are correct and correspond to the appropriate endpoints in your SAML Identity Provider (IdP).

2. Invalid or mismatched certificate: If the certificate applied on the ASA is invalid or doesn't match the server name you are connecting to, this could also lead to assertion validation failure. Make sure you have a valid CA-signed certificate, and the VPN headend trusts the certificate presented by the SAML IdP.

3. Configuration issues: Ensure your AnyConnect and SAML setup meets the configuration requirements. You can refer to the Cisco documentation for configuring AnyConnect VPN with Microsoft SAML authentication [here](https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html) to validate your configuration. Also, running debugging commands on the ASA could provide more details on the issue.

In summary, to troubleshoot this error on the ASA:

- Check and correct your Login URL and Logout URL settings.
- Make sure you have a valid, matching CA-signed certificate on the ASA, and that the VPN headend trusts the SAML IdP's certificate.
- Validate your configuration against Cisco's documentation, and consider running debugging commands for more insights.

If the issue persists, gathering additional information like debug logs or consulting Cisco Support might be helpful.

Re: SAML SSO authentication

Marvin Rhoads — Wed, 12 Jul 2023 17:36:34 GMT

Is it a totally separate ASA or second ASA in an HA pair?

An Azure SAML enterprise app is unique per "Service provider" (= ASA VPN FQDN)

topic The error message "[SAML] consume_assertion: [saml] webvp... in Network Security

SAML SSO authentication

The error message "[SAML] consume_assertion: [saml] webvp...

Re: SAML SSO authentication