topic Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML in Network Security

ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Manish Manwal — Mon, 07 Mar 2022 16:43:35 GMT

we configure ASA AnyConnect VPN with Microsoft Azure MFA through SAML. when we connect VPN its given an error "Authentication failed due to problem retrieving the single sign-on cookie". we have done below troubleshooting.

Restart the ASA.
Log in to the ASA via CLI and verify time by issuing the command Show Clock.
- If the time is not correct, verify your NTP time sync configuration.
Set the SAML Identity provider to none, and then set it back to your configured SAML IdP.
Remove the SAML configuration from the tunnel group on the ASA, save the configuration temporarily without the SAML configuration.
Re-enable SAML Auth in tunnel group via the following commands in the CLI using your Entity ID:
- ciscoasa(config-tunnel-webvpn)# no saml identity-provider https://
- ciscoasa(config-tunnel-webvpn)# saml identity-provider https://
- debug the Webvpn and its showing "

webvpn_login_primary_username: SAML assertion validation failed
[SAML] consume_assertion: The profile cannot verify a signature on the message"

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Rob Ingram — Mon, 07 Mar 2022 16:49:15 GMT

@Manish Manwal judging by the error "cannot verify a signature on the message" - I wonder if the certificate used is not trusted and you've not imported?

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Manish Manwal — Mon, 07 Mar 2022 17:00:49 GMT

hi Rob,

identity provider and service provider both certificate has imported in firewall and both are valid til November

i can also see below error in debug. can you help here ?

func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
.

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Marvin Rhoads — Tue, 08 Mar 2022 04:42:20 GMT

It's usually due to the Azure certificate having changed. Microsoft updates the certificate when you finalize the app setup in Azure. Double check that the certificate you imported on the ASA is the same one currently presented by Azure.

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Manish Manwal — Tue, 08 Mar 2022 10:32:12 GMT

Hi Marvin,

certificate is same, i also download latest certificate and imported to ASA. but same issue.

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Manish Manwal — Tue, 08 Mar 2022 10:49:35 GMT

after import certificate and disable and re enable SAML identity provider, we not receive above error, now we getting "login Denied" error.

can you help here. below is the debug logs

saml_ac_token_remove: SAML ac token being looked 73289FA84675DBCB096DB69
saml token ID 73289FA84675DBCB096DB69 removed from table
[SAML] saml_is_idp_internal: getting SAML config for tg SSL-VPN
#0x00007fb121de6290 (GET). Request line:/+webvpn+/webvpn_logout.html
#0x00007fb121de6290 Hand-off to emWeb.

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Marvin Rhoads — Tue, 08 Mar 2022 12:29:51 GMT

"Login denied" is typically something on the iDP side. You should be able to check the logs there for more details.

I have seen some people successfully use Fiddler app to debug the https communications between the client and iDP during a SAML authentication process.

https://docs.telerik.com/fiddler/configure-fiddler/tasks/decrypthttps

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Manish Manwal — Wed, 09 Mar 2022 10:41:17 GMT

i cant find any error in fiddler regarding vpn error.

one more error we are getiing in debuging : Dynamic access policy terminated the connection.

but no policy created yet for remote vpn

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Serpent2010 — Fri, 07 Oct 2022 00:36:12 GMT

I have the SAML authentication taking extreme delay to load the username page, password entry, then verification.

All that takes 7 minutes but at the end is connected with no slowness or asp drops.

Any idea?

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Eagen OBrien — Sat, 24 Jun 2023 19:16:48 GMT

I am having same issue. Anyconnect authentication failed due to problem retrieving the single sign-on cookie. Configuration is correct, Certs are correct, re-apply config,etc.. One of my ASA is working but the other is having the issue. I get this from debug.

Jun 24 12:37:14 [SAML] consume_assertion: When looking for an assertion we did not found it.
Jun 24 12:37:14
[SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed

any help would be appreciated.

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Serpent2010 — Sat, 24 Jun 2023 21:15:37 GMT

Do traffic capture and see the traffic flow behavior.
The root cause for my case was that the firewall blocked a Microsoft website that was used for the authentication process for SAML.
The website was blocked because the website was not listed in MS documentation of SAML’s firewall requirements.
So, I did multiple captures for many users when I noticed all of them trying to reach that website. I opened the ports for that website and immediately fixed it.

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Eagen OBrien — Sun, 25 Jun 2023 00:56:29 GMT

Verified, and just to make sure I set allow any any to make sure I am not blocking anything and still same issue.

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Manish Manwal — Tue, 15 Aug 2023 11:54:33 GMT

check if there is any DAP configured in ASA

Re: ASA AnyConnect VPN with Microsoft Azure MFA through SAML

Manish Manwal — Tue, 15 Aug 2023 11:55:30 GMT

i resolved this issue by removing Dynamic access policy from ASA.