topic Re: Anyconnect with SAML connection issue in Network Security

Anyconnect with SAML connection issue

StevenEdmunds6666 — Sun, 08 Jan 2023 13:10:32 GMT

Hi All,

I have configured Cisco AnyConnect to authenticate with SAML and O365.

When I connect, I am presented with the login page at which point I enter the password and then authenticate from my mobile phone. However, when it's 'authenticated' I get a message saying, 'You are Disconnected. You may now close this browser tab'.

I have also noticed that even though it's gone through, the VPN doesn't actually connect.

The only thing that I have noticed which looks odd to me is that the 'Login URL' and the 'Logout' URL appear to both be the same in the Azure side SAML page.

***Just found this message when authenticating: "Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message." Have tried to re-enable SAML auth in tunnel-group but no luck.***

Thanks for reading and any questions, please let me know.

Steven

Re: Anyconnect with SAML connection issue

balaji.bandi — Sun, 08 Jan 2023 13:12:25 GMT

check and validate the config as per below document or post the config here :

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

as suggest bottom of the page run debug to get what causing the issue.

Re: Anyconnect with SAML connection issue

StevenEdmunds6666 — Sun, 08 Jan 2023 13:27:34 GMT

Thank you for this; I have run the 4 debug commands from the bottom and produced the following results:

Steven

Re: Anyconnect with SAML connection issue

balaji.bandi — Sun, 08 Jan 2023 14:15:26 GMT

[saml] webvpn_login_primary_username: SAML assertion validation failed

check the below thread may help to fix

https://community.cisco.com/t5/vpn/anyconnect-authentication-using-microsoft-adfs-saml/td-p/3479195

Re: Anyconnect with SAML connection issue

StevenEdmunds6666 — Sun, 08 Jan 2023 16:46:34 GMT

Thanks BB, I think I'm getting closer to it but have a question regarding the SAML metadata XML.

Compared to the one provided in the article you provided, the only that I can see that's different is the section head 'SPSSODescriptor' returns as 'AuthnRequestsSigned="false"' whereas their returns as 'true'.

I have included if you wish to see...

On top of that, as I go further into the article, it suggests that I need to configure a SAML 2.0 IDP but I'm not sure where in the process this should be going when following the article in your first response.

Just as a sidenote, do I need a vaild SSO cert or can I get away with using the router signed? Currently testing without one.

Steven

Re: Anyconnect with SAML connection issue

balaji.bandi — Sun, 08 Jan 2023 19:58:58 GMT

Follow below video

https://www.youtube.com/watch?v=bSGjeJotO2s

Still having issues, post the config from ASA, and new debug logs.

Re: Anyconnect with SAML connection issue

StevenEdmunds6666 — Mon, 09 Jan 2023 00:44:32 GMT

Thanks for the link BB.

I followed it and still seem to be hitting the same road block. I have attached the config and the debugs.
I did see that it could be related to the following but not 100% sure: CSCvi23605 : Bug Search Tool (cisco.com)

Steven

Re: Anyconnect with SAML connection issue

Marvin Rhoads — Mon, 09 Jan 2023 03:33:43 GMT

You need a valid CA-signed certificate on the VPN headend. Also, your headend needs to trust the certificate being presented by the SAML iDP.

Re: Anyconnect with SAML connection issue

StevenEdmunds6666 — Mon, 09 Jan 2023 09:38:11 GMT

Hi Marvin,

Apologies for the lack of understanding. When you say a valid 'CA-signed Certificate', are you referring to an SSL certificate for the domain like 'vpn.domain.com'? Is this what I'm after: Configure ASA: SSL Digital Certificate Installation and Renewal - Cisco

Thanks.

Steven

Re: Anyconnect with SAML connection issue

Marvin Rhoads — Mon, 09 Jan 2023 13:04:55 GMT

@StevenEdmunds6666 stepping back a bit, when an ASA requests authentication be handled by a SAML identity provider (iDP) it contacts the iDP server via SSL/TLS. in doing so, it needs to trust the iDP's certificate. That's one part of the puzzle.

After the SAML iDP interacts with the user to authenticate them, it contacts the ASA to tell it the authentication is complete (or failed, as the case may be). In that piece, the ASA (acting as the "Service Provider" in SAML terms) is the server whose certificate must be trusted by the iDP. So the ASA (or FTD or router - whatever is acting as the VPN headend) needs to have a proper certificate signed by a well-known public Certificate Authority (CA) so that the communication from the iDP to the ASA is likewise trusted and secured.

The document you linked is indeed one that provides instructions on how to acquire and install a certificate on your ASA.

Re: Anyconnect with SAML connection issue

StevenEdmunds6666 — Tue, 10 Jan 2023 09:13:48 GMT

Hi Marvin,

I tried to install the certificate via the GUI using the documentation under the heading 'CA Certificates' and giving the Trustpoint name. However, I get the attached error.

I was however, still able to install it against the identity I had used to generate the CSR and against the outside interface under the SSL settings.

Can I continue even with the problem I ran into or by not addressing it, will I make it harder for myself?
I have also included the running config so you can see it.

Thanks,

Steven

Re: Anyconnect with SAML connection issue

StevenEdmunds6666 — Tue, 10 Jan 2023 10:10:35 GMT

I have also realised that I may also have an issue with my certificate or config. Even though the cert is applied on the ASA, when I try to connect using AnyConnect, I get the message that 'Certificate does not match the server name'

This can be ignored - was because I wasn't connecting via the correct name on the AnyConnect client.

Re: Anyconnect with SAML connection issue

Marvin Rhoads — Tue, 10 Jan 2023 12:45:14 GMT

I read lately that Digicert's issuing template can cause that error you saw. It looks like your portal is OK.

Is SAML still not working for you? I don't see the SAML config stanzas in the running-config that you shared.

Re: Anyconnect with SAML connection issue

StevenEdmunds6666 — Tue, 10 Jan 2023 14:20:52 GMT

@Marvin Rhoads that config was pre-MFA when I was having an issue installing the CA cert.

I am indeed still running into the same issue. I have attached the latest config with the debugs.
I have tried everything from recreating the SAML cert on the 365 end and even resetting the config back to an earlier point in time and going through the whole config again.

These are the errors I'm seeing from the debug webvpn saml 255:
[Lasso] func=xmlSecKeyDuplicate:file=keys.c:line=670:obj=unknown
Jan 10 11:20:51 [SAML] consume_assertion: The profile cannot verify a signature on the message
[saml] webvpn_login_primary_username: SAML assertion validation failed

Re: Anyconnect with SAML connection issue

Marvin Rhoads — Tue, 10 Jan 2023 15:19:42 GMT

In my experience, the error "consume_assertion: The profile cannot verify a signature on the message" is almost always due to not having the iDP's certificate installed on the ASA as a trusted CA. I'd double check that and let us know.

Re: Anyconnect with SAML connection issue

StevenEdmunds6666 — Wed, 11 Jan 2023 22:17:02 GMT

Hi Marvin,

Thanks for your assistance on this one. Tuned out to be a combination of a few things but these are the steps used to resolve the issue.

I made a mistake in the CA certificate when reissuing which meant it wasn't looking at 'vpn.companydomain.com'
I ended up removing the crypto ca trustpoint AzureAD-AC-SAML and adding the certificate back in from Microsoft again
I also had to re-run the command that sets the IDP and SP to MS and local Trustpoint after removing and having to reapply the certificate

Re: Anyconnect with SAML connection issue

engineer467 — Mon, 11 Nov 2024 07:53:09 GMT

Hello Marvin,

I am getting a similar error in the debug saml, [SAML] consume_assertion: assertion is expired or not valid.

I doublechecked the Assertion Consumer Service URL and SP Entity ID, all seems okay.

Any insights? Thanks a lot.

Re: Anyconnect with SAML connection issue

Marvin Rhoads — Mon, 11 Nov 2024 12:07:38 GMT

@engineer467

Assuming the SAML IDP is using a currently valid certificate (easy enough to check), I would then check the time and date in your firewall.

Re: Anyconnect with SAML connection issue

engineer467 — Mon, 11 Nov 2024 12:55:15 GMT

Hello Marvin,

Thanks for responding. I checked all of them and they looked fine. Then I
came across this cisco bug id (
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvi23605). So
deleting the SAML config and reconfiguring worked for me. 🙂
Appreciate your quick response.

Re: Anyconnect with SAML connection issue

Marvin Rhoads — Mon, 11 Nov 2024 13:26:16 GMT

Ah yes, that bug is a pitfall. Newer versions of ASA and ASDM even warn you of if when changing your SAM configuration.