Anyconnect authentication using ADFS SAML

Pascal Lacroix
Beginner

Hi,

For a customer I'm trying to authenticate AnyConnect using an AD, but I can't get it to work. On the Cisco ASA I see the following messages:

Mar 23 15:02:07 [SAML] consume_assertion: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
Mar 23 15:02:07 [SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed

What do these messages mean? Could it be that the wrong SAML IdP URL is being used, or is it something else?

On the ASA we are running 9.8(4)29.

12 Replies

Marvin Rhoads
VIP Community Legend

If you made any changes to the SAML section after associating it with your tunnel-group (connection profile in ASDM), you have to remove and re-apply it. The #LassoServer errors are often a result of that issue.

Pascal Lacroix
Beginner

Hi Marvin,

I already did that by removing and adding the saml identity-provider URL in the tunnel-group webvpn-attributes, but that didn't resolve the issue:

tunnel-group AD-SAML webvpn-attributes
 no saml identity-provider <url>
 saml identity-provider <url>

Marvin Rhoads
VIP Community Legend

Is this setup authenticating via an Azure AD instance?

We are using a local AD for authentication. In the future it will be an Azure AD.

Given that, I would suspect the wrong SAML IdP URL is being used.
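The two pieces of advice in this thread (re-apply the `saml identity-provider` binding on the tunnel-group after touching the `webvpn` SAML block, and check whether the IdP URL is wrong) both come down to one identity string appearing in three places: the `saml idp <entityID>` block under `webvpn`, the `saml identity-provider <entityID>` line in the tunnel-group, and the `<saml:Issuer>` inside the assertion ADFS posts back to the ASA. The script below is an added example, not code from the thread or from Cisco; it parses a constructed ASA config excerpt and a constructed, unsigned SAMLResponse and reports any of those three that disagree. The hostnames `sts.example.com` and `vpn.example.com`, the trustpoint names, and the ADFS-style entity ID `http://<fqdn>/adfs/services/trust` are assumptions; only the tunnel-group name AD-SAML comes from the post. To use it against a real deployment, paste in `show running-config webvpn` plus the tunnel-group, and the base64 SAMLResponse value captured from the browser's POST back to the ASA.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Added example, not Cisco's code. Cross-checks the three places one IdP
# identity appears: 'saml idp <entityID>' under webvpn, the tunnel-group's
# 'saml identity-provider <entityID>', and the <saml:Issuer> of the assertion.
SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed ASA config excerpt (hostnames and trustpoint names are made up;
# AD-SAML is the tunnel-group name from the thread). The tunnel-group line
# carries a trailing slash that the 'saml idp' entity ID does not.
ASA_CONFIG = """\
webvpn
 saml idp http://sts.example.com/adfs/services/trust
  url sign-in https://sts.example.com/adfs/ls/
  url sign-out https://sts.example.com/adfs/ls/?wa=wsignout1.0
  base-url https://vpn.example.com
  trustpoint idp ADFS-TOKEN-SIGNING
  trustpoint sp ASA-SSL-CERT
tunnel-group AD-SAML type remote-access
tunnel-group AD-SAML webvpn-attributes
 authentication saml
 saml identity-provider http://sts.example.com/adfs/services/trust/
"""


def parse_asa_saml_config(config):
    """Return (set of 'saml idp' entity IDs, {tunnel-group: bound entity ID})."""
    defined, referenced, current_tg = set(), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command: (re)set context
            m = re.match(r"tunnel-group (\S+) webvpn-attributes$", line)
            current_tg = m.group(1) if m else None
            continue
        stripped = line.strip()
        m = re.match(r"saml idp (\S+)$", stripped)
        if m:
            defined.add(m.group(1))
        m = re.match(r"saml identity-provider (\S+)$", stripped)
        if m and current_tg:
            referenced[current_tg] = m.group(1)
    return defined, referenced


def saml_response_issuer(saml_response_b64):
    """Decode a SAMLResponse form value and return its assertion's Issuer.

    Plain (unencrypted) assertions only; an EncryptedAssertion would need the
    SP key first. Signatures are not verified here, this is a config check.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.find("saml:Assertion/saml:Issuer", SAML_NS)
    if issuer is None:
        issuer = root.find("saml:Issuer", SAML_NS)   # response-level fallback
    if issuer is None or not issuer.text:
        raise ValueError("SAMLResponse carries no Issuer")
    return issuer.text.strip()


def check_idp_binding(config, tunnel_group, saml_response_b64):
    """Return findings (empty list = consistent). Comparison is an exact string
    match: a trailing slash or http/https difference is a different identifier."""
    defined, referenced = parse_asa_saml_config(config)
    findings = []
    tg_idp = referenced.get(tunnel_group)
    if tg_idp is None:
        findings.append(f"{tunnel_group}: no 'saml identity-provider' line")
    elif tg_idp not in defined:
        findings.append(f"{tunnel_group}: bound to '{tg_idp}', not a defined 'saml idp'")
    issuer = saml_response_issuer(saml_response_b64)
    if issuer not in defined:
        findings.append(f"assertion Issuer '{issuer}' matches no 'saml idp' entity ID")
    if tg_idp is not None and issuer != tg_idp:
        findings.append(f"assertion Issuer '{issuer}' != tunnel-group binding '{tg_idp}'")
    return findings


def build_sample_saml_response(issuer):
    """Constructed, unsigned SAMLResponse for offline use (a real one is signed)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    resp = build_sample_saml_response("http://sts.example.com/adfs/services/trust")
    for finding in check_idp_binding(ASA_CONFIG, "AD-SAML", resp):
        print("MISMATCH:", finding)
    fixed = ASA_CONFIG.replace("services/trust/", "services/trust")
    print("after re-binding:", check_idp_binding(fixed, "AD-SAML", resp) or "consistent")
```

With the constructed config the script reports two mismatches (the tunnel-group is bound to an entity ID that no `saml idp` block defines, and the assertion's Issuer differs from that binding); after the tunnel-group line is removed and re-added with the exact `saml idp` entity ID it reports none. An Issuer that matches nothing at all points at the other cause discussed above, an IdP URL that is simply wrong.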