01-08-2023 04:12 AM - edited 01-08-2023 05:10 AM
Hi All,
I have configured Cisco AnyConnect to authenticate with SAML and O365.
When I connect, I am presented with the login page at which point I enter the password and then authenticate from my mobile phone. However, when it's 'authenticated' I get a message saying, 'You are Disconnected. You may now close this browser tab'.
I have also noticed that even though it's gone through, the VPN doesn't actually connect.
The only thing that I have noticed which looks odd to me is that the 'Login URL' and the 'Logout' URL appear to both be the same in the Azure side SAML page.
***Just found this message when authenticating: "Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message." Have tried to re-enable SAML auth in tunnel-group but no luck.***
Thanks for reading and any questions, please let me know.
Steven
01-10-2023 01:50 AM - edited 01-10-2023 02:10 AM
I have also realised that I may also have an issue with my certificate or config. Even though the cert is applied on the ASA, when I try to connect using AnyConnect, I get the message that 'Certificate does not match the server name'
This can be ignored - was because I wasn't connecting via the correct name on the AnyConnect client.
11-10-2024 11:53 PM
Hello Marvin,
I am getting a similar error in the debug saml, [SAML] consume_assertion: assertion is expired or not valid.
I doublechecked the Assertion Consumer Service URL and SP Entity ID, all seems okay.
Any insights? Thanks a lot.
11-11-2024 04:07 AM
Assuming the SAML IDP is using a currently valid certificate (easy enough to check), I would then check the time and date in your firewall.
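The reply above points at the service provider's clock because the ASA rejects an assertion whose Conditions window does not contain its own current time. The following added example (not from this thread or from Cisco) replicates that NotBefore/NotOnOrAfter check on a constructed, trimmed SAML Response so the effect of a skewed firewall clock can be seen directly; the tenant ID, timestamps and the 3-minute skew tolerance are assumed values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace of <saml:Conditions> in a SAML 2.0 assertion (standard value).
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed SAML Response keeping only the elements
# that define the assertion's validity window (tenant ID is a placeholder).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-11-11T09:00:00Z">
    <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
    <saml:Conditions NotBefore="2024-11-11T08:55:00Z" NotOnOrAfter="2024-11-11T10:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime (fractional seconds allowed) into an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_assertion_window(xml_text: str, sp_now: datetime,
                           skew: timedelta = timedelta(minutes=3)) -> dict:
    """Apply the NotBefore/NotOnOrAfter test a service provider performs, using
    the SP's own clock (sp_now) and an assumed tolerated clock skew."""
    root = ET.fromstring(xml_text)
    cond = root.find(".//saml:Conditions", SAML_NS)
    if cond is None:  # no Conditions element means no time restriction at all
        return {"valid": True, "too_early": False, "too_late": False, "detail": "no Conditions"}
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # SAML core 2.5.1.2: NotBefore is inclusive, NotOnOrAfter is exclusive.
    too_early = nb is not None and sp_now + skew < parse_saml_time(nb)
    too_late = noa is not None and sp_now - skew >= parse_saml_time(noa)
    if too_late:
        detail = f"SP clock is {sp_now - parse_saml_time(noa)} past NotOnOrAfter"
    elif too_early:
        detail = f"SP clock is {parse_saml_time(nb) - sp_now} before NotBefore"
    else:
        detail = "within validity window"
    return {"valid": not (too_early or too_late), "too_early": too_early,
            "too_late": too_late, "detail": detail}

if __name__ == "__main__":
    # Same assertion judged by a correct clock, a clock an hour fast, and one an hour slow.
    for t in ("2024-11-11T09:10:00Z", "2024-11-11T11:00:00Z", "2024-11-11T08:00:00Z"):
        print(t, check_assertion_window(SAMPLE_RESPONSE, parse_saml_time(t)))
```

If the firewall's clock is off by more than the skew the SP tolerates, the same assertion the IdP just issued is reported as expired or not yet valid, which is the symptom the debug output above describes.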
11-11-2024 04:55 AM
Thanks for responding. I checked all of them and they looked fine. Then I came across this Cisco bug ID (https://quickview.cloudapps.cisco.com/quickview/bug/CSCvi23605). So deleting the SAML config and reconfiguring worked for me.
Appreciate your quick response.
11-11-2024 05:26 AM
Ah yes, that bug is a pitfall. Newer versions of ASA and ASDM even warn you of it when changing your SAML configuration.
11-11-2024 05:32 AM
11-11-2024 05:45 AM
11-11-2024 05:55 AM
It was explained to me as an issue with the open source Lasso software library that Cisco uses. Like so many open source projects, if it's not actively maintained there are limitations to what can be done. (Of course, Cisco could fork it like they do with OpenSSH, but I guess it's not considered a big enough problem for that.)