hi Rob,

identity provider and service provider both certificate has imported in firewall and both are valid til November

i can also see below error in debug. can you help here ?

func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
.

It's usually due to the Azure certificate having changed. Microsoft updates the certificate when you finalize the app setup in Azure. Double check that the certificate you imported on the ASA is the same one currently presented by Azure.

Hi Marvin,

certificate is same, i also download latest certificate and imported to ASA. but same issue.

after import certificate and disable and re enable SAML identity provider, we not receive above error, now we getting "login Denied" error.

can you help here. below is the debug logs

saml_ac_token_remove: SAML ac token being looked 73289FA84675DBCB096DB69
saml token ID 73289FA84675DBCB096DB69 removed from table
[SAML] saml_is_idp_internal: getting SAML config for tg SSL-VPN
#0x00007fb121de6290 (GET). Request line:/+webvpn+/webvpn_logout.html
#0x00007fb121de6290 Hand-off to emWeb.

i cant find any error in fiddler regarding vpn error.

one more error we are getiing in debuging : Dynamic access policy terminated the connection.

but no policy created yet for remote vpn

Do traffic capture and see the traffic flow behavior.
The root cause for my case was that the firewall blocked a Microsoft website that was used for the authentication process for SAML.
The website was blocked because the website was not listed in MS documentation of SAML’s firewall requirements.
So, I did multiple captures for many users when I noticed all of them trying to reach that website. I opened the ports for that website and immediately fixed it.

Verified, and just to make sure I set allow any any to make sure I am not blocking anything and still same issue.

check if there is any DAP configured in ASA