09-08-2021 10:05 AM
Working with our VPN team to integrate Cisco ASA with Azure Active Directory/MFA. There is an Azure AD gallery app. That has been installed and enabled for SSO. However, we are experiencing SAML Authentication Request failures. Our VPN team believes this is because we are utilizing VPN/DNS load balancing and SAML authentication is unsupported.
Is this a true limitation?
Thanks
09-08-2021 10:35 AM
It really depends on how you implemented this setup, so please share more details.
If it is plain round-robin DNS, then most likely it is - you could be sending queries from one device, while AAD could resolve it to another one. If you created it via VPN load-balancing, then it will not cause issues, as I already implemented this solution and it works great. You will have to create multiple applications on the AAD side, as each VPN GW will have its own FQDN.
BR,
Milos
09-08-2021 10:58 AM
With VPN load balancing, the members share a common FQDN. I am pretty sure that's not currently supported when using SAML authentication.
09-08-2021 11:09 AM
Members are sharing a common FQDN, but at the same time they must have their own unique FQDNs (which are then used for SAML). I never checked if it is officially supported, but I can tell you that it works. I implemented it and we are using it heavily with one of my customers.
BR,
Milos
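As an added illustration of the setup Milos describes (this is example configuration written for this page, not the poster's own config), the following shows one member of a two-ASA VPN load-balancing cluster. The cluster FQDN, member FQDN, tenant ID, tunnel-group name, trustpoint names and interface names are all placeholders. The point to check in your own deployment is the `base-url`: the ASA builds its SAML SP entity ID and assertion consumer service (ACS) URL from it, so each member must use its own unique FQDN there, and the Azure AD enterprise application for that member must carry the matching Identifier and Reply URL. The shared cluster FQDN is never used in the SAML exchange; with `redirect-fqdn enable` the director sends the client to the member's own FQDN before authentication starts.

```cisco
! --- VPN load balancing: shared cluster FQDN, members redirected to their own FQDN ---
! Assumed: vpn.example.com resolves to the cluster IP 203.0.113.10,
! and vpn1.example.com / vpn2.example.com resolve to each member's outside address.
! redirect-fqdn requires a reverse (PTR) record for each member's outside address.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key <shared-cluster-key>
 redirect-fqdn enable
 participate

! --- SAML IdP definition on member vpn1 (Azure AD tenant <tenant-id>) ---
! The IdP entity ID and sign-in/sign-out URLs come from the Azure AD app's
! "Set up Cisco AnyConnect" section; they are identical on every member.
webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  ! base-url MUST be this member's unique FQDN, not the cluster FQDN.
  ! It yields the SP values that the member's OWN Azure AD app must contain:
  !   Identifier (Entity ID): https://vpn1.example.com/saml/sp/metadata/AAD-TG
  !   Reply URL (ACS):        https://vpn1.example.com/+CSCOE+/saml/sp/acs?tgname=AAD-TG
  base-url https://vpn1.example.com
  trustpoint idp AzureAD-IdP-Cert
  trustpoint sp ASA-vpn1-Cert
  no signature
  no force re-authentication
  timeout assertion 7200

! --- Tunnel group that uses the IdP ---
tunnel-group AAD-TG type remote-access
tunnel-group AAD-TG webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias AAD-TG enable
```

Member vpn2 carries the same load-balancing and IdP stanzas but with `base-url https://vpn2.example.com` and its own SP trustpoint, and is registered in Azure AD as a second enterprise application whose Identifier and Reply URL use vpn2.example.com. A quick consistency check is to fetch `https://vpn1.example.com/saml/sp/metadata/AAD-TG` from each member and compare the `entityID` and `AssertionConsumerService Location` in the returned metadata against what is entered in that member's Azure AD app; a mismatch there is the usual cause of "SAML Authentication Request" failures once the redirect is in place.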
09-08-2021 11:15 AM
Thank you for the responses. Will dig deeper and work with our VPN team. Will provide update.