07-03-2023 05:59 AM
Hi All
I am having issues getting Duo SSO to work on my Cisco ASA. The error we are getting is below; it says assertion failed with the below error.
Any ideas what this could be?
Jun 26 10:13:11 [SAML] consume_assertion: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
Jun 26 10:13:11 [SAML] consume_assertion:
07-03-2023 09:41 AM
Usually it means the identity provider (IdP - Duo in this case) certificate is not properly installed or bound to the SAML SSO definition in your webvpn section.
The Duo documentation for setting this up is quite thorough. Have you followed it exactly? Reference: https://duo.com/docs/sso-ciscoasa
Also note: if you make any changes to the SSO definition on ASAs, you must remove and re-add it to the tunnel group to update the binding in Lasso (the open source library used for the SAML SSO implementation on ASAs and FTDs).
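A troubleshooting aid for the error discussed in this thread, added here as an example and not part of either post or of Cisco's or Duo's tooling: it decodes a base64 SAMLResponse captured from debug output, tolerates a cut-off blob, and compares the Issuer and Destination with what the service provider is configured to expect. The sample response, host names, IDs and tunnel-group name are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; hosts, IDs and tunnel-group name are placeholders.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Destination="https://vpn.example.test/+CSCOE+/saml/sp/acs?tgname=EXAMPLE" '
    'InResponseTo="_req1"><saml:Issuer>https://idp.example.test/saml2/metadata'
    '</saml:Issuer><samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def decode_response(b64_text):
    """Decode a SAMLResponse blob, tolerating line wraps and a cut-off tail."""
    cleaned = re.sub(r"\s+", "", b64_text)
    cleaned = cleaned[: len(cleaned) - len(cleaned) % 4]  # drop partial quantum
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")

def extract_fields(xml_text):
    """Return Issuer, Destination and InResponseTo of the Response element."""
    try:
        root = ET.fromstring(xml_text)
        return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
                "destination": root.get("Destination"),
                "in_response_to": root.get("InResponseTo"), "truncated": False}
    except ET.ParseError:
        # Debug output was cut mid-document: fall back to pattern matching.
        def grab(pattern):
            m = re.search(pattern, xml_text)
            return m.group(1) if m else None
        return {"issuer": grab(r"<(?:\w+:)?Issuer[^>]*>([^<]+)<"),
                "destination": grab(r'\bDestination="([^"]+)"'),
                "in_response_to": grab(r'\bInResponseTo="([^"]+)"'),
                "truncated": True}

def check_against_config(fields, idp_entity_id, sp_acs_url):
    """Compare response fields with what the SP is configured to expect."""
    findings = []
    if fields["issuer"] != idp_entity_id:
        findings.append("Issuer differs from the configured IdP entity ID")
    if fields["destination"] != sp_acs_url:
        findings.append("Destination differs from the SP ACS URL")
    return findings
```

An empty findings list means the identifiers line up, which points back at the certificate or the tunnel-group binding mentioned in the reply above.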