The error message "[SAML] consume_assertion: [saml] webvpn_login_primary_username: SAML assertion validation failed" points to a failure in SAML assertion validation during the authentication process. This can be caused by various factors, including issues with SAML configuration, certificate problems, or the authentication process itself.
Following are some possible reasons for this error:
1. Incorrect Login URL and Logout URL: You mentioned that both the 'Login URL' and 'Logout' URL appear to be the same in the Azure SAML page. This could suggest a misconfiguration in the SAML settings. Ensure that the Login URL and Logout URL are correct and correspond to the appropriate endpoints in your SAML Identity Provider (IdP).
2. Invalid or mismatched certificate: If the certificate applied on the ASA is invalid or doesn't match the server name you are connecting to, this could also lead to assertion validation failure. Make sure you have a valid CA-signed certificate, and the VPN headend trusts the certificate presented by the SAML IdP.
3. Configuration issues: Ensure your AnyConnect and SAML setup meets the configuration requirements. You can refer to the Cisco documentation for configuring AnyConnect VPN with Microsoft SAML authentication [here](https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html) to validate your configuration. Also, running debugging commands on the ASA could provide more details on the issue.
In summary, to troubleshoot this error on the ASA:
- Check and correct your Login URL and Logout URL settings.
- Make sure you have a valid, matching CA-signed certificate on the ASA, and that the VPN headend trusts the SAML IdP's certificate.
- Validate your configuration against Cisco's documentation, and consider running debugging commands for more insights.
If the issue persists, gathering additional information like debug logs or consulting Cisco Support might be helpful.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
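The "SAML assertion validation failed" message is terse, so it helps to see what a service provider actually checks before accepting an assertion. The script below is an added example, not code from the original post, from Cisco, or from the ASA itself: it implements the standard SAML 2.0 checks a relying party performs (Destination and Recipient against the ACS/login URL, Issuer against the configured IdP entity ID, Audience against the SP entity ID, and the NotBefore/NotOnOrAfter window with a small clock-skew allowance) using only the Python standard library. The sample response, the tenant ID, the `vpn.example.com` host, the tunnel-group name and the URL values are constructed; the ASA's internal validation order is not documented on this page, and XML signature verification against the IdP certificate (the certificate issue in point 2) is deliberately out of scope here because it needs an XML-DSig library.

```python
# Added example: minimal SAML 2.0 assertion validator mirroring the checks an
# SP (such as a VPN headend) applies. All names and values are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample response (hypothetical tenant, host and tunnel group).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=VPN_TG">
  <saml2:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml2:Issuer>
  <saml2:Assertion>
    <saml2:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>alice@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
            Recipient="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=VPN_TG"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://vpn.example.com/saml/sp/metadata/VPN_TG</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# What the SP side is configured to expect (hypothetical values).
EXPECTED = dict(
    expected_issuer="https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    expected_audience="https://vpn.example.com/saml/sp/metadata/VPN_TG",
    expected_acs="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=VPN_TG",
)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def parse_utc(stamp):
    """SAML timestamps are ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, expected_acs,
                       now, skew=timedelta(seconds=60)):
    """Return a list of failure reasons; an empty list means the assertion passed."""
    failures = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion element"]

    # 1. Destination and bearer Recipient must equal this SP's ACS (login) URL.
    #    A mismatched Login URL on the IdP side shows up here.
    dest = root.get("Destination")
    if dest != expected_acs:
        failures.append(f"Destination {dest!r} != ACS URL {expected_acs!r}")
    scd = assertion.find(
        "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_acs:
        failures.append(f"Recipient {recipient!r} != ACS URL {expected_acs!r}")

    # 2. Issuer must match the IdP entity ID exactly (trailing slash included).
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        failures.append(f"Issuer {issuer!r} != configured IdP {expected_issuer!r}")

    # 3. The assertion must be addressed to this SP.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if expected_audience not in audiences:
        failures.append(f"Audience {audiences!r} does not include {expected_audience!r}")

    # 4. Validity window, tolerating a little clock skew between IdP and SP.
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        failures.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < parse_utc(cond.get("NotBefore")) - skew:
            failures.append("assertion not yet valid (check SP clock / NTP)")
        if cond.get("NotOnOrAfter") and now >= parse_utc(cond.get("NotOnOrAfter")) + skew:
            failures.append("assertion expired (check SP clock / NTP)")
    return failures


def run_checks():
    """Validate the sample three ways: correct config, wrong ACS URL, SP clock off."""
    bad_acs = dict(EXPECTED,
                   expected_acs="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=OTHER_TG")
    return {
        "ok": validate_assertion(SAMPLE_RESPONSE, now=NOW, **EXPECTED),
        "wrong_acs": validate_assertion(SAMPLE_RESPONSE, now=NOW, **bad_acs),
        "clock_off": validate_assertion(SAMPLE_RESPONSE, now=NOW + timedelta(hours=1), **EXPECTED),
    }


if __name__ == "__main__":
    for label, result in run_checks().items():
        print(label, "->", result or "assertion accepted")
```

Running it shows the correct configuration passing, the wrong ACS URL failing on both Destination and Recipient (the same two fields an incorrect Login URL on the IdP side breaks), and a one-hour clock offset failing only the validity window, which is why checking NTP on the headend belongs in the same troubleshooting pass as the URL and certificate checks.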