ASA SAML multiple profiles not working

the-lebowski
Level 4

I have a working SAML configuration via OKTA tied to a tunnel-group called tunnel-01.  It has its own entity ID and certificate which works fine.  We have a request for an additional SAML connection profile using OKTA which we have had no luck getting working.  It has its own connection profile (tunnel-02), its own entity ID and cert, and uses a slightly different FQDN with the same domain.

Can I not use different domains?  That is the only thing I can find that is different between the two.  I have tried un-assigning and re-assigning the SAML to the profile and recreating the SAML profile, all to no avail.

WORKING:

 saml idp http://www.okta.com/...........Q0h8
  url sign-in https://vpn-01.okta.com/app/cisco_asa_vpn_saml/.........Q0h8/sso/saml
  url sign-out https://vpn-01.okta.com
  base-url https://vpn-01.somedomain.com
  trustpoint idp okta-saml-01
  trustpoint sp 2026
  no signature
  force re-authentication

[SAML] saml_auth: processing assertion for tg: tunnel-01 with idp_tp: okta-saml-01
[SAML] consume_assertion:
http://www.okta.com/.............Q0h8 user@somedomain.com
[saml] webvpn_login_primary_username: SAML assertion validation succeeded
saml_ac_token_list_add_entry: Pre_auth token: 277222554

NOT WORKING:

 saml idp http://www.okta.com/.............3w0h8
  url sign-in https://vpn-02.okta.com/app/cisco_asa_vpn_saml/.........w0h8/sso/saml
  url sign-out https://vpn-02.okta.com
  base-url https://vpn-02.somedomain.com
  trustpoint idp okta-saml-02
  trustpoint sp 2026
  no signature
  force re-authentication
 tunnel-group-list enable
 cache
  disable
 error-recovery disable

[SAML] consume_assertion: (-201) The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
[SAML] saml_auth: Failed to validate using idp_tp: okta-saml-02
[saml] webvpn_login_primary_username: SAML assertion validation failed saml_get_ac_token_data: Passed SAML token is NULL

Accepted Solution

Blowing away the trustpoint and re-creating it (via CLI) seems to have fixed the issue.  Why or how I don't know, but it's working as it should.

2 Replies

the-lebowski
Level 4

Also getting this error message via ASDM when attempting to auth via vpn-02.

Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message.
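
An added example, not code from the thread, that groups the `debug webvpn saml` lines quoted in the question together with the ASDM message above into per-assertion verdicts: the Lasso (-201) "identifier of a provider is unknown" error is tagged as the assertion Issuer not matching an entity ID registered for that tunnel-group, and the ASDM signature failure as the IdP trustpoint certificate (which is what the accepted answer re-created). The sample lines are reconstructed from this thread with placeholders for the Okta entity-ID path, and the hint labels are assumptions of mine, not ASA terminology.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample: debug lines quoted in the thread plus the reply's ASDM message; entity-ID path and user are placeholders.
SAMPLE_DEBUG = """\
[SAML] saml_auth: processing assertion for tg: tunnel-01 with idp_tp: okta-saml-01
[SAML] consume_assertion:
http://www.okta.com/ENTITY-ID-1 user@somedomain.com
[saml] webvpn_login_primary_username: SAML assertion validation succeeded
[SAML] consume_assertion: (-201) The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
[SAML] saml_auth: Failed to validate using idp_tp: okta-saml-02
Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message.
"""
RE_START = re.compile(r"processing assertion for tg: (\S+) with idp_tp: (\S+)")
RE_ERROR = re.compile(r"consume_assertion: \((-?\d+)\) (.*)")            # Lasso error with a code
RE_ASDM = re.compile(r"Failed to consume SAML assertion\. reason: (.*)")  # ASDM wording, no code
RE_ISSUER = re.compile(r"^(https?://\S+)\s+\S+@\S+$")                     # "<Issuer> <NameID>" line
RE_FAIL = re.compile(r"Failed to validate using idp_tp: (\S+)")
HINTS = {"identifier of a provider is unknown": "issuer-not-registered",  # Issuer != 'saml idp' entity ID on the tunnel-group
         "cannot verify a signature": "idp-signature"}                    # cert in 'trustpoint idp' does not verify the message
classify = lambda reason: next((h for k, h in HINTS.items() if k in reason), "unclassified")

@dataclass
class Attempt:
    tunnel_group: Optional[str] = None
    idp_tp: Optional[str] = None
    issuer: Optional[str] = None
    ok: Optional[bool] = None        # None = no verdict seen yet
    lasso_code: Optional[int] = None
    hint: Optional[str] = None

def parse_saml_debug(text: str) -> list:
    attempts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_START.search(line):
            cur = Attempt(tunnel_group=m.group(1), idp_tp=m.group(2)); attempts.append(cur)
        elif m := RE_ERROR.search(line):
            if cur is None or cur.ok is not None:  # error with no open attempt, as in the thread's output
                cur = Attempt(); attempts.append(cur)
            cur.lasso_code, cur.hint = int(m.group(1)), classify(m.group(2))
        elif m := RE_ASDM.search(line):
            cur = Attempt(ok=False, hint=classify(m.group(1))); attempts.append(cur)
        elif (m := RE_ISSUER.match(line)) and cur is not None:
            cur.issuer = m.group(1)
        elif (m := RE_FAIL.search(line)) and cur is not None:
            cur.idp_tp, cur.ok = m.group(1), False
        elif "assertion validation succeeded" in line and cur is not None:
            cur.ok = True
    return attempts
```

Comparing the `issuer` captured for the working profile against the `saml idp` entity ID bound to the failing tunnel-group is the first check to run when the hint is `issuer-not-registered`.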
