08-16-2022 04:27 PM
I've been stymied for weeks on this "Authentication failed due to problem retrieving the single sign-on cookie". TAC helped me track it down to a certificate mismatch. My AWS engineer generated a new cert and this time the output looks closer to my working ASA for the CN. Running debug during the login attempt I see errors: "Consume assertion: Failed to verify signature" and "SAML assertion validation failed". What exactly is attempting to match with what?
I've been using the article from DUO which is the clearest on the problem and I think I've done all these steps. But the last one is "Verify that you have deployed the correct certificate for your split-tunnel group." How exactly do I verify the *correct* certificate?