Click Enterprise Applications -> New Application -> Non-Gallery Application
Give it a Name (I'll use AnyConnect-SAML) and click Add at the bottom.
Click the Single sign-on menu Item.
Download the Certificate (Base64) from section 3 (we'll install this on the ASA later).
Make note of the following from Section 4:
Azure AD Identifier - This will be the saml idp entity ID in our VPN configuration.
Login URL - This will be the url sign-in value.
Logout URL - This will be the url sign-out value.
At this point you have the data required to begin configuring the VPN appliance.
We will need to come back here after configuring the VPN tunnel group and grabbing the SP metadata.
VPN Configuration - CLI
Alright, we're going to do this on the CLI first; I might come back through and do an ASDM walk-through at another time.
Connect to your VPN appliance. We're going to be using an ASA running the 9.8 code train, and our VPN clients will be AnyConnect 4.6+.
Please note there are SAML 2.0 minimum requirements (I believe they are ASA 9.7+ and AnyConnect 4.5+; below those, SAML 2.0 isn't supported, or you need to use the external browser configuration, which is outside the scope of this walk-through).
First we'll create a Trustpoint and import our SAML cert.
crypto ca trustpoint AzureAD-AC-SAML
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
crypto ca authenticate AzureAD-AC-SAML
-----BEGIN CERTIFICATE-----
… PEM Certificate Text from download goes here …
-----END CERTIFICATE-----
quit
The following commands will provision your SAML IdP.
*Note: There's a feature with the SAML IdP configuration: if you make changes to the IdP config, you need to remove the saml identity-provider line from your tunnel group and re-apply it for the changes to become effective.
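As an added example (not the author's own commands), this is the shape of the IdP and tunnel-group configuration the walk-through is building, including the remove-and-re-apply step from the note above. The Azure URL formats, `<tenant-id>` and the SP trustpoint name are placeholders/assumptions; substitute the values you recorded from the Azure AD SSO page and your ASA's own identity-certificate trustpoint.

```cisco
! Added example, not the original page's config. Angle-bracket values are assumptions.
webvpn
 ! Entity ID = "Azure AD Identifier" noted from Section 4 of the Azure SSO page
 saml idp https://sts.windows.net/<tenant-id>/
  ! "Login URL" and "Logout URL" noted from Section 4
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  ! Trustpoint holding the Azure AD signing certificate imported above
  trustpoint idp AzureAD-AC-SAML
  ! Trustpoint holding the ASA's own identity certificate (name is an assumption)
  trustpoint sp <ASA-identity-trustpoint>
  ! FQDN clients use to reach the ASA; this drives the SP entity ID and ACS URL
  base-url https://my.asa.com
  ! The ASA does not sign its AuthnRequests; Azure AD does not require it by default
  no signature
  ! Let an existing Azure AD browser session satisfy the login (SSO)
  no force re-authentication
!
tunnel-group AC-SAML type remote-access
tunnel-group AC-SAML webvpn-attributes
 authentication saml
 ! Must match the "saml idp" entity ID exactly, trailing slash included
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias AC-SAML enable
!
! After editing anything under "saml idp ...", re-bind it so the change takes effect:
!  tunnel-group AC-SAML webvpn-attributes
!   no saml identity-provider https://sts.windows.net/<tenant-id>/
!   saml identity-provider https://sts.windows.net/<tenant-id>/
```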
Finishing up with the Azure AD App
We're now ready to grab the SP metadata for our tunnel config and finish the Azure application configuration.
You can use a URL similar to the one below to view the SP metadata.
my.asa.com = the address at which my ASA is reachable
AC-SAML = the tunnel-group name configured for SAML auth