
Configure Anyconnect with SAML authentication on FTD managed via FDM



This document provides a configuration example of Security Assertion Markup Language (SAML) authentication on FTD managed over FDM. The configuration allows Anyconnect users to establish a VPN session by authenticating against a SAML Identity Provider (IdP).



Cisco recommends that you have knowledge of these topics:

  • Knowledge of Anyconnect configuration on FDM
  • Knowledge of SAML and of the values found in the IdP's metadata.xml


Components Used

The information in this document is based on these software and hardware versions:

  • Firepower Threat Defense managed over FDM using version 7.0.
  • ADFS from AD Server with SAML 2.0


Note: I am using an ADFS IdP server on which a custom IdP certificate was created; this certificate has the Basic Constraints "CA" flag set.

Also, if possible, use an NTP server to synchronize the time between the FTD and IdP. Otherwise, make sure the time is manually synchronized between them.


The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.


Background Information

Due to bug CSCvu95526, the only SAML server fully supported is Duo, as the documentation states:

SAML Servers
Following are the supported SAML servers: Duo.

In this lab, I am using ADFS as the SAML server; however, I created a custom IdP signing certificate which does contain the CA flag under Basic Constraints, which basically eliminates the limitation described in bug CSCvu95526.

You can check whether the IdP's signing certificate contains this flag with the following OpenSSL command (look for "CA:TRUE" under "X509v3 Basic Constraints" in the output):
openssl x509 -in vpnx.local/id.crt -noout -text



This section describes how to configure Anyconnect with SAML authentication on FTD managed via FDM.


Get the SAML IdP parameters

The image below shows a SAML IdP metadata.xml file. From it, you can obtain all the values needed to configure the Anyconnect profile with SAML:

[Image: saml metadata]
Configuration on the FTD via FDM


Step 1. Import the IdP's certificate. Under Objects -> Certificates -> Add Trusted CA Certificate.


[Image: 1 - import idp cert]


Step 2. The name you define here is used later on when referencing the IdP's certificate.


[Image: 2 - TP name]


Step 3. Create the SAML server. Under Objects -> Identity Sources -> SAML Server.


[Image: 3 - create saml server]


Step 4. Based on the metadata.xml file provided by your IdP, configure the SAML values:
  • Name: the SAML server's name.
  • Identity Provider (IDP) Entity ID URL: entityID from metadata.xml.
  • Sign in URL: SingleSignOnService Location from metadata.xml.
  • Sign out URL: SingleLogoutService Location from metadata.xml.
  • FTD Service Provider Certificate: the FTD signing certificate.
  • Identity Provider Certificate: the IdP signing certificate (the trusted CA certificate imported in Step 1).


[Image: 4 - config SAML parameters]



Step 5. Create a Connection Profile that uses SAML as the authentication method. Under Device -> Remote Access VPN.


[Image: 5 - Devices - RA]



Step 6. Click on Create Connection Profile.

[Image: 6 - create conn profile]



Step 7. Define the Connection Profile's name and the authentication method: under Primary Identity Source, select the SAML Server created in Step 3. Also define the IP local pool, or DHCP if you want to assign IPs to the RA users via DHCP.

[Image: 7 - conn profile settings]


Step 8. Select the group policy for this Connection Profile. You can create a dedicated group policy for this connection profile or use the default one instead.


[Image: 8 - select the GP]



Step 9. Define the SSL certificate to use for this RA VPN, the FQDN of the RA FTD, and the Anyconnect .pkg file to be used. Optionally, you can set the NAT Exemption and sysopt permit-vpn.
Very important: the value you define under "Fully-qualified Domain Name for the Outside Interface" is used as the base URL for the SAML configuration (the FTD's SP entityID and Assertion Consumer Service URL are built from it). Make sure the proper FTD RA FQDN is set there.



Step 10. Deploy the changes.


[Image: 10 - Deploy]


Step 11. Now, provide the FTD's metadata.xml file to the IdP so that the FTD is added there as a trusted device. On the FTD CLI, run the command "show saml metadata SAML_TG", where SAML_TG is the name of the Connection Profile created in Step 7.



As seen below, this is the expected output of the command mentioned above:

> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

FDM> en
FDM# show saml metadata SAML_TG
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://fdm.vpnx.local/saml/sp/metadata/SAML_TG" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="">
<AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fdm.vpnx.local/+CSCOE+/saml/sp/acs?tgname
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fdm.vpnx.local/+CSCOE+/saml/sp/logout"/><SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fdm.vpnx.local/+CSCOE+/saml/sp/logout"/></SPSSODescriptor>
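As an added example (not code from the original post), the script below does two of the checks described above in one place: it maps an IdP metadata.xml onto the FDM "SAML Server" fields of Step 4, and it verifies that the FTD's own SP metadata (as printed by "show saml metadata") only uses the outside-interface FQDN from Step 9. The ADFS hostname, entityID, certificate body and the SP metadata sample are constructed values, not taken from a real deployment.

```python
# Added example: IdP metadata.xml -> FDM SAML Server fields (Step 4), and an FQDN
# check of the FTD SP metadata printed by "show saml metadata <profile>" (Step 9/11).
# All hostnames, the entityID and the certificate body are constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.vpnx.local/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>MIIC-CONSTRUCTED-BODY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.vpnx.local/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.vpnx.local/adfs/ls/"/>
 </IDPSSODescriptor></EntityDescriptor>"""

SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://fdm.vpnx.local/saml/sp/metadata/SAML_TG"><SPSSODescriptor>
 <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://fdm.vpnx.local/+CSCOE+/saml/sp/acs?tgname=SAML_TG"/>
 <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="https://fdm.vpnx.local/+CSCOE+/saml/sp/logout"/></SPSSODescriptor></EntityDescriptor>"""

def idp_fields(xml_text):
    """Map the IdP metadata onto the FDM 'SAML Server' form fields (Step 4)."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    def endpoint(tag):  # prefer the HTTP-Redirect binding, which the FTD uses for SSO/SLO
        svcs = idp.findall(MD + tag)
        pick = [s for s in svcs if s.get("Binding") == REDIRECT] or svcs
        return pick[0].get("Location") if pick else None
    cert = idp.find(f"{MD}KeyDescriptor[@use='signing']/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    return {"Identity Provider (IDP) Entity ID URL": root.get("entityID"),
            "Sign in URL": endpoint("SingleSignOnService"),
            "Sign out URL": endpoint("SingleLogoutService"),
            # base64 body to wrap in BEGIN/END CERTIFICATE lines for the Trusted CA import (Step 1)
            "Identity Provider Certificate": cert.text.strip() if cert is not None else None}

def sp_fqdn_mismatches(sp_xml_text, outside_fqdn):
    """Return SP URLs whose host differs from the outside-interface FQDN (Step 9 caveat)."""
    root = ET.fromstring(sp_xml_text)
    urls = [root.get("entityID")] + [e.get("Location") for e in root.iter()
            if e.tag in (MD + "AssertionConsumerService", MD + "SingleLogoutService")]
    return [u for u in urls if urlparse(u).hostname != outside_fqdn.lower()]
```

An empty list from sp_fqdn_mismatches means every URL the IdP will see for the FTD matches the FQDN configured in Step 9; any entry returned points at a metadata file generated before the FQDN was corrected.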



Once the FTD's metadata.xml is provided to the IdP and the IdP adds the FTD as a trusted device, a test of the VPN connection can be done.


Verify that the Anyconnect VPN connection was established using SAML as the authentication method (Auth Mode : SAML) with the command shown below:


FDM# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username : jbrenesm Index : 3
Assigned IP : Public IP :
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384
Bytes Tx : 14474 Bytes Rx : 5538
Pkts Tx : 10 Pkts Rx : 34
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : SAML_GP Tunnel Group : SAML_TG
Login Time : 18:30:35 UTC Tue Sep 14 2021
Duration : 0h:00m:19s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 00000000000030006140ea4b
Security Grp : none Tunnel Zone : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

Tunnel ID : 3.1
Public IP :
Encryption : none Hashing : none
TCP Src Port : 58143 TCP Dst Port : 443
Auth Mode : SAML
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : win
Client OS Ver: 10.0.19042
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.02086
Bytes Tx : 7237 Bytes Rx : 0
Pkts Tx : 5 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

Tunnel ID : 3.2
Assigned IP : Public IP :
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 58153
TCP Dst Port : 443 Auth Mode : SAML
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.10.02086
Bytes Tx : 7237 Bytes Rx : 5538
Pkts Tx : 5 Pkts Rx : 34
Pkts Tx Drop : 0 Pkts Rx Drop : 0




The following verification commands on the FTD CLI can be used to troubleshoot SAML and the Remote Access VPN connection:


Verification commands on the FTD CLI:

firepower# show run webvpn
firepower# show run tunnel-group
firepower# show crypto ca certificate
firepower# debug webvpn saml 255

Additionally, collect a DART bundle from the Anyconnect user's PC.



I hope it helps

- Josue Brenes (jbrenesm)

Marvin Rhoads
VIP Community Legend

Great writeup - thanks for sharing @Josue Brenes 

One caveat I've encountered is that if "sysopt permit-vpn" is enabled for ANY remote access VPN connection profile or site-to-site VPN on the firewall, it will affect all of them (since it is a global command in the running-config).

FYI your bugID that's linked should point to the public-facing site vs. the cdets internal one. i.e., use:
