Preface: I had a hard time locating documentation for configuring AnyConnect with Azure AD as a SAML IdP - So I took some notes and thought I'd share. I hope it helps someone.
Azure Setup
Login to Azure Portal (https://portal.azure.com)
Click Azure Active Directory
Click Enterprise Applications -> New Application -> Non-Gallery Application
Give it a Name (I'll use AnyConnect-SAML) and click Add at the bottom.
Click the Single sign-on menu Item.
Select SAML
Download the Certificate Base64 from section 3 (We'll install this later)
Make note of the following from Section 4:
Azure AD Identifier - This will be the saml idp in our VPN configuration.
Login URL - This will be the url sign-in
Logout URL - This will be the url sign-out
At this point you have the Data Required to begin configuring the VPN Appliance.
We will need to come back here after configuring the VPN Tunnel-Group and grabbing the metadata.
VPN Configuration - CLI
Alright, we're going to do this on the CLI first, I might come back through and do an ASDM walk-through at another time.
Connect to your VPN Appliance, we're going to be using an ASA running 9.8 code train, and our VPN clients will be 4.6+
Please note there are SAML 2.0 minimum requirements (I believe they are ASA 9.7+ and AC 4.5+ otherwise SAML 2.0 isn't supported or you need to use external browser config… this is outside the scope of this walk-through)
First we'll create a Trustpoint and import our SAML cert.
config t
crypto ca trustpoint AzureAD-AC-SAML
revocation-check none
no id-usage
enrollment terminal
no ca-check
crypto ca authenticate AzureAD-AC-SAML
-----BEGIN CERTIFICATE-----
…
PEM Certificate Text from download goes here
…
-----END CERTIFICATE-----
quit
The following commands will provision your SAML IdP
webvpn
saml idp https://sts.windows.net/xxxxxxxxxxxxx/ (This is your Azure AD Identifier from SSO Section 4 of Azure App)
url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2 (Login URL: SSO Section 4 of Azure App)
url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 (Logout URL)
trustpoint idp AzureAD-AC-SAML
trustpoint sp (Trustpoint for SAML Requests - you can use your existing external cert here)
no force re-authentication
no signature
base-url https://my.asa.com
Now you can apply SAML Authentication to a VPN Tunnel Configuration.
(Configuration of a VPN Tunnel Group or Group Policy is beyond the scope of this document)
tunnel-group AC-SAML webvpn-attributes
saml identity-provider https://sts.windows.net/xxxxxxxxxxxxx/
authentication saml
end
write mem
*Note: There's a feature with the SAML IdP configuration - If you make changes to the IdP config you need to remove the saml identity-provider config from your Tunnel Group and re-apply it for the changes to become effective.
Finishing up with the Azure AD App
We're now ready to grab the meta-data for our tunnel config and finish the Azure application configuration.
You can use a URL similar to below to view the SP metadata.
my.asa.com = the address at which my ASA is reachable
AC-SAML is the tunnel group name configured for SAML auth.
SP Metadata:
https://my.asa.com/saml/sp/metadata/AC-SAML (Also your Entity ID - Azure App Section 1)
In the metadata XML look for AssertionCustomerService, the Location field in this tag is the Reply URL for the Azure App In SSO Section 1.
Edit the Basic Configuration Section by clicking on the pencil in the top right.
Add the Entity ID & Reply URL
Click Save in the SAML Basic Configuration.
You should now have the basic communication between the ASA and Azure AD wired up.
You may need to add user permissions to the app in Azure AD and conditional access policy for multi-factor, etc.
All beyond the scope of this walk-through, but highly recommended.
Hello,
I have found the solution for the always on enabled redirectect problem.
Anyconnect VPN profile editor for the windows application ( 4.9 and 4.10 versiyon has an update.)
You can add allow hosts address to that to the profile (loginmicrosoftonline.com vb... )
I could not see that area on the ASDM, (Maybe it can be seen after ASDM update on the ASA device )
I had the same issue someone else mentioned before (see screenshot below) so I want to be specific about the solution: the ASA needs a later version (I was using 9.7 and that's why I was getting an external/additional browser instead of the one embedded into the new ASA/anyconnect version so I upgraded it both to 9.12.3). Older ASA versions do not support SHA-256 cert presented by Azure (trustpoint idp XXXX - Azure cert in the ASA configuration) and that is another reason because it failed.
In addition to that, you do not need to unchecked the "always on" or add an URL in the anyconnect profile as mentioned before even though looks like it was a workaround.
After upgrading the appliance/client on my laptop, the problem was basically Azure configuration not properly synchronized the metadata information from ASA (ASA Certificate used for outside interface, location,Reply URL,etc). As another option to the URL indicated at the beginning of this post, go to CLI and run the following command:
ASA# sh saml metadata TUNNEL-GROUP-NAME (SP CERTIFICATE INFORMATION, LOCATION, REPLY URL, ETC)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://VPN.COMPANY.NET/saml/sp/metadata/TUNNEL-GROUP-NAME" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>KTAYt1+iBuU2XRx5H/MmKiTtt8X074+56vCaiUXJsYMYnaGI (***SOME OUTPUT ABOUT THE ASA CERTIFICATE WAS OMITTED)
ua9UBYGbO5HjvCuQClPK6ncgFXDb6IS4
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://VPN.COMPANY.NET/+CSCOE+/saml/sp/acs?tgname=TUNNEL-GROUP-NAME" />
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://VPN.COMPANY.NET/+CSCOE+/saml/sp/logout"/><SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://VPN.COMPANY.NET/+CSCOE+/saml/sp/logout"/></SPSSODescriptor>
</EntityDescriptor>
ASA#
Copy and save the "bold" information above up to the </EntityDescriptor> into notepad, go to Azure site --- > Anyconnect SAML Profile and upload the notepad information (another screenshot below). That would allow to have both sides properly sync'ed.
