Hello @nathan.browning ,

Ii this working with firepower 2100?
Am i obligated to use one anyconnect app per tunnel group or can be used only one app modifying the entity id string and reply URL on azure?

Hello,
i've tried your procedure and worked!!!! thank you man! you saved me

This was super helpful. Something to note is that you need to create your own PFX certificate which you can use in Azure AD Signing Certificate for all Enterprise App SAML configs.

I believe the need for multiple Azure IdP apps would be prevented once this bug is fixed:

CSCvu23053

CSCwb66890

Hello @nathan.browning ,

can someone explain more part about the certificate?

- External SSL Certificate for your domain registered for anyconnect  (I had a wildcard cert for this)

What certificate did you use? wildcard for your organization or selfsignecertificate?


Best regards,
Ivan

Hello,

So, I've been trying to get this to work and I've been running into issues. I've followed this guide, which is great btw, and when I go to test it I get an error saying that the application with identifier was not found. We have four tunnel groups and have our group urls set up as 'https://subdomain.domain.com',  if I don't add a base-url it looks for 'http://fqdn/saml...' and when I do add a base-url it looks for 'https://domain.com/saml...'. I have the config in Azure set up just like it shows in this guide and I have verified that the URLs are upper/lowercase where needed and using https, I have users assigned to the tunnel group that I'm testing, and have checked the saml metadata on the ASA which has the incorrect URL (http://fqdn/saml...). I'm obviously missing something simple. We're using a FirePower 2110 FTD with ASA 9.14 installed managed by ASDM and using Microsoft Authenticator for MFA.

@MaErre21325  hello dear
yes you need to create different Enterprise app for each tunnel group

Trying to follow this. At the step where you're importing a certificate so you can use the same 1 for multiple apps, which certificate are you using?  Do you need to purchase a 3rd party certificate for this since we wouldn't have the private key for the original one we download?

@mumbles202 When I do this, I use a certificate issued from my PKI, but you can even use self signed or CA issued. What is important is that the certificate used by Azure (the SAML Signing Certificate) is a PFX (including private key) of the certificate you uploaded to your ASA. Here is an overview of a process to use self-signed:

1. Ensure OpenSSL is in the path of my workstation (I can run openssl help and see a list of commands).
2. Generate the private key and CSR with the following command (filing in the prompted details appropraitely) 

openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout private.key -out new.csr ​

• Generate the self-signed certificate with the following commands (you can adjust expiration timeline with the -days flag)

openssl x509 -signkey private.key -in new.csr -req -days 365 -out ASA.crt​

• Combine cert and key into a signed PFX  (with secure password)

openssl pkcs12 -export -name "ASA-IDP-Cert" -out ASA-IDP-Cert.pfx -inkey private.key -in ASA.crt​

• Use "ASA.crt" in your ASA commands above, and upload your "ASA-IDP-Cert.pfx" to each Azure tunnel Enterprise App using the following:
  1. In Signle sign-on blade, Edit Step 3 (SAML Certificates)
  2. Import Certificate and upload "ASA-IDP-Cert.pfx" and enter your cert's password
  3. Make the new cert active, by clicking the 3 dots to the right of the Thumbprint column and clicking "Make certificate active"
  4. Delete the auto-generated inactive cert.

Hope this helps!

Ok thanks.  I didn't think about using OpenSSL.  The PKI environment is being spun down to move all to Entra so this might be a solution.