AnyConnect (4.10 version) with Azure MFA - Same Azure AD Identifier

Kyujin Choi
Level 1

We have three AnyConnect profiles (three tunnel groups, i.e. A, B, C). Tunnel groups A and B are tied to backend RADIUS servers for authentication. I just followed the AnyConnect doc below for MFA. Now Azure MFA works fine for Tunnel Group C (SAML). The challenge is that I can't make Tunnel Groups A and B use SAML because the IdP Azure AD Identifier is the same.

According to the doc, it clearly says "ASA can support multiple IdPs and has a separate entity ID for each IdP to differentiate them." So I know that the ASA can be set up with multiple IdPs, so I created a second AnyConnect app from the Azure gallery, but the newly created application from the gallery has the SAME Azure AD SAML Identifier, so the ASA is not accepting it.

The ASA can support multiple IdPs, but in my case the IdP server is the same (I published 3 AnyConnect apps from the Azure Portal and confirmed that every app has the SAME Azure AD Identifier). How can I make three tunnel groups integrated with Azure MFA? We only have one Azure AD tenant right now. Thanks!

Please see the attached screenshot for the Azure AD Identifier and the error from the ASA (same SSO server).

This is a good YouTube clip. The video has two SAML servers (Azure and Duo), not two Azure SSO apps.

Cisco VPN: ASA and Microsoft Azure AD with MFA using SAML - YouTube


Cisco Doc

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html#:~:text=ASA%20can%20support%20multiple%20IdPs%20and%20has%20a,likely%20drops%20this%20message%2C%20and%20SAML%2....


Azure Doc

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect

4 Replies

Hi,

You can create multiple tunnel-groups with the same SAML IdP, which is your Azure tenant. Not sure where the problem is? All your tunnel-groups will authenticate with Azure SSO SAML and pass the assertion back to the ASA to resume.

Here is a sample config:

webvpn
 saml idp https://sts.windows.net/xxxxxxxxxxxxxxxxxx/
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/saml2
  url sign-out https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/saml2
  base-url https://testvpn.testlab.com
  trustpoint idp TEST-TP-IDP
  trustpoint sp TEST-TP-SP
  no signature
  force re-authentication
  timeout assertion 7200
!
tunnel-group GP-A type remote-access
tunnel-group GP-A general-attributes
 address-pool vpn-pool
 authorization-server-group ise-lab
 accounting-server-group ise-lab
 default-group-policy ise-gp-01
tunnel-group GP-A webvpn-attributes
 authentication saml
 group-alias TEST-VPN enable
 saml identity-provider https://sts.windows.net/xxxxxxxxxxxxxxxxxx/
!
tunnel-group GP-B type remote-access
tunnel-group GP-B general-attributes
 address-pool vpn-pool
 authorization-server-group ise-lab
 accounting-server-group ise-lab
 default-group-policy ise-gp-02
tunnel-group GP-B webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/xxxxxxxxxxxxxxxxxx/


**** please remember to rate useful posts


Thanks Mohammed. Please see my reply. Without the same SAML signing cert, multiple TGs are not working. Thanks for your config.

Hi,

In Azure, each application will have one or more entity IDs and one certificate. The entity IDs represent tunnel groups (one should be selected as the default entity ID).

So on the ASA you configure one SAML provider with multiple tunnel groups using the same trustpoint.

Hope it's clear now. Otherwise, detail what you are looking for.

**** please remember to rate useful posts

Kyujin Choi
Level 1
(Updated)

It is possible to use multiple IdPs from the ASA, including Azure AD (same Identifier); however, to use the same SAML server it is required to use the SAME SAML signing certificate, which I was able to do from the Azure Portal. Basically, I imported/exported a certificate from the ASA and applied it in the Azure Portal (SAML Signing Certificate) for all apps (TG1, TG2, and TG3), and now it works well.
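An added worked example, not code from the thread, from Cisco or from Microsoft: a small Python check that reads the SAML metadata of each Azure enterprise app (one per tunnel group) and reports which apps would fail on the ASA. It assumes the standard SAML 2.0 metadata layout (EntityDescriptor / IDPSSODescriptor / KeyDescriptor use="signing") that Azure's federation metadata follows, and that the ASA verifies the assertion signature only against the certificate held in the `trustpoint idp` of the one `saml idp` entry matching the entity ID, which is the behaviour the resolution above points to (three apps, one entity ID, so all three must sign with the certificate the ASA trusts). The tenant ID, the metadata and the "certificates" are constructed placeholders, not real X.509 data.

```python
"""
Check that every Azure enterprise app that shares one IdP entity ID (one
'saml idp' entry on the ASA) also signs with the certificate loaded in the
ASA's 'trustpoint idp'. Standard library only. All metadata, certificates
and the tenant ID below are CONSTRUCTED for the example (assumption).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
IDP_ENTITY_ID = f"https://sts.windows.net/{TENANT}/"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed stand-ins for DER certificates (not real X.509 certificates).
CERT_SHARED = _b64(b"constructed signing certificate imported into all three Azure apps")
CERT_APP_B_DEFAULT = _b64(b"constructed per-app certificate Azure generated for app B")


def build_metadata(cert_b64: str) -> str:
    """Minimal SAML 2.0 IdP metadata in the layout Azure's federation metadata uses.
    The certificate is line-wrapped the way real metadata usually is."""
    wrapped = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{IDP_ENTITY_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
{wrapped}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing certificates and SSO URLs from IdP metadata."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            certs.append("".join(node.text.split()))  # drop line wrapping and indentation
    sso = [s.get("Location") for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso_urls": sso}


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, the usual way to compare certificates regardless of PEM wrapping."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def required_saml_idp_entries(metadata_by_tg: dict) -> set:
    """Distinct entity IDs across the apps: one 'saml idp' entry on the ASA per member."""
    return {parse_idp_metadata(x)["entity_id"] for x in metadata_by_tg.values()}


def check_tunnel_groups(metadata_by_tg: dict, asa_trustpoint_cert_b64: str) -> dict:
    """Per tunnel group: 'ok' if the app's signing cert is the one in the ASA trustpoint,
    otherwise the reason the ASA would reject that app's assertions."""
    trusted = fingerprint(asa_trustpoint_cert_b64)
    verdicts = {}
    for tg, xml_text in metadata_by_tg.items():
        fps = {fingerprint(c) for c in parse_idp_metadata(xml_text)["signing_certs"]}
        if not fps:
            verdicts[tg] = "no signing certificate in metadata"
        elif trusted in fps:
            verdicts[tg] = "ok"
        else:
            verdicts[tg] = "signing cert differs from ASA trustpoint; re-use the shared cert in this Azure app"
    return verdicts


# Constructed scenario: apps A and C already use the shared cert, app B still has its own.
APP_METADATA = {
    "TG-A": build_metadata(CERT_SHARED),
    "TG-B": build_metadata(CERT_APP_B_DEFAULT),
    "TG-C": build_metadata(CERT_SHARED),
}

if __name__ == "__main__":
    print("saml idp entries needed:", required_saml_idp_entries(APP_METADATA))
    for tg, verdict in check_tunnel_groups(APP_METADATA, CERT_SHARED).items():
        print(tg, verdict)
```

In practice you would replace the constructed metadata with the federation metadata XML downloaded from each enterprise app's SAML settings and pass the base64 body of the certificate enrolled in the ASA's `trustpoint idp`; any tunnel group reported as not "ok" is the one whose app still carries an Azure-generated per-app certificate.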