06-29-2022 11:54 AM - edited 06-30-2022 05:10 AM
We have three AnyConnect profiles (three tunnel groups, i.e. A, B, C). AnyConnect tunnel groups A and B are tied to backend RADIUS servers for authentication. I just followed the AnyConnect doc below with MFA. Now Azure MFA works fine for tunnel group C (SAML). The challenge is that I can't make tunnel groups A and B use SAML because the Azure AD Identifier for the IdP is the same.
According to the doc, it clearly says "ASA can support multiple IdPs and has a separate entity ID for each IdP to differentiate them." So I know that the ASA can set up multiple IdPs, so I created a second AnyConnect app from the Azure gallery, but a newly created application from the gallery has the SAME Azure AD SAML Identifier, so the ASA is not accepting it.
The ASA can support multiple IdPs, but in my case the IdP server is the same (I published three AnyConnect apps from the Azure portal and confirmed every app has the SAME Azure AD Identifier). How can I make three tunnel groups integrated with Azure MFA? We only have one Azure AD tenant now. Thanks!
Please see the attached screenshot for the Azure AD Identifier and the error from the ASA (same SSO server).
This is a good YouTube clip. The video has two SAML servers (Azure and Duo), not two Azure SSO servers.
Cisco VPN: ASA and Microsoft Azure AD with MFA using SAML - YouTube
Cisco Doc
Azure Doc
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect
06-30-2022 06:39 AM
07-05-2022 07:47 AM
Thanks Mohammed. Please see my reply. Without the same SAML signing cert, multiple TGs are not working. Thanks for your config.
07-05-2022 09:20 AM
07-05-2022 07:45 AM - edited 07-05-2022 07:45 AM
It is possible to use multiple IdPs from the ASA, including Azure AD (same Identifier); however, to use the same SAML server, it is required to use the SAME SAML signing certificate, which I was able to do from the Azure portal. Basically, I imported/exported a certificate from the ASA and applied it in the Azure portal (SAML Signing Certificate) for all apps (TG1, TG2, and TG3), and now it works well.
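For reference, here is an added example of what the finished ASA side of this setup looks like; it is not the poster's configuration. The point it shows is that the ASA has exactly one `saml idp` object per IdP entity ID, and that object carries a single `trustpoint idp`, so every Azure enterprise app that uses this entity ID must present the same signing certificate. The tunnel groups are distinguished on the SP side instead, by the per-tunnel-group Identifier and Reply URL that each Azure app is configured with. The tenant ID, the VPN hostname `vpn.example.com`, and the trustpoint names are placeholders.

```text
! Assumed values: tenant ID 00000000-0000-0000-0000-000000000000, VPN FQDN vpn.example.com,
! trustpoint AzureAD-Signing = the one signing certificate uploaded to all three Azure apps,
! trustpoint ASA-SP-Cert = the ASA's own identity certificate.
webvpn
 saml idp https://sts.windows.net/00000000-0000-0000-0000-000000000000/
  url sign-in https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  trustpoint idp AzureAD-Signing
  trustpoint sp ASA-SP-Cert
  no signature
  force re-authentication
!
! All three tunnel groups reference the same IdP object. Each Azure app must use
! that tunnel group's SP values, e.g. for TG-A:
!   Identifier (Entity ID): https://vpn.example.com/saml/sp/metadata/TG-A
!   Reply URL (ACS):        https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=TG-A
tunnel-group TG-A webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/00000000-0000-0000-0000-000000000000/
tunnel-group TG-B webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/00000000-0000-0000-0000-000000000000/
tunnel-group TG-C webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/00000000-0000-0000-0000-000000000000/
```

Two checks worth doing after applying something like this: `show saml metadata TG-A` (and likewise for the other tunnel groups) prints the entity ID and ACS URL the ASA expects, which is what the Identifier and Reply URL in each Azure app must match; and because the `trustpoint idp` is what validates the assertion signature, a mismatch between it and an app's signing certificate shows up as a signature failure for that tunnel group only. Note also that on the ASA, editing an existing `saml idp` block requires re-entering `saml identity-provider` under each tunnel group that references it.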