AnyConnect Azure SAML Help

jerick70
Level 1

Hi,

I'm trying to set up a SAML-authenticated VPN on my ASA to Microsoft Azure AD.  ASA Version: 9.14(2)15 on ASA 5516.  AnyConnect Client 4.10 (newest)

Problem:  I've followed the Cisco configuration guide for SAML Auth with Azure AD and I can log in to Azure AD; I connect with AnyConnect and choose the profile group that is set up for SAML, the MS login window comes up, and I put in my company email and password.  The Microsoft window says I'm logged in and asks me if I want to stay logged in; I say no. Then a browser window opens on my ASA that tells me the URL is forbidden.

[Screenshot attachment: 2022-06-09_17-28-56.jpg]

What's going on here?  I've checked and triple-checked the settings. Any help would be very much appreciated.

Thanks in advance!

7 Replies

mlopez1515
Level 1

Hello,

I'm having the same issue.  Were you able to fix this?

jerick70
Level 1

@mlopez1515 No I never found a solution.  You will want to call Cisco and open a ticket with them.  

podvarka
Level 1

Hello; is there any progress on this, please?

I have the same problem; my opinion is that this message is not from the Cisco side but a result of MS MFA authentication, but I'm not able to prove it ...

Petr

gajownik
Cisco Employee

While troubleshooting these types of problems in TAC we usually ask customers to provide a HAR file with the connection flow:
https://toolbox.googleapps.com/apps/har_analyzer/

The first thing that should be checked is whether the IdP asks the browser to send the assertion to the proper Assertion Consumer Service URL. It can be verified with the URL below:
https://<fqdn>/saml/sp/metadata/<tunnel-group>

Sometimes users get redirected to the wrong URL. In some cases incorrect "portal-access-rule" can also block connections.
Without the HAR, show tech output and debugs it will be rather hard to provide any other advice.

debug webvpn 255
debug webvpn anyconnect 255
debug webvpn session 255
debug webvpn saml 255
debug webvpn request 255

Thank you; it seems to be best to open the case.

In a recent customer case, the problem was indeed with the "portal-access-rule". The customer had a "deny any" value. Removing that fixed it. I suggested using a webvpn keepout value instead.

From what I figure, the portal-access-rule prevented the IdP (Duo SSO in the case I was working, but it would apply to any IdP) from replying to the ASA with an HTTP POST message for the Assertion Consumer Service that's otherwise listening for the result.
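As an added example (not from this thread, and not Cisco's own tooling), the script below automates the two checks the replies above describe: whether the IdP actually POSTed the assertion to the ACS URL the ASA declares in its SP metadata, and whether the ASA answered that POST with a 403 (the "Forbidden" page, which a denying portal-access-rule or DAP produces). The metadata, the asa.example.com host, the SAML-TG tunnel group, the ACS path and the HAR excerpt are all constructed samples; a real run would fetch https://<fqdn>/saml/sp/metadata/<tunnel-group> and json.load() the browser's HAR export.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed SP metadata as an ASA publishes it at https://<fqdn>/saml/sp/metadata/<tunnel-group>;
# host, tunnel-group name and ACS path are made up for this example.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://asa.example.com/saml/sp/metadata/SAML-TG">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://asa.example.com/+CSCOE+/saml/sp/acs?tgname=SAML-TG"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed HAR excerpt (the dict json.load() gives for a browser export): the IdP POSTs the
# assertion to the ASA and the ASA answers 403, the "Forbidden" symptom in this thread.
HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://asa.example.com/+CSCOE+/saml/sp/acs?tgname=SAML-TG",
                 "postData": {"params": [{"name": "SAMLResponse", "value": "<base64 omitted>"}]}},
     "response": {"status": 403}},
]}}

def acs_locations(metadata_xml):
    """HTTP-POST AssertionConsumerService URLs the SP declares in its metadata."""
    acs_tag = "{urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService"
    return [acs.get("Location") for acs in ET.fromstring(metadata_xml).iter(acs_tag)
            if acs.get("Binding", "").endswith("HTTP-POST")]

def assertion_posts(har):
    """(url, status) for every HAR entry that POSTs a SAMLResponse form field."""
    for entry in har["log"]["entries"]:
        req = entry["request"]
        params = req.get("postData", {}).get("params", [])
        if req["method"] == "POST" and any(p["name"] == "SAMLResponse" for p in params):
            yield req["url"], entry["response"]["status"]

def same_endpoint(a, b):
    """URL equality that ignores host case and query-parameter order."""
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.netloc.lower(), ua.path, parse_qs(ua.query)) == \
           (ub.scheme, ub.netloc.lower(), ub.path, parse_qs(ub.query))

def check(metadata_xml, har):
    """Findings list; empty means the assertion reached a declared ACS URL and was accepted."""
    expected = acs_locations(metadata_xml)
    posts = list(assertion_posts(har))
    findings = [] if posts else ["no SAMLResponse POST in HAR: the IdP never returned an assertion"]
    for url, status in posts:
        if not any(same_endpoint(url, e) for e in expected):
            findings.append(f"assertion POSTed to {url}, not a declared ACS URL {expected}")
        if status == 403:
            findings.append(f"ASA answered 403 for {url}: check portal-access-rule and DAP")
    return findings
```

Running check(SP_METADATA, HAR) on the constructed capture reports only the 403 finding, which is the case this thread ends up diagnosing; an assertion posted to a different tunnel group or host shows up as the ACS mismatch instead.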

gsauvage6hat
Level 1

Thank you guys!

I had the exact same issue, and started to go crazy: Cisco ASA, Secure Client, Azure AD, SAML, and this blank window with "Forbidden"...

I used DART to get full logs, and found this line: Portal access rule priority 10 matched, action=denied, code= 403

I found this strange, because it's related to Clientless SSL. But, I found your topic, and I confirm, when I removed it, I went a step further.

Then, I had "Login denied. Your environment does not meet the access criteria defined by your administrator", which was caused by a Dynamic Access Policy.

Now, everything is working as expected!

Thank you again