11-26-2019 04:37 AM - edited 11-26-2019 04:42 AM
Hi All
I'm trying to create a VPN policy to use SAML instead of Radius. The SAML IdP is Microsoft AAD.
If I open the ASA (version 9.9(2)52) website, I get correctly redirected to the AAD site and can authenticate myself there. Afterwards I land on the classic Asa login page with a Login failed message.
If I enter the same group-URL into AnyConnect 4.8.01090, I instantly get the following error message in a pop-up:
failed to generate saml authnrequest
debug webvpn saml 255 only provided this one line:
SAML AUTH: SAML hash table cleanup periodic task
and debug webvpn 255 this line:
Public archive directives retrieved from cache for index 1.
Any ideas?
Oh, and a bonus question: will the data flow from the client be
1. AnyConnect - ASA - Microsoft AAD
or
2. AnyConnect - Microsoft AAD
?
11-26-2019 08:55 AM
09-15-2020 12:22 PM - edited 09-15-2020 12:23 PM
What's the solution to this issue of load balancing a SAML-based VPN connection?
09-14-2022 03:16 AM
Hello,
I am seeing similar console messages when I enable debug webvpn saml 255.
"wrong vpn server hostname" in AAD
Do you mean the wrong URL that will be used to connect to the remote access service?
For example, below:
OUR_CISCO_ANYCONNECT_FQDN = base-url https://DRsslvpn.123.ie >>> that is what the users see
Traffic flow is:
1. AnyConnect - ASA - Microsoft AAD