
Anyconnect client with SAML Microsoft AAD


Hi All


I'm trying to create a VPN policy to use SAML instead of Radius. The SAML IdP is Microsoft AAD.

If I open the ASA (version 9.9(2)52) website, I get correctly redirected to the AAD site and can authenticate myself there. Afterwards I land on the classic ASA login page with a "Login failed" message.

If I enter the same group-URL into AnyConnect 4.8.01090, I instantly get the following error message in a pop-up:

failed to generate saml authnrequest


debug webvpn saml 255 only provided this one line:

 SAML AUTH: SAML hash table cleanup periodic task

and debug webvpn 255 this line:

Public archive directives retrieved from cache for index 1.


Any ideas?


Oh and a bonus question, will the data flow from the client be:

1. AnyConnect - ASA - Microsoft AAD


2. AnyConnect - Microsoft AAD


Quick update, I got the authentication working now, but that opened some new questions.
The issue was the wrong VPN server hostname that was entered in AAD. I used the load-balanced name in AAD and also in the SAML profile; that doesn't seem to work. After changing it in both places to the real hostname, it works.

Now I have to get this working with VPN load-balancing and automatic group-policy assignment.

What's the solution to this issue of having load balancing of a SAML-based VPN connection?


I am seeing similar console messages when I enable debug webvpn saml 255 

"wrong vpn server hostname" in AAD 

Do you mean the wrong URL that will be used to connect to the remote access service?

for example below 

OUR_CISCO_ANYCONNECT_FQDN = base-url >>>that is what the users see

traffic flow is 

1. AnyConnect - ASA - Microsoft AAD

