06-05-2019 08:37 AM
We have been using the AnyConnect client and LDAP attribute maps to place clients in specific VPN groups on our Cisco ASA. We also use DUO for MFA in AnyConnect connections. This works fine, but clients often find the AnyConnect interface to be somewhat confusing in conjunction with MFA.
We'd like to use SAML authentication for AnyConnect clients in order to give clients the same interface they are used to when accessing other services. We have gotten this to successfully work with Anyconnect after some trial and error; pretty slick.
However, the missing piece is the attribute mapping. It appears that attribute maps can only be assigned to AAA servers on the ASA, and I can find no way to map attributes to VPN groups when using SAML instead of AAA. The configuration guide states "This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."
Has anyone else run into this situation? Any suggestions?
thanks.
06-14-2019 11:41 AM
Solved.
We switched the LDAP AAA attribute mapping to use LDAP authorization instead of authentication.
Works perfectly now, and no more confusing AnyConnect MFA interface.
Lynne
09-13-2019 05:38 PM
09-17-2019 06:12 AM
Sure!
We basically followed this document:
The key for us was to set the AAA server for the SAML profile to use authorization instead of authentication:
tunnel-group SAML general-attributes
authorization-server-group LDAP_SECURE
aaa-server LDAP_SECURE (inside) host x.x.x.x
...
ldap-attribute-map Test-Group-Assignment
ldap attribute-map Test-Group-Assignment
map-name VPNGroup Group-Policy
map-value TEST Test-Group-Assignment
09-17-2019 06:19 AM
Sorry, accidentally posted before adding the link to the document:
Note that even though the documentation says 'clientless' it does indeed work with AnyConnect clients.
The other key thing I would point out is that if you change any part of the SAML Identity provider configuration you need to remove the SAML config from the Profile configuration and re-apply it. This is a bug.
You also need to be at ASA version 9.7.1.24 (or later)
Let me know if you have any other questions.
Lynne
09-17-2019 08:54 AM
Thanks! Which document were you referring to?
09-17-2019 09:52 AM
This document; please see my follow-up post as well:
11-05-2019 03:01 PM
Hi Lynne,
I'm trying to set this up in my environment, but I am more familiar with ASDM than the CLI. I'm wondering if you might be able to provide some additional instructions to set this up in the ASDM?
I have the SAML authentication working (with Duo MFA), however when I try to add any of the LDAP attribute maps to map an AD group to an ASA group policy it doesn't appear to do anything since I always get the group policy assigned to the Anyconnect profile I'm using.
Thanks for any help you can provide!
11-07-2019 11:26 AM
Jordan,
Were the LDAP attribute maps working previously, e.g. before you set up the SAML authentication? Or is this a new configuration?
And you have configured the LDAP attribute map in the profile as AAA authorization, yes?
It would be very helpful for you to login to the ASA command line and do AAA debugging; that will show you what values are being returned from the AD server; your issue could be there as well.
Debug aaa authorization
Lynne
11-11-2019 07:59 AM
11-12-2019 09:28 AM
Hi Lynne,
After looking at other configuration tutorials I found that I might need to set up a "no access" group policy and configure it as the default policy for my tunnel group profile. However, I tried this and it still didn't work. I'm curious if you needed to configure a "no access" default policy for the SAML profile?
The following is my sanitized configuration and some debugs if it helps. I’m wondering if the issue might be that ADFS is sending my username back as username@company.com instead of just username?
Thanks!
Jordan
Campus-ASA# sh run aaa-server UNW-AD
aaa-server UNW-AD protocol ldap
reactivation-mode timed
max-failed-attempts 5
aaa-server UNW-AD (Inside) host 10.10.10.10
timeout 30
server-port ****
ldap-base-dn dc=emp,dc=company,dc=com
ldap-group-base-dn dc=emp,dc=company,dc=com/groups
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn ldapuser@company.com
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map UNWMFA-VPNAcess
Campus-ASA#
!
Campus-ASA# sh run ldap attribute-map UNWMFA-VPNAcess
map-name memberOf Group-Policy
map-value memberOf cn=VPNAccess,ou=groups,dc=emp,dc=company,dc=com NWCVPN
Campus-ASA#
!
Campus-ASA# sh run group-policy NWCVPN
group-policy NWCVPN internal
group-policy NWCVPN attributes
dns-server value 10.10.10.11 10.10.10.12
vpn-simultaneous-logins 3
vpn-filter value VPN-in
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-in
default-domain value emp.company.com
vlan none
address-pools value VPN-DHCP
Campus-ASA#
!
Campus-ASA# sh run tunnel-group UNWMFA
tunnel-group UNWMFA type remote-access
tunnel-group UNWMFA general-attributes
address-pool VPN-DHCP
authorization-server-group UNW-AD
default-group-policy NoAccess
tunnel-group UNWMFA webvpn-attributes
authentication saml
group-alias UNWMFA enable
group-url https://vpn.company.com/saml enable
without-csd
saml identity-provider http://adfs.company.com/adfs/services/trust
Campus-ASA#
!
Campus-ASA# show run group-policy NoAccess
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value 10.10.10.11
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client
Campus-ASA#
!
Campus-ASA# debug dap trace 255
Campus-ASA# debug webvpn saml 255
Campus-ASA# debug aaa authorization
Campus-ASA#
Campus-ASA# Nov 12 10:52:40
[SAML] build_authnrequest:
https:// adfs.company.com /adfs/ls/?SAMLRequest=fVFda4M********************3D%3D
[SAML] saml_is_idp_internal: getting SAML config for tg UNWMFA
SAML AUTH: SAML hash table cleanup periodic task
Nov 12 10:53:09
[SAML] consume_assertion:
PHNh***********
12 10:53:09 [SAML] NotBefore:2019-11-12T16:53:09.277Z NotOnOrAfter:2019-11-12T17:53:09.277Z timeout: 300
Nov 12 10:53:09 [SAML] consume_assertion: <Session xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2"><Assertion RemoteProviderID="http://***********/adfs/services/trust"><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_************-9f17-082d486c6e08" IssueInstant="2019-11-12T16:53:09.277Z" Version="2.0"><Issuer>http:// adfs.company.com /adfs/services/trust</Issuer><ds:Signature xmlns:ds="***************:SAML:1.1:nameid-format:unspecified">username@company.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_6B27A7A**********B4E" NotOnOrAfter="2019-11-12T16:58:09.277Z" Recipient="https://vpn.company.com/+CSCOE+/saml/sp/acs?tgname=UNWMFA"/></SubjectConfirmation></Subject><Conditions NotBefore="2019-11-12T16:53:09.277Z" NotOnOrAfter="2019-11-12T17:53:09.277Z"><AudienceRestriction><Audience>https://vpn.company.com/saml/sp/metadata/UNWMFA</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>username@company.com</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>username@company.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2019-11-12T16:53:00.877Z" SessionIndex="_**************-9f17-082d486c6e08"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></Assertion><NidAndSessionIndex ProviderID="http://adfs.company.com/adfs/services/trust" AssertionID="_******************" SessionIndex="_*****************">
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unNov 12 10:53:09
[SAML] consume_assertion:
http://adfs.company.com/adfs/services/trust username@company.com
[saml] webvpn_login_primary_username: SAML assertion validation succeeded
Start timer for verifying token 7********************
Username "username@company.com" added to list with token 7**************
saml_auth_is_valid_token: SAML ac token being looked 7*************
saml_ac_v2_process_auth_request: SAML ac token being looked 7************
SAML AUTH: authentication success
[6974] Session Start
[6974] New request Session, context 0x00007****0, reqType = Other
[6974] Fiber started
[6974] Creating LDAP context with uri=ldaps://10.10.10.10:****
[6974] Connect to LDAP server: ldaps://10.10.10.10:****, status = Successful
[6974] supportedLDAPVersion: value = 3
[6974] supportedLDAPVersion: value = 2
[6974] Binding as ldapuser@emp.company.com
[6974] Performing Simple authentication for ldapuser@company.com to 10.10.10.10
[6974] LDAP Search:
Base DN = [dc=emp,dc=company,dc=com]
Filter = [sAMAccountName=username@company.com]
Scope = [SUBTREE]
[6974] Search result parsing returned failure status
[6974] Fiber exit Tx=269 bytes Rx=680 bytes, status=-1
[6974] Session End
SAML AUTH: SAML hash table cleanup periodic task
Campus-ASA#
12-16-2019 01:04 AM
Any traction on this?
We'd like to implement SAML with DUO for Anyconnect clients but are running into the same issue with missing the authorization piece.
12-16-2019 05:13 AM
Did you run any debugs on the ASA? That will show you exactly what the authorization server is returning, and may point you in the right direction.
I found this command to be helpful:
debug webvpn saml
This is the correct debug command even if you are using AnyConnect.
Lynne
05-14-2020 05:38 PM
Jordan,
I don't know if you were able to resolve your issue but I was seeing the same thing with the username being username@company.com instead of just username.
The way I fixed this issue was setting the Naming Attribute value in your LDAP server to userPrincipalName
Hope this helps.
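The debug output Jordan posted earlier shows the ASA searching AD with `Filter = [sAMAccountName=username@company.com]` and then failing, which is exactly the mismatch this reply fixes by switching the naming attribute to userPrincipalName. The following script, an added example that is not from this thread or from Cisco, parses constructed `debug aaa authorization` lines modelled on that output and reports whether the SAML NameID format and the ldap-naming-attribute disagree. The sample log text and host values are constructed placeholders.

```python
import re

# Constructed debug lines modelled on the "debug aaa authorization" output in this
# thread (before the fix). Host and port are placeholders, not real values.
BROKEN_DEBUG = """\
[6974] Creating LDAP context with uri=ldaps://10.10.10.10:636
[6974] Binding as ldapuser@emp.company.com
[6974] LDAP Search:
Base DN = [dc=emp,dc=company,dc=com]
Filter = [sAMAccountName=username@company.com]
Scope = [SUBTREE]
[6974] Search result parsing returned failure status
[6974] Fiber exit Tx=269 bytes Rx=680 bytes, status=-1
"""

# Constructed debug lines as they would look after "ldap-naming-attribute userPrincipalName".
FIXED_DEBUG = """\
[6975] LDAP Search:
Base DN = [dc=emp,dc=company,dc=com]
Filter = [userPrincipalName=username@company.com]
Scope = [SUBTREE]
[6975] Fiber exit Tx=269 bytes Rx=2048 bytes, status=1
"""

FAILURE_MARKER = "Search result parsing returned failure status"
FILTER_RE = re.compile(r"Filter = \[(?P<attr>[^=\]]+)=(?P<value>[^\]]*)\]")


def parse_search(debug_text):
    """Pull the naming attribute and the username the ASA searched for out of the debug."""
    m = FILTER_RE.search(debug_text)
    if not m:
        return None
    return {
        "attr": m.group("attr"),
        "value": m.group("value"),
        "failed": FAILURE_MARKER in debug_text,
    }


def diagnose(debug_text):
    """Return findings explaining why authorization may not have matched the SAML user."""
    search = parse_search(debug_text)
    findings = []
    if search is None:
        findings.append("no LDAP search in the debug; check that authorization-server-group "
                        "is set under the tunnel-group general-attributes")
        return findings
    attr, value = search["attr"], search["value"]
    # A UPN-formatted NameID (user@domain) will never equal a bare sAMAccountName.
    if "@" in value and attr.lower() == "samaccountname":
        findings.append(f"SAML NameID '{value}' is UPN-formatted but the naming attribute is "
                        f"{attr}; set ldap-naming-attribute userPrincipalName or have the IdP "
                        "release the short account name")
    if search["failed"]:
        findings.append("the search returned no usable entry, so no memberOf values reached "
                        "the attribute map and default-group-policy applies")
    return findings


if __name__ == "__main__":
    for label, text in (("before fix", BROKEN_DEBUG), ("after fix", FIXED_DEBUG)):
        print(label, diagnose(text) or ["no problem found"])
```

Run it against your own captured debug by replacing the constructed text; the "no problem found" path is the state you want before looking elsewhere (for example at the attribute map itself).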
01-15-2021 02:27 AM - edited 01-15-2021 02:29 AM
Hi @lynne.meeks ,
May I ask if you did anything special to get the above to work? As I understand you are using SAML for authentication, and then have configured LDAP as authorization on the tunnel-group.
I am trying the same, and I see that all LDAP attributes are returned, however it's like my LDAP attribute map is not kicking in - user is not assigned correct group policy.
LDAP attribute maps look like this:
ldap attribute-map TEST-group-assign
map-name memberof Group-Policy
map-value memberof CN=VPN_SSL_Base,OU=VPN,OU=Groups,DC=fqdn,DC=local GPO-AAD-TEST2
Hence the above should make sure that if a user is a member of group "VPN_SSL_Base" he is mapped to group-policy "GPO-AAD-TEST2" - but I cannot get it to work.
/Rasmus
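To make the map-name / map-value logic in this thread concrete, here is an added example (not from this thread or from Cisco) that parses an `ldap attribute-map` block in ASA CLI syntax and applies it to the memberOf values returned for a user, falling back to the tunnel-group's default-group-policy when nothing matches. The attribute map, user entries and policy names are constructed; the DN normalisation (case-insensitive, whitespace around separators ignored) and first-match precedence are this model's own assumptions, not a statement of how the ASA compares values, so treat a mismatch it reports as something to confirm with `debug aaa authorization`.

```python
import re

# Constructed attribute map in ASA CLI syntax, modelled on the maps posted in this thread.
SAMPLE_MAP = """\
ldap attribute-map TEST-group-assign
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN_SSL_Base,OU=VPN,OU=Groups,DC=fqdn,DC=local GPO-AAD-TEST2
 map-value memberOf CN=VPN_Admins,OU=VPN,OU=Groups,DC=fqdn,DC=local GPO-ADMIN
"""

# Constructed LDAP entry as the ASA might receive it; attribute names are lower-cased
# here because LDAP attribute names are case-insensitive.
SAMPLE_USER = {
    "samaccountname": ["rasmus"],
    "memberof": [
        "CN=Domain Users,CN=Users,DC=fqdn,DC=local",
        "cn=vpn_ssl_base, ou=vpn, ou=groups, dc=fqdn, dc=local",
    ],
}


def parse_attribute_map(text):
    """Parse map-name/map-value lines into {ldap_attr: {"cisco": name, "values": {dn: policy}}}.

    map-value syntax is: map-value <ldap-attr> <ldap-value> <cisco-value>. The ldap-value
    is taken as everything between the attribute and the last token, so DNs containing
    spaces survive; ASA quoting rules are not modelled (assumption)."""
    maps = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "map-name" and len(parts) == 3:
            maps.setdefault(parts[1].lower(), {"cisco": None, "values": {}})["cisco"] = parts[2]
        elif parts[0] == "map-value" and len(parts) >= 4:
            spec = maps.setdefault(parts[1].lower(), {"cisco": None, "values": {}})
            spec["values"][" ".join(parts[2:-1])] = parts[-1]
    return maps


def normalize_dn(dn):
    """Canonicalise a DN for comparison: drop spaces around ',' and '=', lower-case."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def evaluate(attr_map, ldap_entry, default_policy):
    """Return (group_policy, matched_dn) for one user, or the default when nothing matches.

    Only map-name entries targeting Group-Policy are considered. First matching memberOf
    value in returned order wins (assumption; precedence on a real ASA is not covered here)."""
    for ldap_attr, spec in attr_map.items():
        if spec["cisco"] != "Group-Policy":
            continue
        wanted = {normalize_dn(dn): policy for dn, policy in spec["values"].items()}
        for dn in ldap_entry.get(ldap_attr, []):
            policy = wanted.get(normalize_dn(dn))
            if policy is not None:
                return policy, dn
    return default_policy, None


if __name__ == "__main__":
    amap = parse_attribute_map(SAMPLE_MAP)
    print(evaluate(amap, SAMPLE_USER, "NoAccess"))
    print(evaluate(amap, {"memberof": ["CN=Staff,DC=fqdn,DC=local"]}, "NoAccess"))
```

If the model assigns the expected policy but the ASA does not, the remaining variables are the ones the thread already identifies: whether the authorization server group is attached to the tunnel-group, whether the user lookup found an entry at all, and whether the map is attached to the aaa-server host.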