AnyConnect SAML Auth Yielding "Wrong URL" Error

CiscoMedMed
Level 1

I am trying to set up SAML for authentication to one of my ASAs. In order to not interfere with the current AnyConnect authentication I created a "group URL" - www.acme.com/SAML to trigger the new connection profile. Then within the SSO and SAML parameters I have tried making the base URL (https) www.acme.com/SAML.

Then if I try to connect to www.acme.com/SAML a browser window starts to open as if it's going to succeed. But then it shows the error "wrong URL". Can someone give some insight as to what the base URL should be in my case where I'm trying to differentiate this traffic with a group URL before making it the default www.acme.com? Any tips to troubleshoot? I have another ASA that is working for SAML to Azure but it doesn't have a group URL involved. So I'm suspecting there's something in that that's causing the problem.

Accepted Solution

jeremy.giacobbe
Level 1

Came across your post because I get a message that says "wrong URL" when I set up my 2nd SAML authenticated tunnel group.

Base URL should just be the URL of your ASA. So in the example you have given above, the base URL in the ASA CLI config should just be www.acme.com assuming www.acme.com resolves to an interface on your ASA.


8 Replies


Great - I'll give that a try.

The result of removing the /SAML is that the browser window pops up but now a message "Can't reach this page. Make sure https://https is correct." appears. I went back to Edit SSO Server parameters to make sure I didn't somehow include an https:// prefix in Sign in, Sign out or Base URL nor in the IDP Entity ID. No double dipping.

ASA01/sec/act# sho run | i ows
saml idp https://sts.windows.net/88888166-f247-4dee-a6f9-XXXXXXXX
saml identity-provider https://sts.windows.net/88888166-f247-4dee-a6f9-XXXXXXXX

ASA01/sec/act# sho run | i micro
server-type microsoft
url sign-in https://login.microsoftonline.com/88888166-f247-4dee-a6f9-XXXXXXXXsaml2
url sign-out https://login.microsoftonline.com/88888166-f247-4dee-a6f9-XXXXXXXXsaml2

ASA01/sec/act# sho run | i www.acme
base-url https://www.acme.com
group-url https://www.acme.com/SAML enable

But it's still a big help to have verification that the base URL should just be the URL of the ASA itself.


CiscoMedMed
Level 1

I removed the SAML Identity Provider info in ASDM and recreated it. Now the MFA request is getting to Azure. 
But the authentication failed due to retrieval of single sign on cookie. 

The sign in cookie thing feels familiar but I don't remember the fix fully. In Azure do you have your reply URL correct? Actually, I am guessing you are using Azure.

Reply URL needs to end with +CSCOE+/saml/sp/acs?tgname=<tunnel-group name>

So in your example https://www.acme.com/+CSCOE+/saml/sp/acs?tgname=SAML

I think I got that error a bunch when I first set up SAML on an ASA and I did not have the proper reply URL. I could be misremembering the error though.

The "Reply URL" refers to what is sent back from Azure to the ASA, correct? I don't see anything called "Reply URL" within the ASA so I'm assuming that's the case.

Correct, the reply URL is the URL the SAML provider uses to redirect back to the ASA after authentication. It is configured at the IdP.
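The two config rules discussed in this thread (base-url is only the ASA's own URL, and the IdP reply URL is base-url plus +CSCOE+/saml/sp/acs?tgname=<tunnel-group>) are easy to get wrong by hand. The following is an added example, not Cisco's code or anything posted in the thread: it parses the relevant `show run` lines, flags a base-url that carries a path (the original "wrong URL" misconfiguration), and derives the reply URL Azure should be given for each tunnel group that has a group-url. The sample config is reconstructed from the thread with the tenant id replaced by a placeholder, and the tunnel-group name "SAML" is assumed, as the reply above assumed it.

```python
"""Sanity-check ASA SAML base-url / group-url and derive the IdP reply URL.
Added example; not Cisco code.  ACS path taken from the thread."""
import re
from urllib.parse import urlparse, quote

# ASA's SAML SP assertion-consumer path, as quoted in the thread.
ACS_PATH = "/+CSCOE+/saml/sp/acs"

# Constructed sample of the 'show run' fragments from the thread
# (<tenant-id> is a placeholder; the tunnel-group name "SAML" is assumed).
SAMPLE_CONFIG = """\
saml idp https://sts.windows.net/<tenant-id>
 url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
 url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
 base-url https://www.acme.com
tunnel-group SAML webvpn-attributes
 group-url https://www.acme.com/SAML enable
"""


def parse_asa_saml(config_text):
    """Pull base-url and group-urls (keyed by tunnel-group name) out of config text."""
    cfg = {"base_url": None, "group_urls": {}}
    current_tg = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel-group (\S+)", line)
        if m:                       # remember which tunnel-group we are under
            current_tg = m.group(1)
            continue
        m = re.match(r"base-url (\S+)", line)
        if m:
            cfg["base_url"] = m.group(1)
            continue
        m = re.match(r"group-url (\S+)", line)
        if m and current_tg:
            cfg["group_urls"].setdefault(current_tg, []).append(m.group(1))
    return cfg


def check_base_url(base_url):
    """Return a list of findings; an empty list means base-url looks right."""
    findings = []
    u = urlparse(base_url)
    if u.scheme != "https":
        findings.append(f"scheme is '{u.scheme}', expected https")
    if not u.netloc:
        findings.append("no hostname: base-url must be an absolute URL")
    if u.path not in ("", "/"):
        # This is the misconfiguration behind the "wrong URL" error in the thread.
        findings.append(f"base-url carries a path '{u.path}'; it must be only the "
                        "ASA's URL, the path belongs on the tunnel-group's group-url")
    if u.query or u.fragment:
        findings.append("base-url must not carry a query string or fragment")
    return findings


def reply_url(base_url, tunnel_group):
    """Reply URL (ACS) to register at the IdP for one tunnel group."""
    root = base_url.rstrip("/")
    return f"{root}{ACS_PATH}?tgname={quote(tunnel_group, safe='')}"


def expected_reply_urls(config_text):
    """Map each tunnel group that has a group-url to the reply URL the IdP needs."""
    cfg = parse_asa_saml(config_text)
    return {tg: reply_url(cfg["base_url"], tg) for tg in cfg["group_urls"]}


if __name__ == "__main__":
    for bad in ("https://www.acme.com/SAML", "www.acme.com"):
        print(bad, "->", check_base_url(bad))
    print(expected_reply_urls(SAMPLE_CONFIG))
```

Run it against a pasted `show run | i base-url|group-url|tunnel-group` capture; any non-empty finding list from `check_base_url` is worth fixing before touching the IdP side, and the derived reply URL should match character for character what is registered in the Azure enterprise application.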

debug webvpn ssl is showing a signature mismatch issue. Something with the cert - or the import method perhaps?

[SAML] consume_assertion:
PHNhbWxwOlJlc3Bvb....ybWF0aW9uRGF0YSBJblJlc3B
Jul 15 12:28:26 [Lasso] func=xmlSecOpenSSLEvpSignatureVerify:file=/local/jenkins/workspace/fxplatform/Builds/release__2.6.1_fcs_hammersmith/build-smp-compile/fxos/linux/wrlinux/bitbake_build/tmp/work/corei7-64-wrs-linux/xmlsec1/1.2.20-r1/xmlsec1-1.2.20/src/openssl/signatures.c:line=493:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

Jul 15 12:28:26 [SAML] consume_assertion: Failed to verify signature.
Jul 15 12:28:26
[SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed
SAML AUTH: SAML hash table cleanup periodic task
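The debug output above is dense, and the useful line (the xmlsec "signature do not match" from Lasso) is buried before the generic "assertion validation failed" summary. As an added example that is not part of the thread or any Cisco tool, here is a small triage script that parses ASA SAML debug lines into timestamped events and tags the two failure modes seen in this thread: a signature that does not verify against the IdP certificate the ASA holds in its trustpoint, and the single sign-on cookie failure that the earlier reply associated with a wrong reply URL. The sample lines are constructed to mirror the pasted output, with the assertion body and build path shortened; the hint text summarizes the thread's own suggestions.

```python
"""Triage ASA 'debug webvpn saml' style output.  Added example, not Cisco code.
Sample lines are constructed, modeled on the thread's debug output."""
import re

# Constructed sample (assertion body and xmlsec build path shortened).
SAMPLE_DEBUG = """\
Jul 15 12:28:26 [Lasso] func=xmlSecOpenSSLEvpSignatureVerify:file=src/openssl/signatures.c:line=493:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
Jul 15 12:28:26 [SAML] consume_assertion: Failed to verify signature.
Jul 15 12:28:27 [saml] webvpn_login_primary_username: SAML assertion validation failed
Jul 15 12:29:01 [SAML] consume_assertion: Failed to retrieve single sign on cookie
Jul 15 12:30:00 [SAML] AUTH: SAML hash table cleanup periodic task
"""

# (pattern, category, hint) - first match wins.  Hints restate the thread's advice.
RULES = [
    (re.compile(r"signature do not match|Failed to verify signature", re.I),
     "signature-mismatch",
     "assertion signature did not verify against the IdP certificate held in the ASA "
     "trustpoint; compare that certificate with the signing certificate the IdP "
     "currently uses (re-import it if they differ)"),
    (re.compile(r"single sign.?on cookie", re.I),
     "sso-cookie",
     "check the reply URL registered at the IdP: base-url + "
     "/+CSCOE+/saml/sp/acs?tgname=<tunnel-group> (thread suggestion)"),
    (re.compile(r"assertion validation failed", re.I),
     "assertion-invalid",
     "summary line only; the root cause is in the earlier [Lasso]/[SAML] lines"),
]

# "Jul 15 12:28:26 [Lasso] message..."
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<src>[^\]]+)\] (?P<msg>.*)$")


def parse_debug(text):
    """Turn debug text into a list of event dicts with a category and a hint."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # continuation lines (e.g. base64 assertion)
            continue
        ev = m.groupdict()
        ev["category"], ev["hint"] = "info", ""
        for rx, cat, hint in RULES:
            if rx.search(ev["msg"]):
                ev["category"], ev["hint"] = cat, hint
                break
        events.append(ev)
    return events


def triage(text):
    """Count non-informational events per category, e.g. {'signature-mismatch': 2}."""
    counts = {}
    for ev in parse_debug(text):
        if ev["category"] != "info":
            counts[ev["category"]] = counts.get(ev["category"], 0) + 1
    return counts


def first_hint(text):
    """The hint for the earliest non-info event, which is usually the real cause."""
    for ev in parse_debug(text):
        if ev["category"] != "info":
            return ev["category"], ev["hint"]
    return None


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
    print(first_hint(SAMPLE_DEBUG))
```

Because the rules are tried in order and the earliest matching event is reported first, the xmlsec line wins over the later summary line, which is the ordering a practitioner wants when reading a capture: the Lasso signature error is the actionable item, the "validation failed" line is merely its consequence.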