07-14-2022 02:47 PM
I am trying to set up SAML for authentication to one of my ASAs. In order to not interfere with the current AnyConnect authentication I created a "group URL" - www.acme.com/SAML to trigger the new connection profile. Then within the SSO and SAML parameters I have tried making the base URL (https) www.acme.com/SAML.
Then If I try to connect to www.acme.com/SAML a browser window starts to open as if it's going to succeed. But then it shows the error "wrong URL". Can someone give some insight as to what the base URL should be in my case where I'm trying to differentiate this traffic with a group URL before making it the default www.acme.com? Any tips to troubleshoot? I have another ASA that is working for SAML to Azure but it doesn't have a group URL involved. So I'm suspecting there's something in that that's causing the problem.
07-15-2022 08:14 AM
Came across your post because I get a message that says wrong URL when I setup my 2nd SAML authenticated tunnel group.
Base URL should just be the URL of your ASA. So in the example you have given above, the base URL in the ASA CLI config should just be www.acme.com assuming www.acme.com resolves to an interface on your ASA.
07-15-2022 08:58 AM
Great - I'll give that a try.
07-15-2022 09:35 AM
The result of removing the /SAML is that the browser window pops up but now a message "Can't reach this page. Make sure https://https is correct." appears. I went back to Edit SSO Server parameters to make sure I didn't somehow include an https:// prefix in Sign in, Sign out or Base URL nor in the IDP Entity ID. No double dipping.
ASA01/sec/act# sho run | i ows
saml idp https://sts.windows.net/88888166-f247-4dee-a6f9-XXXXXXXX
saml identity-provider https://sts.windows.net/88888166-f247-4dee-a6f9-XXXXXXXX
ASA01/sec/act# sho run | i micro
server-type microsoft
url sign-in https://login.microsoftonline.com/88888166-f247-4dee-a6f9-XXXXXXXXsaml2
url sign-out https://login.microsoftonline.com/88888166-f247-4dee-a6f9-XXXXXXXXsaml2
ASA01/sec/act# sho run | i www.acme
base-url https://www.acme.com
group-url https://www.acme.com/SAML enable
But it's still a big help to have verification that the base URL should just be the URL of the ASA itself.
07-15-2022 09:48 AM
I removed the SAML Identity Provider info in ASDM and recreated it. Now the MFA request is getting to Azure.
But the authentication failed due to retrieval of single sign on cookie.
07-15-2022 10:13 AM
The sign in cookie thing feels familiar but I don't remember the fix fully. In azure do you have your reply URL correct? Actually, I am guessing you are using Azure.
Reply URL needs to end with +CSCOE+/saml/sp/acs?tgname=<tunnel-group name>
So in your example https://www.acme.com/+CSCOE+/saml/sp/acs?tgname=SAML
I think I got that error a bunch when I first set up SAML on an ASA and I did not have the proper reply URL. I could be misremembering the error though.
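Added example, not from anyone in this thread: a small Python check that builds the expected Azure reply URL from the ASA base-url and tunnel-group name exactly as described above, compares it with what is configured at the IdP, and flags a base-url that carries a path (the mistake in the original post). The ACS path +CSCOE+/saml/sp/acs?tgname= is the one quoted in the reply; the function names and the sample values are mine.

```python
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

# ACS (reply) path the ASA exposes for SAML, as quoted in the thread.
ACS_PATH = "/+CSCOE+/saml/sp/acs"


def _split(url: str):
    """Parse a URL, defaulting to https:// when no scheme was given."""
    return urlsplit(url if "://" in url else "https://" + url)


def validate_base_url(base_url: str) -> list[str]:
    """Return a list of problems with an ASA 'base-url' value.

    Per the thread: base-url must be just the ASA's own https URL. A path
    (e.g. /SAML) belongs on the group-url, not here, and produces the
    'wrong URL' error seen in the original post.
    """
    problems = []
    parts = _split(base_url)
    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme!r}")
    if not parts.netloc:
        problems.append("missing hostname")
    if parts.path not in ("", "/"):
        problems.append(
            f"base-url must not carry a path (found {parts.path!r}); "
            "put that on the group-url instead"
        )
    if parts.query or parts.fragment:
        problems.append("base-url must not carry a query or fragment")
    return problems


def expected_acs_url(base_url: str, tunnel_group: str) -> str:
    """Reply URL Azure must send the SAMLResponse back to, for this tunnel group."""
    host = _split(base_url).netloc.lower()
    return urlunsplit(("https", host, ACS_PATH, "tgname=" + quote(tunnel_group, safe=""), ""))


def reply_url_matches(reply_url: str, base_url: str, tunnel_group: str) -> bool:
    """Compare the IdP-side reply URL with what the ASA expects.

    Scheme and host compare case-insensitively; path and query must match exactly.
    """
    want = urlsplit(expected_acs_url(base_url, tunnel_group))
    got = urlsplit(reply_url)
    return (
        got.scheme.lower() == want.scheme
        and got.netloc.lower() == want.netloc
        and got.path == want.path
        and parse_qs(got.query) == parse_qs(want.query)
    )


if __name__ == "__main__":
    # Sample values constructed from the thread: base-url with the stray path,
    # the corrected base-url, and a tunnel group named SAML.
    for candidate in ("https://www.acme.com/SAML", "https://www.acme.com"):
        print(candidate, "->", validate_base_url(candidate) or "ok")
    print("expected reply URL:", expected_acs_url("www.acme.com", "SAML"))
    print("reply URL ok:", reply_url_matches(
        "https://www.acme.com/+CSCOE+/saml/sp/acs?tgname=SAML", "www.acme.com", "SAML"))
```

Run it with the ASA's base-url and tunnel-group name and paste the printed reply URL into the Azure enterprise application's Reply URL field; a mismatch there is one of the usual causes of the "retrieval of single sign on cookie" failure mentioned above.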
07-15-2022 11:32 AM
The "Reply URL" refers to what is sent back from Azure to the ASA, correct? I don't see anything called "Reply URL" within the ASA so I'm assuming that's the case.
07-15-2022 12:04 PM
Correct, the reply URL is the URL the SAML provider uses to redirect back to the ASA after authentication. It is configured at the IdP.
07-15-2022 12:38 PM
debug webvpn ssl is showing a signature mismatch issue. Something with the cert - or the import method perhaps?
[SAML] consume_assertion:
PHNhbWxwOlJlc3Bvb....ybWF0aW9uRGF0YSBJblJlc3B
Jul 15 12:28:26 [Lasso] func=xmlSecOpenSSLEvpSignatureVerify:file=/local/jenkins/workspace/fxplatform/Builds/release__2.6.1_fcs_hammersmith/build-smp-compile/fxos/linux/wrlinux/bitbake_build/tmp/work/corei7-64-wrs-linux/xmlsec1/1.2.20-r1/xmlsec1-1.2.20/src/openssl/signatures.c:line=493:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
Jul 15 12:28:26 [SAML] consume_assertion: Failed to verify signature.
Jul 15 12:28:26
[SAML] consume_assertion:
[saml] webvpn_login_primary_username: SAML assertion validation failed
SAML AUTH: SAML hash table cleanup periodic task
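Added example, not from anyone in this thread: the "data do not match: signature do not match" line above means the ASA could not verify the IdP's signature over the response, and the poster's suspicion is the imported certificate. One quick way to check that theory offline is to take the base64 SAMLResponse the ASA logs under "[SAML] consume_assertion:", pull the X509Certificate out of its ds:KeyInfo, and compare its fingerprint with the certificate installed in the ASA trustpoint used for the IdP. The SAML response and both certificates below are constructed placeholders (the certificate fields hold arbitrary bytes, not real DER), and the function names are mine.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the IdP signing certificate (DER). A real response
# carries an X.509 certificate here; only the bytes matter for fingerprinting.
IDP_CERT_DER = b"CONSTRUCTED-IDP-SIGNING-CERT-DER-BYTES"

# Constructed SAML Response skeleton: only the elements this check reads are
# present, and the SignatureValue is a placeholder, not a real signature.
SAML_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(IDP_CERT_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""

# The browser POSTs the response base64-encoded in the SAMLResponse form field;
# that is the blob the ASA prints after "consume_assertion:".
SAML_RESPONSE_B64 = base64.b64encode(SAML_RESPONSE_XML.encode()).decode()


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex fingerprint of a DER certificate (sha256 by default, sha1 also usable)."""
    return hashlib.new(algo, der).hexdigest()


def signing_certs(saml_response_b64: str) -> list[bytes]:
    """Return every DER certificate embedded in ds:KeyInfo of the response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    certs = []
    for el in root.iterfind(".//ds:X509Certificate", NS):
        b64 = "".join((el.text or "").split())  # drop PEM-style line wrapping
        certs.append(base64.b64decode(b64))
    return certs


def signing_cert_fingerprints(saml_response_b64: str, algo: str = "sha256") -> list[str]:
    return [fingerprint(c, algo) for c in signing_certs(saml_response_b64)]


def cert_matches_trustpoint(saml_response_b64: str, trusted_der: bytes) -> bool:
    """True when the certificate the IdP signed with is one the SP (ASA) trusts."""
    return fingerprint(trusted_der) in signing_cert_fingerprints(saml_response_b64)


if __name__ == "__main__":
    # Constructed 'stale' certificate standing in for an outdated trustpoint import.
    stale_der = b"CONSTRUCTED-STALE-TRUSTPOINT-CERT-DER-BYTES"
    print("IdP signing cert sha256:", signing_cert_fingerprints(SAML_RESPONSE_B64))
    print("matches current trustpoint:", cert_matches_trustpoint(SAML_RESPONSE_B64, IDP_CERT_DER))
    print("matches stale trustpoint:  ", cert_matches_trustpoint(SAML_RESPONSE_B64, stale_der))
```

If the fingerprint of the certificate inside the response differs from the one the ASA trusts, re-import the current IdP signing certificate (Azure rotates it, and a tenant can have more than one); if they match, the signature problem lies elsewhere, for instance in a response that was altered in transit or canonicalized differently than it was signed.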