Anyconnect SAML with IP address for configuration base-url

jewfcb001 (Level 4)

Hi All,

I am trying to configure SAML authentication for AnyConnect, but in the webvpn SAML configuration I set the firewall's IP address, and I found that after the redirect the certificate cannot be trusted.

I'm not sure whether this configuration works when an IP address is used for the base-url.

Please help me.

webvpn
saml idp https://sts.windows.net/xxxxxxxxxxxxx/ - [Azure AD Identifier] 
url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2 - [Login URL] 
url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 – [Logout URL] – 
trustpoint idp AzureAD-AC-SAML - [IdP Trustpoint]
trustpoint sp ASA-EXTERNAL-CERT - [SP Trustpoint]
no force re-authentication
no signature
base-url https://ip-address

1 Accepted Solution

You generally need to use a CA-signed certificate from a well-known public CA on the ASA end for SAML since Azure needs to trust the issuing CA.

12 Replies

balaji.bandi (Hall of Fame)

Because it has a self-signed certificate, that complaint is expected. If this is public facing, I would suggest using a proper certificate to avoid the security risk.

I suggest using an FQDN rather than an IP address (a while back I tested using an FQDN and it works as expected).

You can check some logs and debugs here:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi
We meet again. Thank you for the answer. I think so too. I will update the customer to use an FQDN.

@balaji.bandi

Hi Balaji,

I tried to configure base-url https://FQDN but still found the issue that the certificate is not trusted. Please advise.

Is this cert generated by a local PKI or a public PKI?

If it is a local one, you need to add the root cert to the browser.

BB

@balaji.bandi 

Trustpoint idp (I use the cert from Azure).

Trustpoint sp (I use the ASDM certificate). I'm not sure whether this is correct or not.

You generally need to use a CA-signed certificate from a well-known public CA on the ASA end for SAML since Azure needs to trust the issuing CA.
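The thread comes down to two separate checks a client performs on the SP certificate after the IdP redirect: the base-url host has to be covered by the certificate's SubjectAltName (an IP address needs an "IP Address" SAN entry, an FQDN needs a "DNS" entry), and the certificate has to chain to a CA the client already trusts, which is why a self-signed ASA cert only works once that cert is installed as a root on the client. The script below is an added example, not code from this thread, Cisco or Azure; the certificate dictionaries are constructed samples in the shape Python's ssl.getpeercert() returns, and the hostnames, IP address and CA name are placeholders.

```python
"""Check an AnyConnect SAML base-url against the SP certificate the ASA presents."""
import ipaddress
import socket
import ssl
from urllib.parse import urlparse

# Constructed samples (not real certificates). Shape mirrors what
# ssl.SSLSocket.getpeercert() returns for a verified peer.
SELF_SIGNED_FQDN_CERT = {
    "subject": ((("commonName", "asa.example.test"),),),
    "issuer": ((("commonName", "asa.example.test"),),),
    "subjectAltName": (("DNS", "asa.example.test"),),
}
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "vpn.example.test"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "vpn.example.test"), ("IP Address", "203.0.113.10")),
}


def _cn(name):
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def san_matches(cert, host):
    """True if host is covered by the certificate's SubjectAltName."""
    wanted = "IP Address" if is_ip(host) else "DNS"
    for kind, value in cert.get("subjectAltName", ()):
        if kind != wanted:
            continue
        if wanted == "IP Address":
            if ipaddress.ip_address(value) == ipaddress.ip_address(host):
                return True
        elif value.lower() == host.lower():
            return True
        elif (value.startswith("*.") and host.count(".") == value.count(".")
              and host.lower().endswith(value[1:].lower())):
            return True  # single-label wildcard such as *.example.test
    return False


def assess(base_url, cert, trusted_issuers=frozenset()):
    """Return the reasons a client would reject base_url with this certificate.

    An empty list means the base-url host is covered by the SAN and the issuer is
    one the client trusts (trusted_issuers stands in for the client's root store).
    """
    parsed = urlparse(base_url)
    host = parsed.hostname or ""
    findings = []
    if parsed.scheme != "https":
        findings.append("base-url must use https")
    if not san_matches(cert, host):
        sans = ", ".join(f"{k}:{v}" for k, v in cert.get("subjectAltName", ()))
        findings.append(f"name mismatch: {host} is not in SAN [{sans}]")
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed: install this certificate as a trusted root on the client")
    elif _cn(cert["issuer"]) not in trusted_issuers:
        findings.append(f"issuer '{_cn(cert['issuer'])}' is not in the client's trust store")
    return findings


def live_check(base_url, timeout=5.0):
    """Connect to base_url using the system trust store and return assess() findings.

    Network helper for a lab ASA; the stand-alone demo below does not call it.
    A handshake that passes verification proves the chain is trusted, so the
    issuer is handed to assess() as trusted and only the name check remains.
    """
    parsed = urlparse(base_url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return assess(base_url, cert, {_cn(cert["issuer"])})
    except ssl.SSLCertVerificationError as exc:
        return [f"client rejected the certificate: {exc.verify_message}"]


if __name__ == "__main__":
    for url, cert in [("https://203.0.113.10", SELF_SIGNED_FQDN_CERT),
                      ("https://asa.example.test", SELF_SIGNED_FQDN_CERT),
                      ("https://vpn.example.test", PUBLIC_CA_CERT)]:
        print(url, assess(url, cert, {"Example Public CA"}) or ["OK"])
```

Running the demo shows the three situations from the thread in order: an IP base-url against a cert that only carries a DNS name fails both checks, switching to the FQDN leaves only the self-signed trust problem, and a public-CA cert whose SAN covers the name passes. The trust check is the one the accepted answer addresses; the name check is why changing base-url alone did not fix the original poster's error.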

@Marvin Rhoads 

Thank you for the answer. SAML needs a certificate that the client trusts.

jewfcb001 (Level 4)

@balaji.bandi 

Hi Balaji

If I test in my lab, can I export the self-signed certificate from the ASA and install it on the client, in case the certificate is not signed by an enterprise CA?

As long as the end device has that root cert installed, it should not complain.

BB

jewfcb001 (Level 4)

Thank you for all the answers. After I installed the certificate for the client to trust, it's working fine.

After I installed the certificate for the client to trust, it's working fine.

That is what we suggested before as well, right? Anyway, glad you were able to fix the issue.

BB

@balaji.bandi 

Answer by Marvin