12-13-2022 11:05 PM
Hi All
I am trying to configure SAML for authentication with AnyConnect, but under the webvpn SAML configuration
I configured the base-url with the IP of the firewall, and I found an issue: after the redirect, the certificate cannot be trusted.
I'm not sure whether this configuration works if I use an IP address for the base-url.
Please help me.
webvpn
 saml idp https://sts.windows.net/xxxxxxxxxxxxx/ - [Azure AD Identifier]
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2 - [Login URL]
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 - [Logout URL]
  trustpoint idp AzureAD-AC-SAML - [IdP Trustpoint]
  trustpoint sp ASA-EXTERNAL-CERT - [SP Trustpoint]
  no force re-authentication
  no signature
  base-url https://ip-address
12-13-2022 11:47 PM
Because it is self-signed, it complains as expected. If this is public facing, I would suggest using a proper cert to avoid the security risk.
I suggest using an FQDN rather than an IP address. (A while back I tested using an FQDN and it worked as expected.)
You can check some logs and debug:
12-14-2022 12:34 AM
@balaji.bandi
We meet again. Thank you for the answer. I think so. I will update the customer to use an FQDN.
12-23-2022 03:45 PM - edited 12-23-2022 03:45 PM
Hi Balaji
I tried to configure base-url https://FQDN but still found the issue that the certificate is not trusted. Please suggest.
12-23-2022 04:38 PM
Is this cert generated by a local PKI or a public PKI?
If it is a local one, you need to add the root cert to the browser.
12-23-2022 04:55 PM
Trustpoint idp (I use the cert from Azure)
Trustpoint sp (I use the ASDM certificate). I'm not sure whether this is correct or not.
12-27-2022 05:23 AM
You generally need to use a CA-signed certificate from a well-known public CA on the ASA end for SAML since Azure needs to trust the issuing CA.
12-27-2022 07:06 PM
Thank you for the answer. SAML needs a certificate for trust with the client.
12-26-2022 04:31 AM
Hi Balaji
If I test in my lab, can I export the self-signed certificate from the ASA and install it on the client, in case the certificate is not signed by an enterprise CA?
12-26-2022 05:01 AM
As long as the end device has that root cert installed, it should not complain.
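As an added illustration (not code from any post in this thread, nor from Cisco or Microsoft), here is the check a browser effectively performs on the target of the SAML redirect, applied to the advice above: the host in base-url must appear in the SP certificate's Subject Alternative Names (an FQDN matches a DNS SAN, a bare IP only matches an IP SAN), and the issuer must be one the client trusts, either a public CA or, for a lab, a self-signed/local root you have installed on the client. The certificate records and the trusted-root set below are constructed sample data; the ASA's real certificates are not parsed here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates (not real ASA or Azure certs): only the
# fields that matter for the base-url trust check are modelled.
SELF_SIGNED_ASDM = {           # default ASDM self-signed cert: no SANs at all
    "subject_cn": "ASA Temporary Self Signed Certificate",
    "issuer_cn": "ASA Temporary Self Signed Certificate",
    "san_dns": [], "san_ip": [],
}
PUBLIC_CA_CERT = {             # cert issued by a public CA for the VPN FQDN
    "subject_cn": "vpn.example.com",
    "issuer_cn": "Example Public CA",
    "san_dns": ["vpn.example.com"], "san_ip": [],
}
LAB_SELF_SIGNED = {            # lab cert: self-signed but with a proper DNS SAN
    "subject_cn": "vpn.lab.example",
    "issuer_cn": "vpn.lab.example",
    "san_dns": ["vpn.lab.example"], "san_ip": [],
}
PUBLIC_ROOTS = {"Example Public CA"}   # constructed stand-in for the client's root store

NOT_HTTPS = "base-url scheme is not https"
HOST_MISMATCH = "base-url host is not in the certificate SANs"
UNTRUSTED_ISSUER = "certificate issuer is not trusted by the client"


def _dns_match(pattern, host):
    """RFC 6125-style name comparison: case-insensitive, wildcard allowed
    only as the whole leftmost label and only for the same label count."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def host_matches_cert(base_url, cert):
    """True if the base-url host is covered by a DNS SAN (for names) or an
    IP SAN (for literal addresses). A bare IP never matches a DNS SAN."""
    host = urlsplit(base_url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(p, host) for p in cert["san_dns"])
    return any(ipaddress.ip_address(s) == ip for s in cert["san_ip"])


def check_base_url(base_url, cert, trusted_issuers):
    """Return the reasons (possibly none) a client would reject the redirect."""
    problems = []
    if urlsplit(base_url).scheme != "https":
        problems.append(NOT_HTTPS)
    if not host_matches_cert(base_url, cert):
        problems.append(HOST_MISMATCH)
    # Simplification: trust is modelled by issuer CN membership in the root
    # store; a real client walks the chain and checks signatures and validity.
    if cert["issuer_cn"] not in trusted_issuers:
        problems.append(UNTRUSTED_ISSUER)
    return problems


if __name__ == "__main__":
    cases = [
        ("https://192.0.2.10", SELF_SIGNED_ASDM, PUBLIC_ROOTS),          # the original setup
        ("https://vpn.example.com", PUBLIC_CA_CERT, PUBLIC_ROOTS),       # FQDN + public CA
        ("https://vpn.lab.example", LAB_SELF_SIGNED, PUBLIC_ROOTS),      # lab, root not installed
        ("https://vpn.lab.example", LAB_SELF_SIGNED,
         PUBLIC_ROOTS | {"vpn.lab.example"}),                            # lab, root installed
    ]
    for url, cert, roots in cases:
        print(url, "->", check_base_url(url, cert, roots) or "OK")
```

The first case reproduces the thread's symptom twice over: an IP in base-url cannot match a DNS SAN, and the ASDM self-signed issuer is not in the client's root store. Switching to an FQDN fixes the first problem only if the SP trustpoint certificate actually carries that name; the second is fixed either by a public-CA certificate or, for a lab, by installing the self-signed root on the client.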
12-27-2022 07:05 PM
Thank you for all the answers. After I tried the certificate for client trust, it's working fine.
12-29-2022 12:31 AM
After I tried the certificate for client trust, it's working fine.
This is what we suggested before too, right? Anyway, glad you were able to fix the issue.