09-26-2023 01:17 AM
Hi All,
I found information that I can deploy multiple tunnel groups, but I'm confused about the configuration under webvpn.
What is the attribute for saml idp / url sign-in / url sign-out? Because I have multiple Azure apps for SAML authentication.
Please help me.
webvpn
 saml idp https://sts.windows.net/xxxxxxxxxxxxx/   (This is your Azure AD Identifier from the Set up Cisco AnyConnect section in the Azure portal)
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2   (This is your Login URL from the Set up Cisco AnyConnect section in the Azure portal)
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0   (This is the Logout URL from the Set up Cisco AnyConnect section in the Azure portal)
10-02-2023 11:25 PM - edited 10-02-2023 11:27 PM
@Milos_Jovanovic Please help check my understanding.
For ASA/FTD, after getting the cert from the CA:
Example
1. Combine Cert
c:\OpenSSL-Win64\bin>openssl pkcs12 -export -out lm.pfx -inkey lm.key -in lm.cer -certfile lm_root.cer
2. Convert the pkcs12 into BASE64
c:\OpenSSL-Win64\bin> openssl base64 -in lm.pfx -out lm_pkcs12.pem
and use lm_pkcs12.pem to install on the ASA side?
For Azure
Can I use the cert from Step 1 (lm.pfx) to install on the Azure side?
10-02-2023 11:35 PM
For ASA/FTD, you only need lm.cer and lm_root.cer. No private key is required on the FW side, as it just needs to validate signed data from the Azure side, so step #2 contains too much information. However, you could import that one too, if it makes it easier for you.
On the Azure side, yes, the data from step #1 is ok. However, I've never used a cert signed by a RootCA for this, it was always the self-signed one, so I have no idea whether it will work like this. You can try and share your experience.
Kind regards,
Milos
10-03-2023 12:39 AM
@Milos_Jovanovic
For this command "openssl pkcs12 -export -out lm.pfx -inkey lm.key -in lm.cer -certfile lm_root.cer"
If I don't use the -inkey xxx.key option, the command does not work.
10-03-2023 01:00 AM
Why do you need it? If you want to use the certificate and its root, you can simply stack them in Notepad. In Base64 format, keep the certificate on top, and below it add the RootCA, in a single file. Something like:
Kind regards,
Milos
10-03-2023 01:19 AM
@Milos_Jovanovic
Oh!! I'm clear. Thank you so much.
10-03-2023 01:58 AM
@Milos_Jovanovic
I have a small question. I tried to convert the .cer files to .pem (root cert and cert from the CA) and install them on the ASA via CLI, but it is not working.
What is the root cause?
10-03-2023 02:08 AM
How are you installing it? Try using "crypto ca authenticate TrustPointName".
Kind regards,
Milos
10-03-2023 02:22 AM
@Milos_Jovanovic
I tried to use the CLI command and had to combine the cert + private key first, and the root; it's working fine. Is it the first CSR or not? But when I try without the key option I cannot generate a CSR.
openssl req -new -sha256 -out request.csr -newkey rsa:2048 -keyout privatekey.key -config req.cnf
-----BEGIN PKCS12-----
cert+key
-----END PKCS12-----
-----BEGIN PKCS12-----
root
-----END PKCS12-----
10-03-2023 02:49 AM
Not sure I'm following... If you are following my advice, then you don't need PKCS12 there. On ASA, you need only certificate (plus chain) in Base64 (like PEM), and not private key. If you are importing just that one, then you should use something like this:
crypto ca trustpoint Microsoft.Azure
enrollment terminal
no ca-check
!
crypto ca authenticate Microsoft.Azure
!
You don't need to use "crypto ca import" command. If you however want to import private key, then you need PKCS with certificate and key.
CSR is just signing request, and you do not use it when combining cert for ASA (once CSR is signed, it becomes cert).
Kind regards,
Milos
10-04-2023 09:45 PM
@Milos_Jovanovic
Okay, I got your point. For the SP trustpoint, can I use the same procedure?
10-04-2023 10:42 PM
For the SP part you need to go with the "import X pkcs12" option, as that one must contain the identity certificate along with the private key (this is how ASA/FTD presents itself to the outside world).
Kind regards,
Milos
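An added worked example (my own shell script, not from the thread or from Cisco) covering both bundles Milos describes above: the certificate-plus-root PEM for the IdP trustpoint (no private key, loaded with "crypto ca authenticate"), and the PKCS12-plus-Base64 for the SP trustpoint (key included, loaded with "crypto ca import ... pkcs12"). It generates a throwaway root CA and a root-signed identity certificate locally so it runs offline; the lm.* file names follow the thread, while the WORK directory, the subject names and the passphrase "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): build the two bundles
# discussed in the thread.
#   1) IdP trustpoint: identity cert on top, root CA below, Base64/PEM, no key
#      -> "enrollment terminal" + "crypto ca authenticate <tp>"
#   2) SP trustpoint: PKCS12 (key + cert + root), Base64-encoded
#      -> "crypto ca import <tp> pkcs12 <passphrase>"
# The root CA and identity cert are throwaway test data generated here; the
# lm.* names follow the thread, WORK and the passphrase are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway PKI: self-signed root, then a root-signed identity cert (test data).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test Root" \
        -keyout "$WORK/lm_root.key" -out "$WORK/lm_root.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn.example.test" \
        -keyout "$WORK/lm.key" -out "$WORK/lm.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/lm.csr" -CA "$WORK/lm_root.cer" \
        -CAkey "$WORK/lm_root.key" -CAcreateserial -days 2 -sha256 \
        -out "$WORK/lm.cer" 2>/dev/null
}

# IdP side: just stack the PEM files, certificate first, root CA after it.
# No private key belongs in this file.
build_idp_bundle() {
    cat "$WORK/lm.cer" "$WORK/lm_root.cer" > "$WORK/lm_idp_chain.pem"
    echo "$WORK/lm_idp_chain.pem"
}

# SP side: PKCS12 with key + cert + root (the step that needs -inkey), then
# Base64 so the blob can be pasted at the terminal prompt.
build_sp_pkcs12() {
    openssl pkcs12 -export -out "$WORK/lm.pfx" -inkey "$WORK/lm.key" \
        -in "$WORK/lm.cer" -certfile "$WORK/lm_root.cer" -passout "pass:$1"
    openssl base64 -in "$WORK/lm.pfx" -out "$WORK/lm_pkcs12.pem"
    echo "$WORK/lm_pkcs12.pem"
}

# Sanity checks to run before pasting anything into the firewall.
bundle_has_no_private_key() { ! grep -q "PRIVATE KEY" "$1"; }
bundle_cert_count()         { grep -c "BEGIN CERTIFICATE" "$1"; }
chain_verifies()            { openssl verify -CAfile "$WORK/lm_root.cer" "$WORK/lm.cer" >/dev/null 2>&1; }
pkcs12_has_key()            { openssl pkcs12 -in "$WORK/lm.pfx" -nocerts -nodes -passin "pass:$1" 2>/dev/null | grep -q "PRIVATE KEY"; }
pkcs12_cert_count()         { openssl pkcs12 -in "$WORK/lm.pfx" -nokeys -passin "pass:$1" 2>/dev/null | grep -c "BEGIN CERTIFICATE"; }

# Stand-alone run: build both bundles and report where they landed.
make_test_pki
IDP=$(build_idp_bundle)
SP=$(build_sp_pkcs12 "changeit")
bundle_has_no_private_key "$IDP" && chain_verifies && pkcs12_has_key "changeit" \
    && echo "IdP bundle: $IDP ($(bundle_cert_count "$IDP") certs, no key)" \
    && echo "SP  bundle: $SP (Base64 PKCS12, key included)"
```

On the ASA, lm_idp_chain.pem is what gets pasted after "crypto ca authenticate Microsoft.Azure" on a trustpoint configured with "enrollment terminal", and lm_pkcs12.pem is what gets pasted after "crypto ca import <sp-trustpoint> pkcs12 changeit". The checks matter in both directions: a private key that slips into the IdP bundle is a key leak onto a device that has no use for it, and a PKCS12 that is missing the key will never let the firewall sign as the SP.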
10-04-2023 11:12 PM
@Milos_Jovanovic
Thank you so much for the good advice.