Anyconnect VPN SAML SSO with Multi-Tunnel Groups

jewfcb001
Level 4

Hi all,
I found information on deploying multiple tunnel groups, but I am confused about the configuration under webvpn:
what are the attributes for saml idp / url sign-in / url sign-out, given that I have multiple Azure apps for SAML authentication?
Please help me.
webvpn
 saml idp https://sts.windows.net/xxxxxxxxxxxxx/ (This is your Azure AD Identifier from the Set up Cisco AnyConnect section in the Azure portal)
 url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2 (This is your Login URL from the Set up Cisco AnyConnect section in the Azure portal)
 url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 (This is Logout URL from the Set up Cisco AnyConnect section in the Azure portal)
https://community.cisco.com/t5/security-knowledge-base/anyconnect-vpn-saml-sso-with-azure-idp-multi-tunnel-groups/ta-p/4563095


26 Replies

jewfcb001
Level 4

Please help me. 

Milos_Jovanovic
VIP Alumni

Hi @jewfcb001,

These parameters are basic parameters for setting up SSO. You get them from your Azure app, and they basically represent your tenant ID. You can find an explanation in this Cisco document, as well as in the Microsoft document. Please note that the sign-out URL should be copied from the app itself, as the one described in the Cisco document is outdated. These parameters are used globally, for all tunnel groups.

On the other end, each tunnel-group represents a unique application and requires a unique Reply URL to which the assertion will be sent back.

Kind regards,

Milos

Hi @Milos_Jovanovic,
Thank you for the response. You mean the parameters "saml idp / url sign-in / url sign-out". Can I choose some application to configure under webvpn? Because tunnel-groups are separated by Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL). Is my understanding correct? Before, I thought "saml idp / url sign-in / url sign-out" were unique per application.

Thank you so much for answer. 

No, you don't configure unique applications as such under webvpn. Under the webvpn section, you configure global parameters (and under the tunnel group too). Applications are configured only on the Azure side, and they reflect different tunnel-groups (consider them as applications on the ASA side). Each tunnel-group has a unique Entity ID and Reply URL.

Kind regards,

Milos
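The split described in the two replies above, as an added example (not from the thread or from Cisco): one global saml idp block under webvpn, one tunnel-group per Azure app, and the per-tunnel-group Identifier (Entity ID) and Reply URL that each Azure app must be given. The ASA command syntax follows Cisco's published Azure SAML deployment guide; vpn.example.com, the tunnel-group names, the all-zero tenant ID and the ASA-OUTSIDE-CERT trustpoint are placeholders.

```shell
#!/bin/sh
# Added example: derive the per-tunnel-group SP values for each Azure app
# and render the matching ASA config. Placeholders throughout.
set -eu

# Identifier (Entity ID) entered in the Azure app for one tunnel-group.
sp_entity_id() {  # $1 = ASA FQDN, $2 = tunnel-group name
  printf 'https://%s/saml/sp/metadata/%s\n' "$1" "$2"
}

# Reply URL (Assertion Consumer Service URL) for the same tunnel-group.
sp_acs_url() {  # $1 = ASA FQDN, $2 = tunnel-group name
  printf 'https://%s/+CSCOE+/saml/sp/acs?tgname=%s\n' "$1" "$2"
}

# The IdP block under webvpn is written once, for all tunnel-groups; each
# tunnel-group then only points at that IdP. Copy the sign-out URL from the
# Azure app itself, as the reply notes, rather than from older documents.
render_asa_saml_config() {  # $1 = tenant ID, $2 = ASA FQDN, $3... = tunnel-groups
  tenant=$1; fqdn=$2; shift 2
  cat <<EOF
webvpn
 saml idp https://sts.windows.net/$tenant/
  url sign-in https://login.microsoftonline.com/$tenant/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp ASA-OUTSIDE-CERT
  base-url https://$fqdn
EOF
  for tg in "$@"; do
    cat <<EOF
tunnel-group $tg webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/$tenant/
EOF
  done
}

# Values to type into each Azure app: one app per tunnel-group.
azure_app_values() {  # $1 = ASA FQDN, $2... = tunnel-groups
  fqdn=$1; shift
  for tg in "$@"; do
    printf '%s: Identifier=%s ReplyURL=%s\n' "$tg" \
      "$(sp_entity_id "$fqdn" "$tg")" "$(sp_acs_url "$fqdn" "$tg")"
  done
}

azure_app_values vpn.example.com TG-Staff TG-Contractors
render_asa_saml_config 00000000-0000-0000-0000-000000000000 vpn.example.com TG-Staff TG-Contractors
```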

jewfcb001
Level 4

@Milos_Jovanovic 
Thank you for help. 

Milos_Jovanovic
VIP Alumni

You are welcome.

Just don't forget the certificate part. When creating an Azure app, each app is automatically created with its own certificate. However, on the ASA side, given that the SAML IdP is unique, you can use only one certificate. For that reason, you'll need to create your own certificate (via OpenSSL most often), and then provide it to Azure, to be imported under each app (all Azure VPN apps for the same ASA must use the same certificate).

It is written in the original post you provided; it is just not emphasized enough, in my opinion.

Kind regards,

Milos

@Milos_Jovanovic 
I have a small question about the certificate on Azure. Does this part need to be generated and done on Azure only, and after that, once we get the certificate from Azure, I install it on the ASA? Is that correct?

That is one way of doing it: you create the app on Azure, export the certificate from that app and import it on the ASA. The bad side of this approach is that each app automatically generates its own certificate, and on the ASA, given that you have a single IdP, you can invoke usage of only one certificate.

For that reason, and if you require multiple tunnel-groups to authenticate using SAML, you need to have multiple Azure apps, but the ASA can still support a single certificate for this. In order to mitigate this limitation, you can generate the certificate externally (not rely on the one generated automatically on the Azure side), import that externally generated certificate to the ASA, and also import that externally generated certificate on each Azure app which is used for the different tunnel-groups.

Kind regards,

Milos

@Milos_Jovanovic 
You mean I must generate a CSR from a 3rd party (openssl) and sign it with a certificate authority, or not? In this step, can I use the same certificate as with trustpoint sp?
 trustpoint idp AzureAD-AC-SAML
 trustpoint sp (Trustpoint for SAML Requests - you can use your existing external cert here)

Yes, you must generate the CSR from a 3rd party (such as OpenSSL), and you must sign it, but it doesn't need to be signed by a trusted CA. I generate this as a self-signed certificate where I put the same content as Microsoft does in the auto-generated one. The easiest for you is to create the Azure app, export the cert from it, copy the fields from the original cert, and then generate a self-signed one from OpenSSL with the same content as the original one. After that, go back to Azure and import it.

And yes, you must use this certificate as the IdP certificate under the webvpn section. For the SP certificate, I usually use the same certificate that is placed for AnyConnect, under outside, as this one needs to be signed by a trusted/public CA. Otherwise, SSO redirection is broken.

Kind regards,

Milos

@Milos_Jovanovic 

You mean: download the cert from Azure first to see the parameter fields such as CN, OU, C, etc.? Then sign it with the CA server, import it to Azure, and the same cert can be imported on the ASA? Do I need a root CA?

Yes, download it just to see what is written inside (CN, OU, and similar, but also Key Usage, Extended Key Usage, etc.), and then generate a self-signed cert via OpenSSL. You can find a plethora of articles on how to do it. I personally use:

openssl.exe req -x509 -sha256 -key mykey.key -out mycert.cer -config myconfig.cfg -days 1825

With this, you must modify the config file to have the same parameters as the exported one. There are also single-liner options, without a config file, so feel free to experiment a bit.

Kind regards,

Milos

@Milos_Jovanovic 
Do I need to combine the private key, signed certificate and root CA certificate (chain) into a single PKCS#12 file?

For the ASA/FTD side, you just need to import the certificate. For the Azure side, you'll need to create a PFX containing the private key and certificate.

Kind regards,

Milos
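The certificate workflow from the last few replies as an added OpenSSL script (not the reply author's own script): a self-signed IdP certificate generated from a config file whose subject and extension fields you replace with those copied from the certificate exported from Azure, a PFX (private key plus certificate) for import into every Azure app, and the PEM certificate for the ASA trustpoint. The file names, the placeholder CN, the key usage values and the export password are assumptions.

```shell
#!/bin/sh
# Added example: one externally generated IdP signing cert shared by all
# Azure apps of the same ASA. Replace placeholders with the exported cert's fields.
set -eu

# OpenSSL request config. Subject and extension values are placeholders:
# copy CN/OU/O/C, Key Usage and Extended Key Usage from the Azure-exported cert.
write_idp_cert_config() {  # $1 = config path, $2 = subject CN
  cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_idp
[dn]
CN = $2
[v3_idp]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}

# Self-signed cert plus a fresh private key, mirroring the command in the reply
# but generating the key in the same step. umask 077 keeps the key file private.
generate_idp_cert() {  # $1 = output dir, $2 = config path
  ( umask 077 && openssl req -x509 -sha256 -newkey rsa:2048 -nodes \
      -keyout "$1/idp.key" -out "$1/idp.cer" -config "$2" -days 1825 2>/dev/null )
}

# Azure needs key + cert as a PFX; the password protects the key in transit.
make_azure_pfx() {  # $1 = output dir, $2 = export password
  openssl pkcs12 -export -inkey "$1/idp.key" -in "$1/idp.cer" \
    -out "$1/idp.pfx" -passout "pass:$2"
}

# Thumbprint to compare with what Azure shows after import and with the ASA
# trustpoint (show crypto ca certificates), so all apps use the same cert.
cert_thumbprint() {  # $1 = PEM cert path
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

main() {
  work=$(mktemp -d)
  write_idp_cert_config "$work/idp.cfg" "Placeholder IdP SSO Certificate"
  generate_idp_cert "$work" "$work/idp.cfg"
  make_azure_pfx "$work" "change-me"
  echo "SHA1 thumbprint: $(cert_thumbprint "$work/idp.cer")"
  # ASA/FTD only needs idp.cer, pasted under the AzureAD-AC-SAML trustpoint
  # (crypto ca authenticate AzureAD-AC-SAML); the key never leaves this host.
  echo "PFX for Azure apps: $work/idp.pfx   PEM for ASA: $work/idp.cer"
}
if command -v openssl >/dev/null 2>&1; then main; fi
```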