28737 Views | 5 Helpful | 16 Replies

Anyconnect VPN with SAML Authentication

RedTyson
Level 1

Hi,

I have an issue with the SAML authentication method.

If I try to enter my company via VPN I see this message:

May 09 15:51:53 [Lasso] func=xmlSecOpenSSLEvpSignatureVerify:file=/local/jenkins_engci_sjc/workspace/team_SSP/fxplatform/Builds/release__2.4.1_fcs_greenwich/build-smp-compile/fxos/linux/wrlinux/bitbake_build/tmp/work/corei7-64-wrs-linux/xmlsec1/1.2.20-r1/xmlsec1-1.2.20/src/openssl/signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

May 09 15:51:53 [SAML] consume_assertion: The profile cannot verify a signature on the message

[saml] webvpn_login_primary_username: SAML assertion validation failed.
Without SAML authentication the VPN goes up correctly.

#Config

saml idp IDP_SSO_PRD
url sign-in https://xxx
base-url https://xxx
trustpoint idp saml-trust
trustpoint sp SAML-AUTH
signature rsa-sha256
force re-authentication
Thanks

Accepted Solution


I'll review your files in the coming days.

In the meantime have you opened a tac case with Cisco and/or your saml provider?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

16 Replies


Francesco Molino
VIP Alumni
Hi

This is usually a certificate issue.
Have you verified your certificate? If so, you can try to disable and re-enable the SAML IdP (or reboot the box). I know there was a bug where you needed to do these extra steps to refresh the new changes.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The IDP certificate is trusted.

Must the ASA certificate also be trusted?

Thanks.

The only thing is to create a trustpoint for the SAML provider certificate on the ASA and use it when configuring your ASA.

Which saml provider are you using?
What version of asa are you running?

Here some config examples:
https://community.rsa.com/docs/DOC-99759

https://duo.com/docs/ciscoasa-sso

This is quite straightforward.
Do you have any logs on your provider side?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

My ASA version is 9.10(1)17.

The IDP is SAP NetWeaver 7.3 Java.

The IDP's log says "Login OK", but on the ASA side I always see:

May 13 16:46:04 [Lasso] func=xmlSecOpenSSLEvpSignatureVerify:file=/local/jenkins_engci_sjc/workspace/team_SSP/fxplatform/Builds/release__2.4.1_fcs_greenwich/build-smp-compile/fxos/linux/wrlinux/bitbake_build/tmp/work/corei7-64-wrs-linux/xmlsec1/1.2.20-r1/xmlsec1-1.2.20/src/openssl/signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

I looked at the SAML guide and it seems easy to configure, but I cannot understand what I am missing.

 

Can you run a debug webvpn saml on the ASA to see what's going on?

Can you export the DART log file to see if some specific error can be seen on the client side?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I attached some debug files.

New DART file "_0516_1637"

What I see is an error of the signature not matching using sha1, whereas you were using sha256 at the beginning.

What is the full process?
- you get the ASA web page
- you're then redirected to the IdP
- you authenticate
- this step is where you get the error, right? Is there any redirection done?

Can you run a wireshark on the client to see what's happening exactly?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
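An added example, not code from the thread or from Cisco: a small Python script that parses the `[Lasso]` xmlsec error line and the `saml idp` configuration block quoted earlier in this thread and reports what they say about the failing signature check, including the sha1/sha256 difference Francesco points out. The sample log and config are reconstructed from the posts (the long build path in the log line is shortened); the function names and the structure of the findings are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input, reconstructed from the thread: the three ASA log
# lines from the original post (build path shortened) and the `saml idp` block.
SAMPLE_LOG = """\
May 09 15:51:53 [Lasso] func=xmlSecOpenSSLEvpSignatureVerify:file=.../src/openssl/signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
May 09 15:51:53 [SAML] consume_assertion: The profile cannot verify a signature on the message
[saml] webvpn_login_primary_username: SAML assertion validation failed.
"""

SAMPLE_CONFIG = """\
saml idp IDP_SSO_PRD
 url sign-in https://xxx
 base-url https://xxx
 trustpoint idp saml-trust
 trustpoint sp SAML-AUTH
 signature rsa-sha256
 force re-authentication
"""


@dataclass
class LassoEvent:
    """One xmlsec error as logged by the ASA's Lasso library."""
    func: str
    algorithm: str            # value of obj=, e.g. rsa-sha1
    subject: str              # value of subj=, e.g. EVP_VerifyFinal
    error: Optional[int]      # value of error=, e.g. 18
    reasons: list = field(default_factory=list)  # free-text parts such as "data do not match"


def parse_lasso(line: str) -> Optional[LassoEvent]:
    """Split the colon-separated key=value tail of a [Lasso] line into fields.

    Parts without '=' (the human-readable reasons) are collected separately.
    """
    m = re.search(r"\[Lasso\]\s+(.*)$", line)
    if not m:
        return None
    fields, reasons = {}, []
    for part in m.group(1).split(":"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key] = val
        else:
            reasons.append(part.strip())
    err = fields.get("error")
    return LassoEvent(
        func=fields.get("func", ""),
        algorithm=fields.get("obj", ""),
        subject=fields.get("subj", ""),
        error=int(err) if err and err.isdigit() else None,
        reasons=reasons,
    )


def parse_saml_idp(config: str) -> dict:
    """Pull the fields relevant to signature checking out of a `saml idp` block."""
    out = {}
    for raw in config.splitlines():
        line = raw.strip()
        for pattern, key in (
            (r"saml idp (\S+)", "idp"),
            (r"signature (\S+)", "signature"),
        ):
            m = re.match(pattern, line)
            if m:
                out[key] = m.group(1)
        m = re.match(r"trustpoint (idp|sp) (\S+)", line)
        if m:
            out["trustpoint_" + m.group(1)] = m.group(2)
    return out


def diagnose(log: str, config: str) -> list:
    """Correlate xmlsec verify failures with the ASA's SAML settings."""
    findings = []
    cfg = parse_saml_idp(config)
    for line in log.splitlines():
        ev = parse_lasso(line)
        if ev and ev.subject == "EVP_VerifyFinal" and ev.error is not None:
            findings.append(
                f"xmlsec {ev.subject} failed (error {ev.error}: {'; '.join(ev.reasons)}) "
                f"on algorithm {ev.algorithm}"
            )
            # The thread's observation: the verify error names rsa-sha1 while the
            # ASA is configured for rsa-sha256 (on the ASA, `signature` governs the
            # algorithm used to sign the requests it sends to the IdP).
            want = cfg.get("signature")
            if want and want != ev.algorithm:
                findings.append(
                    f"algorithm differs: ASA configured 'signature {want}', "
                    f"verify error reports {ev.algorithm}; compare with the IdP's signing settings"
                )
        elif "consume_assertion" in line and "cannot verify a signature" in line:
            findings.append(
                "SAML assertion rejected: signature not verifiable; check the IdP certificate "
                f"held in trustpoint '{cfg.get('trustpoint_idp', '<idp trustpoint>')}'"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the output of `debug webvpn saml` together with `show running-config saml` and it lists, in order, the raw verify failure, the algorithm difference against the configured `signature` value, and which trustpoint holds the IdP certificate that the assertion signature is checked against.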

I tried to change the signature algorithm but without success.

I created a "Profile" directory under the AnyConnect directory and put the XML file inside it.

I attached 2 files.

Thanks.

I'll review your files in the coming days.

In the meantime have you opened a tac case with Cisco and/or your saml provider?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

What is the solution?

I see traffic going to the ASA, and my bad, I asked you for a Wireshark capture on the client instead of a capture directly on the ASA.
Can you do it again please?

Can you share in PM the IP of your IdP please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The IdP IP is: 212.77.91.39

Unfortunately I can't trace the traffic.

The buffer is always empty.

Can you please point me to the bug? I am getting the runaround with TAC.

lina.cao
Level 1
Hi RedTyson, how did you finally fix the issue?