Anyconnect with Azure SAML SSO - Cannot add multiple tunnel group

cusco
Level 1

Hi all,

I tried to add multiple (5) tunnel groups to Azure AD via SAML. I had no problem adding a single tunnel group. The issue is that I can't add another SAML server (for the other tunnel groups) with the same Azure AD Identifier (since all the Enterprise Applications are located under the same Azure tenant).

I tried to tweak the identifier by adding the port (https://xxxx:443) to the URL, but it doesn't work. So for now, only one of the tunnel groups is working. I can only think of creating a separate tenant for each tunnel group (so the Identifier will be different), but this is totally the wrong method.

Has anyone else run into this situation? Any suggestions?

Thanks

[attachment: Capture.JPG]

Accepted Solution

Francesco Molino
VIP Alumni
Hi

I believe you're facing this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi29084/?rfs=iqvred

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thank you for the help. I configured all the profiles on the IdP server with a single certificate and it did the magic. All the tunnel groups are working fine now!!

Really appreciate it, and you saved my day because tomorrow is my POC presentation.

Thanks

I'm glad this helped. I had this issue too, so sharing to help others not spend a few hours/days on it is always great.

Have a good POC presentation

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Do individual Azure apps need to be created for each tunnel group or can they all be under a single app?

Not sure I got your point. You want to use 1 IdP for multiple tunnels? Yes, you can do that.
You can also have multiple IdPs. There's a bug for this.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Could you share the configuration for multiple IdPs, please? From what I understand, that is done on the tunnel group, right?

tunnel-group AC-SAML webvpn-attributes
 saml identity-provider https://sts.windows.net/xxxxxxxxxxxxx/
 authentication saml
end

You can specify a new one for every tunnel group; could you confirm if I am right, or tell me how to do it?

And how could you use only one IdP for multiple groups?

Thanks for the help, by the way.

Hello @Francesco Molino,

I'm really confused about this issue.
I want to use 1 IdP for multiple tunnels but can't understand how. I've configured my first tunnel group and the MFA process works fine; what should I do to set up the other tunnel-groups?
I just need to change the Entity ID and Reply URL at step 7 of this guide, like this:

a. Identifier (Entity ID) - https://<VPN URL>/saml/sp/metadata/<TUNNEL-GROUP NAME2>
b. Reply URL (Assertion Consumer Service URL) - https://<VPN URL>/+CSCOE+/saml/sp/acs?tgname=<TUNNEL-GROUP NAME2>
a. Identifier (Entity ID) - https://<VPN URL>/saml/sp/metadata/<TUNNEL-GROUP NAME3>
b. Reply URL (Assertion Consumer Service URL) - https://<VPN URL>/+CSCOE+/saml/sp/acs?tgname=<TUNNEL-GROUP NAME3>

or do I need to do something more?

Regarding this sentence, "All tunnel groups should be re-enabled to use new SAML IDP config.", I can do it just by entering:
show run tunnel-group
conf t
tunnel-group <TUNNEL-GROUP NAME> webvpn-attributes
 no saml identity-provider
 saml identity-provider <IDP URL>
end

Is there a way to re-enable it via the GUI?

@Francesco Molino

"Not sure I got your point. You want to use 1 IdP for multiple tunnels? Yes, you can do that." -- Referring to this statement of yours, can you suggest how to do that? If you suggest using "Maintain different IDP entity IDs for different IDP certificates on IDP Server", how to do that, as the entity ID for one tenant will always be the same?

[attachment: copy-configuration-urls.png]

Hi @MSJ1,

Please go through the entire thread, especially starting from this post onwards. You'll see the explanation there. On ASA/FTD, you'll have a single IdP, while on Azure, you'll have multiple Enterprise Apps with different ACS URLs, which will correspond to your FW's tunnel-groups.

Kind regards,

Milos

@Milos_Jovanovic 

Hello Milos, do you think the Override IDP Certificate option in a single-tenant environment is a fix from FMC 7.1.0?

Hello Francesco,

I'm facing the same issue. Could you please share the configuration details you did on Azure to fix the problem?

Thanks,

Hi @cusco,

I know this is an old thread, but I'm not finding any documentation that covers using a single cert for multiple tunnel groups, so I was hoping you could post how you were able to configure the profiles in Azure to use a single cert from Azure for multiple tunnel groups. Thanks!

Hi @stevenkrose,

When defining an Enterprise App on the Azure side, you need to manually define/upload the same certificate you are using for all the other VPN tunnel-groups, and also the same one defined on the ASA.

If you follow this guide, in step 8, instead of downloading the certificate from Azure and importing it to the ASA, there is an option to upload your certificate and private key (I don't have access to Azure, and I don't remember it off the top of my head; it could be that it has to be a single file, e.g. PKCS#12 or PFX).

BR,

Milos
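As an added example (not from this thread, and not Cisco's or Microsoft's code), the script below does two things the thread describes in prose: it generates the Entity ID / Reply URL pair to enter for each Azure Enterprise App from the step 7 pattern quoted earlier, and it checks a SAML Response the way the ASA side has to, with one IdP entity and one pinned IdP signing certificate shared by every tunnel group while the audience and destination differ per tunnel group. The VPN host, tenant ID and certificate bytes are assumed placeholders; the SAML Response is constructed and unsigned, so only the issuer, destination, audience and certificate-pinning checks are shown, not XML signature verification.

```python
"""Per-tunnel-group SAML binding checks for an ASA/FTD SP behind one Azure IdP.

Added example, not code from the thread. Host, tenant ID and certificate
bytes below are assumed placeholders; the Response XML is constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed values (placeholders, not taken from the thread).
VPN_HOST = "vpn.example.com"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
# Constructed stand-in for the single IdP signing certificate every app uses.
IDP_CERT_DER = b"CONSTRUCTED-IDP-CERT-DER"
IDP_CERT_SHA256 = hashlib.sha256(IDP_CERT_DER).hexdigest()


def sp_entity_id(host, tunnel_group):
    """Step 7a: Identifier (Entity ID) for one tunnel group."""
    return f"https://{host}/saml/sp/metadata/{tunnel_group}"


def acs_url(host, tunnel_group):
    """Step 7b: Reply URL (Assertion Consumer Service URL) for one tunnel group."""
    return f"https://{host}/+CSCOE+/saml/sp/acs?tgname={tunnel_group}"


def azure_app_endpoints(host, tunnel_groups):
    """(Entity ID, Reply URL) to enter in the Azure Enterprise App per tunnel group."""
    return {tg: (sp_entity_id(host, tg), acs_url(host, tg)) for tg in tunnel_groups}


def check_response(xml_text, tunnel_group, host=VPN_HOST,
                   idp_entity_id=IDP_ENTITY_ID, cert_sha256=IDP_CERT_SHA256):
    """Return a list of problems; empty means the response fits this tunnel group.

    Only the binding checks are done here. XML signature verification itself
    belongs to a proper library (e.g. python3-saml / xmlsec); this pins the
    certificate the signature must come from, which is why every Enterprise
    App has to carry the same IdP certificate.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url(host, tunnel_group):
        problems.append("destination does not match this tunnel group's ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("issuer is not the configured IdP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion"]
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id(host, tunnel_group) not in audiences:
        problems.append("audience does not match this tunnel group's Entity ID")
    cert_b64 = assertion.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert_b64 is None or hashlib.sha256(
            base64.b64decode(cert_b64)).hexdigest() != cert_sha256:
        problems.append("signing certificate is not the pinned IdP certificate")
    return problems


def make_response(tunnel_group, cert_der=IDP_CERT_DER, host=VPN_HOST,
                  idp_entity_id=IDP_ENTITY_ID):
    """Constructed, unsigned SAML Response for testing (not real Azure output)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{acs_url(host, tunnel_group)}">
  <saml:Issuer>{idp_entity_id}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{idp_entity_id}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{sp_entity_id(host, tunnel_group)}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for tg, (eid, acs) in azure_app_endpoints(VPN_HOST, ["AC-SAML", "AC-SAML2"]).items():
        print(f"{tg}: Entity ID={eid}  Reply URL={acs}")
    print(check_response(make_response("AC-SAML"), "AC-SAML"))    # []
    print(check_response(make_response("AC-SAML2"), "AC-SAML"))   # destination + audience mismatch
```

The second check in the usage block is the point of the per-app Entity ID and Reply URL: a response Azure issued for the AC-SAML2 app is rejected when it arrives at the AC-SAML tunnel group, even though the issuer and certificate are identical, because the audience and destination are bound to the tunnel group. Changing the certificate instead (one app with its own Azure-generated cert) fails the pinning check, which is the behaviour the thread works around by uploading the same certificate to every Enterprise App.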

Hi @Milos_Jovanovic,

Thank you for the reply!

Just so I understand correctly:

I have two VPN tunnel groups configured on the ASA: Tunnel-group1 and Tunnel-group2.

In Azure, I create the AnyConnect app (following the guide you linked). At step 7 I have to specify a tunnel group name for the Entity ID and Reply URL, tunnel-group1 in this example.

Then, at step 8, instead of downloading a cert I need to upload a cert for tunnel-group2. Which cert? A cert from the ASA or a cert that I generate from Azure?

Thank you again for any help!