Anyconnect with Azure SAML SSO - Cannot add multiple tunnel group

cusco
Level 1

Hi ALL,

 

I tried to add multiple (5) tunnel groups to Azure AD via SAML. I had no problem adding a single tunnel group. The issue is that I can't add another SAML server (for the other tunnel groups) with the same Azure AD Identifier (since all the Enterprise Applications are located under the same Azure tenant).

 

I tried to tweak the identifier by adding the port (https://xxxx:443) to the URL, but it doesn't work. So for now, only one of the tunnel groups is working. The only thing I can think of is creating a separate tenant for each tunnel group (so the Identifier will be different), but this is totally the wrong method.

 

Has anyone else run into this situation? Any suggestions?

 

Thanks


Hi @stevenkrose,

The certificate that you upload here must match on both ends, ASA and Azure. In this guide, the cert is auto-generated on the Azure side, downloaded from the Azure portal, and then uploaded to the ASA. The caveat with this process is that you download only the certificate, not the private key, from the Azure side, meaning that you can't re-upload it to Azure again.

You need to generate the certificate externally, in order to have both the private key and the certificate with you. I usually generate this with OpenSSL, and then import it to both Azure and ASA (with proper formatting, but OpenSSL supports it all). You can export the certificate from Azure, so you can see which options you need to include inside the certificate, generate your own pair of private key and certificate, and then replace it on the Azure side for all VPN-related applications.

BR,

Milos

@Milos_Jovanovic,

Thank you for the clarification! I'll give it a try and update the thread.

Yes - please do let us know.

I have been waiting to do the same for one of my customers who has multiple connection profiles (tunnel-groups) that they would like to all use SAML with Azure AD as the IdP.

Hi @Marvin Rhoads,

I already did it for two of my customers, and this is definitely the way forward.

BTW, it works flawlessly, and the customer experience is great (as per their feedback).

BR,
Milos

Update: 

@Milos_Jovanovic's solution works.

 

Following the guide Milos posted earlier, with the changes below:

In Azure you need to create an app for each tunnel group.

Upload the 3rd party cert to each app.

Install the 3rd party cert on the ASA.

 

 

@Milos_Jovanovic @stevenkrose 

I am having a hard time knowing which attributes I should generate the cert with. Please help. For example, what should the CN name and SAN entry be for that externally generated cert?

Hi @MSJ1,

You can pretty much put whatever you want there, as long as both parties trust it.

I usually keep the same approach as Microsoft does, with my customization:

CN = Microsoft Azure Federated SSO Certificate
O = Organization_Name
L = Some_Location
C = Some_Country_2_Letter_mark (e.g. RS)

I don't have any SANs inside, as the original one doesn't either. You can export the original cert from Azure and try to replicate it.

Kind regards,

Milos

@stevenkrose @Milos_Jovanovic 
Could you please provide the OpenSSL syntax you used to generate the cert? I found the following in a different thread (attached to the bug):

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MyPrivKey.key -out MyCert.crt
openssl pkcs12 -inkey MyPrivKey.key -in MyCert.crt -export -out Azure_SAML_for_Cisco_Anyconnect.pfx

I'm about to implement the fix myself during a change window and just want to be 100% sure, as unfortunately we don't have a lab; we're doing it live.


Thank you.

Hi @ROTTO84,

 

Here are the commands we used. I changed the .pem & .pfx file names to show where they get installed.

The first part creates the config file for the request.

The second command uses that to create the key and cert, which is what the ASA needs.
The third command puts them together into a PKCS#12 (aka PFX) file, which is what Azure needs.

 

cat << EOF > req.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = Country
ST = State
L = City
O = Organization
OU = Dept
CN = Common Name
EOF

 

openssl req -newkey rsa:2048 -nodes -keyout My-ASA-Key.pem -x509 -sha256 -days 365 -config req.conf -out My-ASA-Cert.pem
openssl pkcs12 -export -inkey My-ASA-Key.pem -in My-ASA-Cert.pem -name AnyConnect-Azure -out My-Azure-Key-Cert-Pair.pfx
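The same two-step generation as a reusable script, with a verification step that the thread's commands do not include: it confirms the key, the certificate and the PFX all belong together before either side is touched, which is exactly the mismatch Milos describes when the downloaded Azure cert has no private key. This is an added example, not code posted in the thread; it assumes OpenSSL is installed, and the DN values and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): externally generated key/cert pair for the
# ASA plus a PKCS#12 bundle for the Azure enterprise app, then a consistency check.
# Assumes OpenSSL on PATH; DN fields and the passphrase are constructed placeholders.
set -eu

make_saml_cert() {
    cn="$1"; outdir="$2"; pfxpass="$3"
    mkdir -p "$outdir"
    # Request config as in the thread, with CN set to the VPN host name
    cat > "$outdir/req.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = US
ST = MN
L = Minneapolis
O = Example Company
OU = IT
CN = $cn
EOF
    # Self-signed key and cert in PEM: what the ASA trustpoint needs
    openssl req -newkey rsa:2048 -nodes -keyout "$outdir/asa-key.pem" \
        -x509 -sha256 -days 365 -config "$outdir/req.conf" \
        -out "$outdir/asa-cert.pem" >/dev/null 2>&1
    # PKCS#12 bundle (key + cert): what the Azure enterprise app upload expects
    openssl pkcs12 -export -inkey "$outdir/asa-key.pem" -in "$outdir/asa-cert.pem" \
        -name AnyConnect-Azure -passout "pass:$pfxpass" \
        -out "$outdir/azure-pair.pfx"
}

# Returns 0 only if the cert's public key matches the private key and the PFX
# carries the same certificate; a cert-only download from Azure fails this check.
verify_saml_cert() {
    outdir="$1"; pfxpass="$2"
    keypub=$(openssl pkey -in "$outdir/asa-key.pem" -pubout | openssl sha256)
    certpub=$(openssl x509 -in "$outdir/asa-cert.pem" -noout -pubkey | openssl sha256)
    pfxfp=$(openssl pkcs12 -in "$outdir/azure-pair.pfx" -passin "pass:$pfxpass" \
        -nokeys -clcerts | openssl x509 -noout -fingerprint -sha256)
    certfp=$(openssl x509 -in "$outdir/asa-cert.pem" -noout -fingerprint -sha256)
    [ "$keypub" = "$certpub" ] && [ "$pfxfp" = "$certfp" ]
}
```

Run `make_saml_cert vpn.example.com ./out 'passphrase'` followed by `verify_saml_cert ./out 'passphrase'`; a non-zero exit from the second means the files do not form one key pair and should not be uploaded to either side.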

@stevenkrose,

THANK YOU, THANK YOU, THANK YOU. I can't say it enough. I just wanted to add a few gotchas for anyone else. YMMV, but I'm trying to be as helpful as possible.

1. req.conf | You will need a Linux VM. I used CentOS without issue and didn't have to install anything besides openssl, which usually comes installed. Make sure you fill out the common name with your VPN address.
Example:
cat << EOF > req.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = US
ST = MN
L = Minneapolis
O = mycompany
OU = IT
CN = vpn.mycompany.com
EOF

Simply paste it into the terminal and a req.conf file will appear. The first time, I didn't, and I got random errors; it would still create the initial .pem file, but when I went to make the PFX it would throw more errors and not complete. After filling it out correctly, the files were created. When you create the PFX it will ask you to enter a passphrase; then simply copy the files out using something like WinSCP.

2. This was my mistake: when you upload the certificate to the enterprise app, don't forget to activate it. I spent an hour wondering why I was getting an insertion error. I realized that if you upload it, it shows up but doesn't activate. You can right-click the cert and select "activate"; it only takes a few seconds. When you leave the window, the app will ask if you want to test out your SAML; select no.

 

3. For some reason AnyConnect disabled itself. Not sure if this was a bug or what happened, but again it threw me for a loop. After uploading the new cert and tying it to the IdP in ASDM, and removing the IdP address and adding it back due to the SAML bug, I was greeted with "AnyConnect is not enabled on VPN server". I googled the error and what I found was completely wrong, telling you to check the group policy to ensure SSL-Client was enabled. The true fix was simply:

conf t
webvpn
anyconnect enable 

Once completed, everything started working.

 

@Milos_Jovanovic,

Thank you so much for figuring this solution out. I spent nearly 3 weeks with Cisco, and they were right that it was a cert issue and told me to reach out to Microsoft. Microsoft said they are in the planning stages of releasing the ability to have user-defined entity IDs; they are hoping for Q2 of 2022, but nothing has been started yet. Regardless, I was still not at a working solution.

I hope Cisco adapts this as a workaround because IT WORKS!

Thanks @stevenkrose for the response. I am trying to deliver the same solution on FTD and have generated the cert/key pair PFX. Since I already created an IdP on FTD using the cert provided from Azure, should I delete it and ask them to recreate a new instance, or can they upload the PFX on the current Azure instance?

 

Hello Milos,

I'm not really good with the certificates part, but basically I can generate a certificate with OpenSSL and use this one on both sides?

And after the certificate part, what about the SAML IdP URL; does it still match after that?

And do the sign-in and sign-out URLs match all the time, or do they change in every new Azure app?

Thanks for the help, by the way.

 

Hello Milos,

I'm hitting the same cookies issue; do you know if this problem has been fixed?
I have a Firepower 2100 running version 7.0.4. Azure is managed by my customer, but he's not very practical...
I'd like to use only a single IdP ID and multiple tunnel groups....
I can't understand which certificate I should create and import on Azure. Am I also forced to create multiple AnyConnect instances on Azure, or can I use only one?
I'm also confused about this syntax:

show run tunnel-group
conf t
tunnel-group webvpn-attributes
no saml identity-provider
saml identity-provider
end

Do I have to use it exactly, or do I need to specify the tunnel-group name?

Hello.

Thank you for the tip, it really works well! But I have a question: is there any explanation for why it doesn't work with "multi-tunnel group" if I don't upload my own certificate (external SSL certificate) to the Azure app? I'm not understanding why it doesn't work if I don't upload it... I have understood that one reason is that, if there isn't my certificate, Azure will auto-generate a certificate without a private key, and therefore I can't upload this one to Azure... So, why does an auto-generated cert work for only one tunnel group, but not when I try with multiple tunnels? I'm still confused about why uploading a (third-party) cert solves the issue for multi-tunnel.

 

Regards.

I tried this with a customer this morning and for some reason Azure AD (now known as Entra ID) did not accept the upload of his certificate + private key .pfx (PKCS12 format). Are there any special tips on how the Azure signing certificate must be created?