08-24-2020 03:34 PM
Hi ALL,
I tried to add multiple (5) tunnel groups to Azure AD via SAML. I got no problem to add a single tunnel group. Issue here is I can't add another SAML server (for other tunnel groups) with the same Azure AD Identifier (since all the Enterprise Applications located under the same Azure tenant).
I tried to tweak the identifier by adding the port (https://xxxx:443) in the URL but it doesn't work. So for now, only one of the tunnel groups is working. I only can think about creating a separate tenant for each tunnel group (So, the Identifier will be different) but this is totally wrong method.
Has anyone else run into this situation? Any suggestions?
Thanks
Solved! Go to Solution.
08-12-2021 12:14 AM
Hi @stevenkrose,
A certificate that you need to upload here must match on both ends, ASA and Azure. In this guide, cert is being auto-generated on Azure side, downloaded from Azure portal, and then uploaded to ASA. Caveat with this process is that you download only certificate, not the private key from Azure side, meaning that you can't re-upload it again to Azure.
You need to generate certificate externally, in order to have private key and certificate with you. I usually generate this from OpenSSL, and then import it to both Azure and ASA (with proper formating, but OpenSSL supports it all). You can export certificate from Azure, so you can see which options you need to include inside certificate, generate your own pair of private key and certificate, and then replace it on Azure side for all VPN-related applications.
BR,
Milos
08-12-2021 06:52 AM
@Milos_Jovanovic,
Thank you for the clarification! I'll give it a try and update the thread
08-12-2021 10:22 AM
Yes - please do let us know.
I have been waiting to do the same for one of my customers who has multiple connection profiles (tunnel-groups) that they would like to have all use SAML with Azure AD as the iDP.
08-12-2021 10:37 PM
Hi @Marvin Rhoads,
I already did it for two of my customers, and this is definitelly a way forward.
BTW, it works flawleslly, and customer experience is great (as per their feedback).
BR,
Milos
08-13-2021 10:21 AM
Update:
@Milos_Jovanovic solution works
Following the guide Milos posted earlier with the changes below:
In Azure you need to create an app for each tunnel group
Upload the 3rd party cert to each app
Install the 3rd party cert on the ASA
06-07-2023 11:38 AM
I am getting hard time to know with what attribute I would generate the cert. Please help. Like what will be CN name and SAN entry for that externally generated cert. ?
06-07-2023 01:13 PM
Hi @MSJ1,
You can pretty much put whatever you want there, for as long as both parties are trusting it
I usually keep same approach as Microsoft is doing, with my customization:
CN = Microsoft Azure Federated SSO Certificate
O = Organization_Name
L = Some_Location
C = Some_Country_2_Letter_mark (e.g. RS)
I don't have any SANs inside, as neither original one has. You can export original cert from Azure, and try to replicate it.
Kind regards,
Milos
08-20-2021 12:01 PM - edited 08-20-2021 12:19 PM
@stevenkrose @Milos_Jovanovic
Could you please provide the openSSL syntax you used to generate the cert? I found the following in a different thread (attached to the bug)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MyPrivKey.key -out MyCert.crt
openssl pkcs12 -inkey MyPrivKey.key -in MyCert.crt -export -out Azure_SAML_for_Cisco_Anyconnect.pfx
I'm about to implement the fix myself during a change window and just want to be 100% sure as unfortunately we don't have a lab were doing it live!
Thank you.
08-20-2021 03:05 PM - edited 08-20-2021 03:08 PM
Hi @ROTTO84,
Here are the commands we used. I changed the .pem & .pfx file names to show where they get installed
First part creates the config file for the request
cat << EOF > req.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = Country
ST = State
L = City
O = Organization
OU = Dept
CN = Common Name
EOF
openssl req -newkey rsa:2048 -nodes -keyout My-ASA-Key.pem -x509 -sha256 -days 365 -config req.conf -out My-ASA-Cert.pem
openssl pkcs12 -export -inkey My-ASA-Key.pem -in My-ASA-Cert.pem -name AnyConnect-Azure -out My-Azure-Key-Cert-Pair.pfx
08-21-2021 10:50 PM - edited 08-21-2021 10:57 PM
THANK YOU, THANK YOU, THANK YOU. i can't say it enough. I just wanted to add a few gotchas for anyone else. YMMV but trying to be as helpful as possible.
1. Req.conf | You will need a linux VM I used CentOS without issue didn't have to install anything besides openssl which usually comes installed. Make sure you fill out the common name with your VPN address.
Example:
cat << EOF > req.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
C = US
ST = MN
L = Minneapolis
O = mycompany
OU = IT
CN = vpn.mycompany.com
EOF
Simply paste it into the terminal and a req.conf file will appear. The first time I didn't I got random errors that would still create the initial .pem file but when I went to make the PFX it would throw more errors and not complete. After filling it out correctly the files were created and when you create the PFX it will ask you to enter a passphrase then just simply copy them out using something like WinSCP.
2. This was my mistake, when you upload the certificate to the enterprise app don't forget to activate it for an hour I spent wondering why I was getting an insertion error. I realized if you upload it, it shows up but doesn't activate. You can right click the cert and select "activate" it only takes a seconds and when you leave the window the app will ask if you want to test out your SAML sleect no.
3. For some reason anyconnect disabled itself. Not sure if this was a bug or what happened but again threw me for a loop. After uploading the new cert and tieing it to the IDP in ASDM and removing the idp address and adding it back due to the SAML bug I was greeted with "Anyconnect is not enabled on VPN server" I googled the error and what I found was completely wrong telling you to check the group policy to ensure SSL-Client was enabled. The true fix was simply
conf t webvpn anyconnect enable
once completed everything started working.
@Milos_Jovanovic,
Thank you so much for figuring this solution out, I spent nearly 3 weeks with Cisco and they were right it was a cert issue and told me to reach out to Microsoft and Microsoft said they are in the planning stages of releasing the ability to have user defined entity IDs they are hoping for Q2 of 2022 but nothing has been started yet. Regardless I was still not at a working solution.
I hope Cisco adapts this as a workaround because IT WORKS!
02-22-2023 02:31 PM
Thanks @stevenkrose for the response . I am trying to deliver the same solution on FTD and have generated the Cert Key pair PFX . Since I already created a IDP on FTD using the cert provided from Azure , should I delete and ask them to recreate a new instance or they can upload the PFX on the current Azure instance .
10-26-2021 10:17 AM
hello Milos,
im not really go with the certificates part but basiccly i can generate a certificate on openssl an use this one on both sides?
and after that that the Certificate part but what about the SAML iDP url does it match after that?
and does the sing-in and out url match all the time? or in every new azure app do they change?
thanks for the help by the way.
02-20-2023 02:05 AM
Hello Milos,
i'm hitting the same cookies issue, do you know if this problem has been fixed?
i've a firepower 2100 running version 7.0.4 , azure is managed by my customer but he's not very practical...
i'd like to use only a single idp ID and multiple tunnel groups....
i can't understand which certificate i should create and import on azure, am i also forced to create multiple anyconnect instances on azure on i can only one?
i'm also confused about this sintax:
show run tunnel-group
conf t
tunnel-group webvpn-attributes
no saml identity-provider
saml identity-provider
end
i have to use it excaclty or i need to specify the tunnel-group name?
12-14-2022 03:10 PM
Hello.
Thank you for tip, it really works well! But I’ve a question, are there any explanation for why reason it doesn’t work with “multi-tunnel group” if I don’t upload my own certificate (External SSL Certificate) to Azure app? I’m not understanding why reason it doesn’t work if I don’t upload … I have understood that one reason is, if there aren’t my certificate, the Azure will auto-generate a certificate without a private key, therefore, I can’t upload this one on Azure…So, why reason an auto-generate cert works to only one tunnel group, but doesn’t work when I try to one multi tunnels? I’m confused yet why reason upload a cert (third party) solve the issue for multi tunnel.
Regards.
07-17-2023 08:39 AM
I tried this with a customer this morning and for some reason Azure AD (now known as Entra ID) did not accept the upload of his certificate + private key .pfx (PKCS12 format). Are there any special tips on how the Azure signing certificate for must be created?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide