Anyconnect with Azure SAML SSO - Cannot add multiple tunnel group

cusco (Level 1)

Hi ALL,

 

I tried to add multiple (5) tunnel groups to Azure AD via SAML. I had no problem adding a single tunnel group. The issue is that I can't add another SAML server (for the other tunnel groups) with the same Azure AD Identifier (since all the Enterprise Applications are located under the same Azure tenant).

 

I tried to tweak the identifier by adding the port (https://xxxx:443) in the URL, but it doesn't work. So for now, only one of the tunnel groups is working. The only thing I can think of is creating a separate tenant for each tunnel group (so the Identifier will be different), but this is totally the wrong method.

 

Has anyone else run into this situation? Any suggestions?

 

Thanks

[Attachment: Capture.JPG]

46 Replies

Hi @Marvin Rhoads 

What is the FTD version you have? Starting in FTD 7.1+, the override ability in the AAA configuration allows us to use a different IdP certificate. In this case you can download 2 unique certs, which will be created automatically on the Azure side for each app. In that case you do not need to add a cert on the Azure side.

To be honest, I don't really remember what the format was. Thus, I've just tested this, and used the following command:

openssl.exe pkcs12 -export -out cert.p12 -inkey M-softSAML.key -in M-softSAML.crt

And I managed to import it to AAD like this. I usually just hand it over to the Azure team, and they import it or reformat it, if needed.

Kind regards,

Milos

When we create multiple apps for multiple tunnel groups from the section marked below, each app (AnyConnect) creates a different cert.

Which cert should we use to import at each app in the attached image below?

[Attachment: MSJ1_1-1686161424355.png]

If the version is 7.1+, you can just download the 2 certs as you marked, import them on the FTD side and use the override option. This way you do not require an additional common cert to be imported into Azure for each app.

@MSJ1 that looks promising - I haven't used that feature before.

My use case is an FMC-managed FTD 7.2.4 with a primary and backup ISP. The existing RA VPN is using SAML. We want end users to automatically failover to a second connection profile when the primary is not available. We can easily do the failover with a VPN profile xml file that identifies the backup server. However it will have a unique VPN FQDN that we need to create a second Azure AD (Entra ID) enterprise application instance. As I understand it, I can simply download the certificate from that second instance and select it for the connection profile once I select the "Override Identity Provider Certificate" option under the AAA settings (where I have already told the profile to use SAML with the existing working Azure AD SSO provider).

"told the profile to use SAML with the existing working Azure AD SSO provider" -- Yes, that's because I think you have one tenant in Azure.

And yes, use the Override option, and it is better to use the embedded browser as well. Especially if you are using mobile VPN, the OS Browser option will give you trouble for mobile VPN.

In your case, for the backup ISP, is the FQDN different from the other one?

 

Works on the FMC as well. Cert My-ASA-Cert.pem needs to be added manually (like the Azure cert) and then added into Devices-Certificates. Thanks a lot!

 

Hello Nenad,

 

I have deposited my own certificate as described and also added this to the device via FMC. Unfortunately, I still get the error message "Duplicate Identity Provider Entity ID." during deployment as soon as I want to add a second AzureAD SAML SSO server to a second tunnel group.
Do you have an idea why it could be or could you possibly share your settings with me?

Thanks for your support.

Hi Sebastian,

 

You need to use one SAML SSO server for both tunnel groups

 

Nenad

KR769 (Level 1)

Hi All, 

Sorry for resurrecting this thread after 1 year.

Can anyone clarify if the "Workaround solution 1" described in CSCvi29084 is the same as using an external certificate as discussed in this thread?

If so, has anyone got this working on an ASA software version lower than 9.17(x)?

TAC advised that I need 9.17(x) or higher to support the workarounds, but I'm not so sure about that. Unfortunately, 9.16(x) is the last release supported on my 5516-X.

Thanks!

Hi @KR769,

Yes, using an externally generated certificate, which is then used in multiple Azure Enterprise applications, is a workaround for the limitation where you are using the IdP of a single tenant. And yes, I've already used this workaround in versions lower than 9.17 (I used it with 9.12, 9.13 and 9.16).

BR,

Milos
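To make the limitation behind this thread concrete, here is an added example (not code from the thread or from Cisco) that models what the ASA/FTD keys a SAML IdP object on: the issuer entity ID, which Entra ID builds as https://sts.windows.net/<tenant-id>/ and therefore shares across every enterprise application in one tenant, versus the signing certificate, which Azure auto-generates per application. The metadata documents, certificate bytes and tenant ID below are constructed placeholders. The ASA's behaviour is reduced to the two rules the thread reports: a second SAML server with the same entity ID is rejected ("Duplicate Identity Provider Entity ID"), and one SAML server can only validate assertions signed with its configured certificate, which is why uploading one external certificate to every application lets a single SAML server serve all tunnel groups.

```python
"""Added example: why one Entra ID tenant forces one SAML IdP object on the ASA,
and why one shared (externally generated) signing certificate is the workaround.
All metadata and certificate bytes here are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder tenant ID. Entra ID derives the IdP entity ID (SAML issuer) from the
# tenant, so every enterprise application in the tenant advertises the same value.
TENANT_ID = "00000000-0000-0000-0000-000000000000"


def fake_metadata(tenant_id: str, signing_cert_der: bytes) -> str:
    """Build a minimal federation-metadata document shaped like the one the ASA
    imports. The certificate body is placeholder bytes, not a real DER certificate."""
    b64 = base64.b64encode(signing_cert_der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sts.windows.net/{tenant_id}/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_identity(metadata_xml: str) -> tuple:
    """Return (entityID, SHA-256 fingerprint of the signing certificate bytes)."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.attrib["entityID"]
    key_desc = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert_b64 = key_desc.find(".//ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))
    return entity_id, hashlib.sha256(der).hexdigest()


def plan_saml_servers(app_metadata: dict) -> dict:
    """Group enterprise applications by the value the ASA keys a SAML server on
    (the entity ID). Within one entity ID, all apps must present the same signing
    certificate, otherwise a single SAML server cannot validate every app's
    assertions, and a second server with the same entity ID is rejected."""
    by_entity = {}
    for app, xml in app_metadata.items():
        entity_id, fingerprint = idp_identity(xml)
        by_entity.setdefault(entity_id, {})[app] = fingerprint
    return {
        entity_id: {
            "apps": apps,
            "single_saml_server_ok": len(set(apps.values())) == 1,
        }
        for entity_id, apps in by_entity.items()
    }


def scenario(shared_cert: bool) -> dict:
    """Two tunnel groups, two enterprise apps, one tenant. With shared_cert=False
    each app carries its own auto-generated certificate; with shared_cert=True the
    same externally generated certificate was uploaded to both apps."""
    apps = ["AnyConnect-Primary", "AnyConnect-Backup-ISP"]
    metadata = {}
    for i, app in enumerate(apps):
        cert = b"placeholder-external-cert" if shared_cert else f"placeholder-auto-cert-{i}".encode()
        metadata[app] = fake_metadata(TENANT_ID, cert)
    return plan_saml_servers(metadata)


if __name__ == "__main__":
    for label, shared in (("auto-generated certs", False), ("one uploaded cert", True)):
        for entity_id, info in scenario(shared).items():
            print(f"{label}: entityID={entity_id} apps={len(info['apps'])} "
                  f"one SAML server can serve all tunnel groups: {info['single_saml_server_ok']}")
```

Run it and both scenarios report the same single entity ID, which is the "Duplicate Identity Provider Entity ID" problem: the ASA has nowhere to put a second server. Only the shared-certificate scenario leaves one server able to serve every tunnel group; on 9.17/FTD 7.1 and later the per-connection-profile certificate override discussed above removes the need for the shared certificate instead.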

Hi Milos,

Thank you so much for responding to my post and confirming that the workaround works with software versions lower than 9.17. This is a huge help and I really appreciate it!

Hello @Milos_Jovanovic 

Referring to the bug CSCvi29084: if I have one tenant, Solution 2 is not a possibility for me, right?

Solution 2 Maintain different IDP entity IDs for different IDP certificates on IDP Server.

"Can anyone clarify if the 'Workaround solution 1' described in CSCvi29084 is the same as using an external certificate as discussed in this thread?" -- Yes

CSCO12052314 (Level 1)

Hello all.

Thank you for the tip, it really works well! But I have a question: is there any explanation for why it doesn't work with "multi-tunnel group" if I don't upload my own certificate (External SSL Certificate) to the Azure app? I don't understand why it doesn't work if I don't upload it... I have understood that one reason is that if there isn't my certificate, Azure will auto-generate a certificate without a private key, therefore I can't upload this one to Azure... So why does an auto-generated cert work for only one tunnel group, but not when I try multiple tunnels? I'm still confused about why uploading a (third-party) cert solves the issue for multiple tunnels.

Regards.