Anyconnect with Azure SAML SSO - Cannot add multiple tunnel group

cusco
Level 1

Hi all,

I tried to add multiple (5) tunnel groups to Azure AD via SAML. I had no problem adding a single tunnel group. The issue is that I can't add another SAML server (for the other tunnel groups) with the same Azure AD Identifier (since all the Enterprise Applications are located under the same Azure tenant).

I tried to tweak the identifier by adding the port (https://xxxx:443) to the URL, but it doesn't work. So for now, only one of the tunnel groups is working. The only thing I can think of is creating a separate tenant for each tunnel group (so the Identifier would be different), but this is totally the wrong method.

Has anyone else run into this situation? Any suggestions?

Thanks

(attachment: Capture.JPG)

47 Replies

Each Azure app will automatically generate its own certificate, which you are supposed to import on your ASA/FTD. However, on ASA, when configuring the SAML IdP, you must use your Azure tenant ID (e.g. saml idp https://sts.windows.net/XXX/). There was a limitation on ASA that you can't use a name different from your tenant ID. But here, you do not differentiate Azure apps, as all of them still have the same tenant ID, while at the same time you can only import one certificate under one IdP. So it all comes down to the fact that on the Azure side you have multiple apps with multiple certificates, while on ASA you can only have one tenant with a single certificate, which is why you must generate the certificate externally and import it to both the ASA and all Azure apps that this ASA will use.

Now, starting from ASA v9.17, it is possible to use multiple IdP trustpoints per SAML IdP configuration, for IdPs that support multiple applications with the same Entity ID. I haven't tried this myself, but it looks like something that would overcome the described problem.

Kind regards,

Milos

Hello.

Thank you for your reply; it's totally clear to me now.

Regards

FYI I finally had a use case to use the multiple IDP trustpoints and it worked perfectly on the first try! Posting to this older thread to bring readers searching for this solution up to speed.

We just tell the second (third, etc.) VPN profile (tunnel-group, as it's known in the CLI) to "Override Identity Provider Certificate" and instead use one that we have downloaded from the second Entra ID enterprise application instance and enrolled onto the device as a CA-only certificate.

That selection is found in FMC under Edit Connection Profile menu, AAA tab.
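The two approaches discussed in this thread, Milos's pre-9.17 workaround (one externally generated certificate shared by every Azure app and enrolled once on the ASA) and the 9.17+ per-tunnel-group trustpoint override that the last reply selects in FMC, side by side as ASA CLI. This is an added example, not configuration posted by anyone in the thread. `<tenant-id>`, `vpn.example.com` and the trustpoint and tunnel-group names are placeholders; the `saml idp-trustpoint` command is the one introduced with the ASA 9.17 multiple-IdP-trustpoint feature and is assumed to be what the FMC "Override Identity Provider Certificate" option deploys to FTD, so verify both against the release notes for your version.

```text
! Added example, not from the thread. Two AnyConnect tunnel-groups, each
! backed by its own Entra ID enterprise application in the SAME tenant.
! Every app carries the same IdP Entity ID, https://sts.windows.net/<tenant-id>/,
! so the ASA can hold exactly one "saml idp" entry for all of them.
! <tenant-id>, vpn.example.com and all trustpoint/tunnel-group names are
! placeholders.

! --- 1. IdP signing certificate(s), enrolled as CA-only trustpoints ----------
! Pre-9.17 workaround: generate ONE certificate externally, upload it to
! every enterprise app as its SAML signing certificate, enroll it once here.
crypto ca trustpoint AZURE-IDP-SHARED
 enrollment terminal
crypto ca authenticate AZURE-IDP-SHARED
! (paste the PEM block of the shared certificate, then type: quit)

! 9.17+ alternative: keep each app's own auto-generated certificate and
! enroll it in a separate trustpoint, one per app.
crypto ca trustpoint AZURE-IDP-APP2
 enrollment terminal
crypto ca authenticate AZURE-IDP-APP2
! (paste the PEM block downloaded from the second enterprise app, then: quit)

! --- 2. SP certificate the ASA uses for its own SAML requests ---------------
crypto ca trustpoint ASA-SP
 enrollment self
 subject-name CN=vpn.example.com
crypto ca enroll ASA-SP noconfirm

! --- 3. Exactly one IdP entry, named by the tenant's Entity ID --------------
webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp AZURE-IDP-SHARED
  trustpoint sp ASA-SP
  base-url https://vpn.example.com
  no signature
  no force re-authentication

! --- 4. Tunnel-groups. On the Azure side each app is distinguished by the
! SP identifier  https://vpn.example.com/saml/sp/metadata/<tunnel-group>
! and reply URL   https://vpn.example.com/saml/sp/acs?tgname=<tunnel-group>,
! NOT by the IdP Entity ID, which is why a second "saml idp" is impossible.
tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias employees enable

tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 ! 9.17+ only: validate this tunnel-group's assertions with the second
 ! app's own certificate instead of the IdP-level trustpoint.
 saml idp-trustpoint AZURE-IDP-APP2
 group-alias contractors enable
```

With the pre-9.17 approach, drop the `saml idp-trustpoint` line and the `AZURE-IDP-APP2` trustpoint: every tunnel-group then validates against `AZURE-IDP-SHARED`, so the same certificate must be imported into each enterprise app (SAML Signing Certificate, import from PFX) before any of them will work. With 9.17+, each tunnel-group can keep the certificate Azure generated for its app, which also means the apps' certificates can rotate independently. Either way, confirm the assertion is actually being verified with `debug webvpn saml 255` on a test login rather than assuming the trustpoint binding took effect.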