08-24-2020 03:34 PM
Hi ALL,
I tried to add multiple (5) tunnel groups to Azure AD via SAML. I had no problem adding a single tunnel group. The issue is that I can't add another SAML server (for the other tunnel groups) with the same Azure AD Identifier (since all the Enterprise Applications are located under the same Azure tenant).
I tried to tweak the identifier by adding the port (https://xxxx:443) in the URL, but it doesn't work. So for now, only one of the tunnel groups is working. I can only think of creating a separate tenant for each tunnel group (so the Identifier will be different), but this is a totally wrong method.
Has anyone else run into this situation? Any suggestions?
Thanks
07-17-2023 10:37 AM
What FTD version do you have? Starting in FTD 7.1+, the override ability in the AAA configuration allows us to use a different IDP certificate; in this case you can download 2 unique certs, which will be created automatically at the Azure side for each app. In that case you do not need to add a cert at the Azure side.
08-03-2023 12:16 AM
To be honest, I don't really remember what the format was. Thus, I've just tested this, and used the following command:
openssl.exe pkcs12 -export -out cert.p12 -inkey M-softSAML.key -in M-softSAML.crt
And I managed to import it to AAD like this. I usually just hand it over to the Azure team, and they import it or reformat it, if needed.
Kind regards,
Milos
06-07-2023 11:13 AM
When we create multiple apps for multiple tunnel groups from the marked section below on each app (AnyConnect), it creates a different cert.
Which cert should we use to import at each app in the attached image below?
07-17-2023 11:12 AM
If the version is 7.1+, you can just download the 2 certs as you marked, import them at the FTD side and use the override option. In this way you do not require an additional common cert to import at Azure for each app.
07-18-2023 07:57 AM
@MSJ1 that looks promising - I haven't used that feature before.
My use case is an FMC-managed FTD 7.2.4 with a primary and backup ISP. The existing RA VPN is using SAML. We want end users to automatically fail over to a second connection profile when the primary is not available. We can easily do the failover with a VPN profile XML file that identifies the backup server. However, it will have a unique VPN FQDN, for which we need to create a second Azure AD (Entra ID) enterprise application instance. As I understand it, I can simply download the certificate from that second instance and select it for the connection profile once I select the "Override Identity Provider Certificate" option under the AAA settings (where I have already told the profile to use SAML with the existing working Azure AD SSO provider).
07-19-2023 08:37 PM
told the profile to use SAML with the existing working Azure AD SSO provider -- Yes, that's because I think you have one tenant at Azure.
And yes, use the Override option, and it is better to use the embedded browser as well. Especially if you are using mobile VPN, the OS Browser option will give you trouble for mobile VPN.
In your case, for the backup ISP, is the FQDN different than the other one?
10-05-2021 01:15 PM - edited 10-05-2021 01:57 PM
Works on the FMC as well. The cert My-ASA-Cert.pem needs to be added manually (like the Azure cert) and then added under Devices > Certificates. Thanks a lot!
10-18-2021 10:52 PM
Hello Nenad,
I have deposited my own certificate as described and also added this to the device via FMC. Unfortunately, I still get the error message "Duplicate Identity Provider Entity ID." during deployment as soon as I want to add a second AzureAD SAML SSO server to a second tunnel group.
Do you have an idea why it could be or could you possibly share your settings with me?
Thanks for your support.
10-22-2021 06:54 AM
Hi Sebastian,
You need to use one SAML SSO server for both tunnel groups.
Nenad
09-28-2022 05:29 PM
Hi All,
Sorry for resurrecting this thread after 1 year.
Can anyone clarify if the "Workaround solution 1" described in CSCvi29084 is the same as using an external certificate as discussed in this thread?
If so, has anyone got this working on an ASA software version lower than 9.17(x)?
TAC advised that I need 9.17(x) or higher to support the workarounds, but I'm not so sure about that. Unfortunately, 9.16(x) is the last release supported on my 5516-X.
Thanks!
09-28-2022 11:13 PM
Hi @KR769,
Yes, using an externally generated certificate, which is then used in multiple Azure Enterprise applications, is a workaround for the limitation where you are using the IDP of a single tenant. And yes, I've already used this workaround in versions lower than 9.17 (I used it with 9.12, 9.13 and 9.16).
BR,
Milos
09-29-2022 07:02 AM
Hi Milos,
Thank you so much for responding to my post and confirming that the workaround works with software versions lower than 9.17. This is a huge help and I really appreciate it!
06-13-2023 11:57 AM
Hello @Milos_Jovanovic
Referring to the bug CSCvi29084: if I have one tenant, Solution 2 is not a possibility for me, right?
Solution 2: Maintain different IDP entity IDs for different IDP certificates on the IDP server.
06-07-2023 11:49 AM
Can anyone clarify if the "Workaround solution 1" described in CSCvi29084 is the same as using an external certificate as discussed in this thread? -- Yes
12-15-2022 05:33 AM
Hello all.
Thank you for the tip, it really works well! But I have a question: is there any explanation for why it doesn't work with a "multi-tunnel group" if I don't upload my own certificate (external SSL certificate) to the Azure app? I don't understand why it doesn't work if I don't upload one... I have understood that one reason is that, if there is no certificate of mine, Azure will auto-generate a certificate without a private key, therefore I can't upload this one to Azure... So why does an auto-generated cert work for only one tunnel group, but doesn't work when I try multiple tunnel groups? I'm still confused about why uploading a (third-party) cert solves the issue for multiple tunnel groups.
Regards.
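As an added illustration that is not from any poster in this thread and not Cisco's own logic: a small Python check that parses the IdP metadata of each Azure enterprise application and, from the entity ID and signing certificate, predicts whether a second SAML server for another tunnel group will hit the duplicate entity ID problem, or whether the shared-certificate / override route applies. The tenant ID, tunnel group names and certificate strings are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_idp(metadata_xml):
    """Return (entityID, set of signing certs) from a SAML IdP metadata document."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing+encryption
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            certs.add("".join(cert.text.split()))  # strip PEM line wrapping
    return root.get("entityID"), certs

def check_tunnel_groups(apps):
    """apps: {tunnel_group: metadata_xml}. Returns {tunnel_group: verdict text}."""
    by_entity, verdicts = {}, {}
    for tg, xml in apps.items():
        eid, certs = parse_idp(xml)
        if eid not in by_entity:
            by_entity[eid] = (tg, certs)
            verdicts[tg] = "ok: distinct IdP entity ID, a separate SAML server is fine"
        elif by_entity[eid][1] == certs:   # same tenant, same (external) cert
            verdicts[tg] = ("shared: same entity ID and signing cert as %s; "
                            "use one SAML SSO server for both tunnel groups" % by_entity[eid][0])
        else:                              # same tenant, Azure auto-generated certs differ
            verdicts[tg] = ("conflict: same entity ID as %s but a different cert; expect "
                            "'Duplicate Identity Provider Entity ID' unless a common external cert "
                            "is uploaded to each app or the FTD 7.1+ override is used" % by_entity[eid][0])
    return verdicts

def azure_metadata(tenant, cert_b64):
    # Constructed minimal metadata in the shape Azure AD publishes; not a real tenant.
    return ('<EntityDescriptor xmlns="%s" entityID="https://sts.windows.net/%s/">'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="%s"><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</KeyDescriptor></IDPSSODescriptor></EntityDescriptor>'
            % (NS["md"], tenant, NS["ds"], cert_b64))

TENANT = "00000000-0000-0000-0000-000000000000"          # placeholder tenant ID
APPS = {                                                  # constructed sample apps
    "VPN-Primary": azure_metadata(TENANT, "MIIC...AUTOGEN-CERT-A"),
    "VPN-Backup": azure_metadata(TENANT, "MIIC...AUTOGEN-CERT-B"),
    "VPN-Backup-ExternalCert": azure_metadata(TENANT, "MIIC...AUTOGEN-CERT-A"),
}

if __name__ == "__main__":
    for tg, verdict in check_tunnel_groups(APPS).items():
        print(tg, "->", verdict)
```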