11-06-2021 03:29 AM
Hi,
We are trying to configure AnyConnect client 4.9 with SSO to on-prem ADFS, via the FMC (version 7.0.1) on a FTD1010 (version 6.6.5). Unfortunately we keep getting errors.
When starting to connect with AnyConnect:
1. Start AnyConnect client to URL Service Provider.
2. Browser pop up; we can login to authenticate (name/password is accepted).
3. After that we get an error notification on the client: "Authentication failed due to problem retrieving the single sign-on cookie."
The FMC GUI gives in the VPN Troubleshooting menu: "Failed to consume SAML assertion. reason: Status code is not succes."
The FTD CLI debug 255 gives the following errors:
lsec1-1.2.20/src/openssl/signatures.c:line=493:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
Nov 06 10:14:39 [SAML] consume_assertion: Status code is not success
Nov 06 10:14:39 [SAML] consume_assertion:
[saml] webvpn_login_primary_username: SAML assertion validation failed
We found an older bug report (CSCvi23605) about a similar error and deleted and recreated the SSO SAML server config, but with no success.
Please advise how to solve this problem.
Thanx in advance!
MT
11-09-2021 07:32 AM
Never mind, I found the solution. It appears that I used the wrong certificate. When using MS ADFS (2.0), you need for the IdP certificate the one that's registered under ADFS - Certificates - Token-signing.
I used the general certificate from our ADFS.
Besides that mistake, I also had to update the Relying Party Trust after some changes. It's an Action in the right column, or under your right mouse button. (It had a yellow warning sign.)
Hope it helps someone else.
greetz
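The root cause above is that the SP (the FTD) was given a certificate other than the ADFS token-signing certificate, so the IdP's assertion signatures could never verify. The following added example (not from the thread or from Cisco/Microsoft) shows a defender-side pre-check: it reads the IdP section of ADFS federation metadata, keeps only the KeyDescriptor entries marked for signing, and compares their SHA-256 fingerprints with the certificate you intend to configure as the IdP certificate. The metadata document and the three certificate blobs are constructed placeholders; the structure (IDPSSODescriptor, KeyDescriptor use="signing"/"encryption", X509Certificate) follows what ADFS publishes in FederationMetadata.xml.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders for three ADFS certificates (not real X.509 DER, just distinct blobs).
TOKEN_SIGNING_CERT = base64.b64encode(b"constructed ADFS token-signing cert").decode()
TOKEN_DECRYPT_CERT = base64.b64encode(b"constructed ADFS token-decrypting cert").decode()
SERVICE_COMM_CERT = base64.b64encode(b"constructed ADFS service communications cert").decode()

# Constructed stand-in for the IdP section of ADFS FederationMetadata.xml: ADFS publishes
# the token-signing cert with use="signing" and the token-decrypting cert with
# use="encryption"; the service communications (HTTPS) cert is not an IdP key at all.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{TOKEN_DECRYPT_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{TOKEN_SIGNING_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64/PEM-body certificate."""
    der = base64.b64decode("".join(cert_b64.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def signing_cert_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every IdP certificate the metadata marks as usable for signing."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' covers both
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                found.append(fingerprint(cert.text))
    return found

def check_idp_cert(configured_cert_b64: str, metadata_xml: str) -> bool:
    """True only if the cert configured as the IdP cert on the SP is an ADFS token-signing cert."""
    return fingerprint(configured_cert_b64) in signing_cert_fingerprints(metadata_xml)

if __name__ == "__main__":
    for name, cert in [("token-signing", TOKEN_SIGNING_CERT), ("token-decrypting", TOKEN_DECRYPT_CERT),
                       ("service communications", SERVICE_COMM_CERT)]:
        print(name, "->", "OK" if check_idp_cert(cert, SAMPLE_METADATA) else "WRONG cert, signature will not verify")
```

With real input, paste the PEM body of the certificate you exported for the FTD SAML IdP object as the configured certificate and feed the live FederationMetadata.xml; a mismatch here is what shows up on the FTD as "signature do not match".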