1055 Views, 0 Helpful, 1 Replies

AnyConnect4.9 SSO to ADFS Failed (FMC version 7.0.1 FTD version 6.6.5)

MTermeer
Level 1

Hi,

We are trying to configure AnyConnect client 4.9 with SSO to on-prem ADFS, via the FMC (version 7.01) on a FTD1010 (version 6.6.5). Unfortunately we keep getting errors.
When starting to connect with AnyConnect:

1. Start AnyConnect client to URL Service Provider. 

2. Browser pop up; we can login to authenticate (name/password is accepted).

3. After that we get an error notification on the client: "Authentication failed due to problem retrieving the single sign-on cookie."

 

The FMC GUI gives in the VPN Troubleshooting menu: "Failed to consume SAML assertion. reason: Status code is not succes."

The FTD CLI debug 255 gives the following errors:

lsec1-1.2.20/src/openssl/signatures.c:line=493:obj=rsa-sha256:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

Nov 06 10:14:39 [SAML] consume_assertion: Status code is not success
Nov 06 10:14:39
[SAML] consume_assertion:

[saml] webvpn_login_primary_username: SAML assertion validation failed

We found an older bug report (CSCvi23605) about a similar error and deleted and recreated the SSO SAML server config, but with no success.

 

Please advise how to solve this problem. 

Thanx in advance!

MT

1 Accepted Solution

Accepted Solutions

m.termeer
Level 1

Never mind, I found the solution. It appears that I used the wrong certificate. When using MS ADFS (2.0), for the IdP certificate you need the one that's registered under ADFS - Certificates - Token-signing.

I used the general certificate from our ADFS. 

Besides that mistake, I also had to update the Relying Party Trust after some changes. It's an Action in the right column, or under your right mouse button. (It had a yellow warning sign.)

 

Hope it helps someone else.

greetz
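The accepted answer comes down to one check: the IdP certificate uploaded to the SP (the SAML server object on the FTD) has to be the ADFS token-signing certificate, because that is the key ADFS signs assertions with; any other ADFS certificate makes the SP's signature verification fail exactly as the "signature do not match" debug line in the question shows. The following script is an added example, not code from the thread or from Cisco or Microsoft: it reads the ADFS federation metadata (the same document ADFS publishes at /FederationMetadata/2007-06/FederationMetadata.xml), pulls the KeyDescriptor use="signing" certificate, and compares its SHA-256 fingerprint with the certificate you are about to configure. The metadata document and the two PEM blobs are constructed placeholders (short base64 strings, not real certificates); the function names are mine.

```python
"""Check that the IdP certificate configured on the SP is the ADFS token-signing cert.

Added example (not from the original thread). The metadata below is a
constructed stand-in for ADFS FederationMetadata.xml; the base64 blobs are
placeholders, not real DER certificates, so the fingerprints are only
meaningful relative to each other.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: ADFS publishes one KeyDescriptor per role. The
# "signing" entry is the Token-signing certificate shown in the ADFS console.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>RU5DUllQVA==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          U0lHTklORw==
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed PEM blobs standing in for what an admin would upload to the SP.
WRONG_PEM = "-----BEGIN CERTIFICATE-----\nRU5DUllQVA==\n-----END CERTIFICATE-----\n"
RIGHT_PEM = "-----BEGIN CERTIFICATE-----\nU0lHTklORw==\n-----END CERTIFICATE-----\n"


def _normalize_b64(text: str) -> str:
    """Strip PEM armor and all whitespace so metadata and PEM input compare alike
    (ADFS line-wraps the base64 inside X509Certificate)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    return "".join(body.split())


def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the decoded (DER) bytes as colon-separated hex, the form
    `openssl x509 -noout -fingerprint -sha256` prints for a real certificate."""
    der = base64.b64decode(_normalize_b64(b64_cert))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_certificates(metadata_xml: str) -> dict:
    """Return {"signing": [...], "encryption": [...]} from the IDPSSODescriptor.
    A KeyDescriptor without a use attribute is valid for both roles, so it is
    listed under both."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in found else list(found)
        for cert in kd.findall(".//ds:X509Certificate", NS):
            for role in uses:
                found[role].append(_normalize_b64(cert.text or ""))
    return found


def check_configured_idp_cert(configured_pem: str, metadata_xml: str) -> str:
    """Classify the certificate an admin wants to configure on the SP.
    "token-signing": assertions signed by this IdP will verify.
    "encryption-only": the mistake in this thread; verification will fail.
    "unknown": not in the IdP metadata at all (e.g. a service-communication cert)."""
    fp = fingerprint(configured_pem)
    certs = idp_certificates(metadata_xml)
    if fp in {fingerprint(c) for c in certs["signing"]}:
        return "token-signing"
    if fp in {fingerprint(c) for c in certs["encryption"]}:
        return "encryption-only"
    return "unknown"


if __name__ == "__main__":
    for label, pem in (("general/encryption cert", WRONG_PEM), ("token-signing cert", RIGHT_PEM)):
        print(f"{label}: {check_configured_idp_cert(pem, SAMPLE_METADATA)}")
```

Run against real input by replacing SAMPLE_METADATA with the downloaded federation metadata and WRONG_PEM/RIGHT_PEM with the PEM you intend to upload; "token-signing" is the only result under which the SP can verify assertions. Remember that ADFS rolls the token-signing certificate automatically (AutoCertificateRollover), so the same check is worth repeating whenever the relying party trust shows the warning sign mentioned above.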

 
