264 Views, 0 Helpful, 2 Replies

ASA SAML with Entra ID Issue

jf1134
Level 1

Having an issue getting the SAML configuration working with Entra ID on a new ASA. I have one set up in our other Azure tenant that works fine; it's an older ASAv. I went through the same setup process.

ASA Version: 9.20(2)10

When I am setting up the SSO server on the ASA, it looks like there is a new field that's not on the other one: Local Base URL.

It seems like when I log in, it's not able to contact Entra, because it just prompts for a username and password and doesn't go to the Secure Client login.

In Azure:
EntraID Identifier: https://public.domain.com/saml/sp/metadata/Support
Reply URL: https://public.domain.com/+CSCOE+/saml/sp/acs?tgname=Support

 

2 Replies

jelloyd
Cisco Employee
If the authentication challenge is just asking for username/password through the AnyConnect GUI itself, then it's not invoking SAML authentication, which will pop up in a separate AnyConnect embedded browser window. This tells me that it may be hitting the wrong tunnel-group (connection profile), where SAML is not enabled.
 
Can you check that the client's XML profile is configured to connect to the right tunnel-group on the headend VPN device? It will be in the <HostEntry> section at the end of the XML profile, and should look something like this:
 
<HostEntry>
<HostName>VPN Connection</HostName>
<HostAddress>vpn-asa.company.com</HostAddress>
<UserGroup>AnyConnect_Group</UserGroup>
</HostEntry>
 
And then check the tunnel-group configuration on the ASA to make sure that the group-url is set up correctly. For instance, in the example above, the group-url would need to be:
 
 
If it still fails, can you gather the following debugs from the ASA when trying to connect?
  
  debug webvpn saml 255
  debug aaa-common 255
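The check the reply recommends (does the profile's <UserGroup> land the client on a tunnel-group whose group-url exists and has SAML enabled?) is easy to get wrong by eye when several connection profiles share a headend. The script below is an added example, not from the original post or from Cisco: it parses a Secure Client XML profile and an ASA running-config excerpt, derives the group-url each HostEntry will request (https://HostAddress/UserGroup), and reports which tunnel-group that resolves to and whether that tunnel-group has "authentication saml". The profile, config, hostnames, tunnel-group names and tenant ID are constructed placeholders; the parser is also generalised to handle a HostEntry with no UserGroup at all, which is the case where the client silently falls to the default tunnel-group.

```python
"""Consistency check between a Secure Client XML profile and an ASA config.

Added example (not Cisco's tool): per HostEntry, derive the group-url the
client will hit, map it to the ASA tunnel-group that owns that group-url,
and flag groups that are missing or not SAML-enabled.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample profile (placeholder host and group names).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>VPN Connection</HostName>
      <HostAddress>vpn-asa.company.com</HostAddress>
      <UserGroup>Support</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>VPN Legacy</HostName>
      <HostAddress>vpn-asa.company.com</HostAddress>
      <UserGroup>Legacy</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>VPN Typo</HostName>
      <HostAddress>vpn-asa.company.com</HostAddress>
      <UserGroup>AnyConnect_Group</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed ASA config excerpt (placeholder names and tenant ID).
# Only the Support tunnel-group is SAML-enabled; Legacy uses AAA.
SAMPLE_CONFIG = """
tunnel-group Support type remote-access
tunnel-group Support webvpn-attributes
 authentication saml
 group-alias Support enable
 group-url https://vpn-asa.company.com/Support enable
 saml identity-provider https://sts.windows.net/00000000-0000-0000-0000-000000000000/
tunnel-group Legacy type remote-access
tunnel-group Legacy webvpn-attributes
 authentication aaa
 group-url https://vpn-asa.company.com/Legacy enable
"""


def _local(tag):
    """Strip the XML namespace so the profile's default xmlns does not matter."""
    return tag.rsplit("}", 1)[-1]


def parse_host_entries(profile_xml):
    """Return [(HostName, HostAddress, UserGroup or None)] for every <HostEntry>."""
    root = ET.fromstring(profile_xml)
    entries = []
    for he in root.iter():
        if _local(he.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in he}
        entries.append((fields.get("HostName"), fields.get("HostAddress"),
                        fields.get("UserGroup") or None))
    return entries


def parse_tunnel_groups(config_text):
    """Return {tunnel-group: {"saml": bool, "group_urls": [lower-cased urls]}}.

    Only 'tunnel-group <name> webvpn-attributes' blocks are inspected; any
    non-indented line ends the current block, as in ASA config layout.
    """
    groups, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"^tunnel-group (\S+) webvpn-attributes\s*$", line)
        if m:
            current = groups.setdefault(m.group(1), {"saml": False, "group_urls": []})
            continue
        if not line.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("authentication ") and "saml" in cmd.split():
            current["saml"] = True
        m = re.match(r"^group-url (\S+) enable$", cmd)
        if m:
            current["group_urls"].append(m.group(1).lower())
    return groups


def check_profile(profile_xml, config_text):
    """Return one finding dict per HostEntry: host, tunnel_group, status."""
    groups = parse_tunnel_groups(config_text)
    url_to_group = {u: n for n, g in groups.items() for u in g["group_urls"]}
    findings = []
    for host_name, host_addr, user_group in parse_host_entries(profile_xml):
        if not user_group:
            findings.append({"host": host_name, "tunnel_group": None,
                             "status": "no <UserGroup>: client lands on the default tunnel-group"})
            continue
        expected = f"https://{host_addr}/{user_group}".lower()
        tg = url_to_group.get(expected)
        if tg is None:
            status = f"no tunnel-group has group-url {expected}"
        elif not groups[tg]["saml"]:
            status = "tunnel-group reached but 'authentication saml' not set"
        else:
            status = "ok: SAML-enabled tunnel-group"
        findings.append({"host": host_name, "tunnel_group": tg, "status": status})
    return findings


if __name__ == "__main__":
    for f in check_profile(SAMPLE_PROFILE, SAMPLE_CONFIG):
        print(f"{f['host']:<16} -> {f['tunnel_group']!s:<10} {f['status']}")
```

Run it against a profile exported from the client and the output of "show running-config tunnel-group" on the headend; any entry whose status is not "ok" explains a plain username/password prompt without ever touching the IdP, which is the symptom the reply describes.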