ASAv AnyConnect Azure SAML Integration

mumbles202
Level 5

I'm working on an ASAv deployed in Azure and had a working AnyConnect configuration using LDAP to a DC in Azure.  I tried to set up SAML with Azure AD today and while it appears to be partially working, users are unable to connect.  This is my configuration on the ASA:

 

webvpn
 port 444
 enable Outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.03104-webdeploy-k9.pkg 1
 anyconnect enable
 saml idp https://sts.windows.net/GUID/
  url sign-in https://login.microsoftonline.com/GUID/saml2
  url sign-out https://login.microsoftonline.com/GUID/saml2
  base-url https://vpn.mydomain.com:444
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp ASDM_TrustPoint0
  no signature
  no force re-authentication
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
 
 
tunnel-group Group_VPN type remote-access
tunnel-group Group_VPN general-attributes
 address-pool SW-VPN-POOL
 default-group-policy GroupPolicy_Group_VPN
tunnel-group Group_VPN webvpn-attributes
 authentication saml
 group-alias Group_VPN enable
 saml identity-provider https://sts.windows.net/GUID/

And when a user launches AnyConnect it redirects to an Azure login page as expected.  After the user logs in (it seems to want the full UPN rather than just the username) I see the following in a debug on the ASA:

 

[SAML] consume_assertion:
https://sts.windows.net/GUID/ username@mydomain.com
[saml] webvpn_login_primary_username: SAML assertion validation succeeded
webvpn_portal.c:webvpn_login_primary_password[3862]
webvpn_portal.c:webvpn_login_secondary_username[3892]
webvpn_portal.c:webvpn_login_secondary_password[3979]
webvpn_portal.c:webvpn_login_extra_password[4030]
webvpn_portal.c:webvpn_login_set_cookie_flag[4052]
webvpn_portal.c:webvpn_login_set_auth_group_type[4076]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 5
webvpn_portal.c:webvpn_login_aaa_resuming[4097]
webvpn_auth.c:http_webvpn_post_authorize[2367]
http_webvpn_post_authorize: AUTH_ACCEPT, WEBVPN_AUTH_USERNAME = username@mydomain.com
webvpn_auth.c:http_webvpn_auth_accept[2748]
Start timer for verifying token 1A77D50987EE33BE4E5EE7C
Username "username@mydomain.com" added to list with token 1A77D50987EE33BE4E5EE7C
webvpn_remove_auth_handle: auth_handle = 0
http_remove_auth_handle(): handle 0 not found!
webvpn_portal.c:webvpn_login_aaa_resuming[4117]
ewaFormSubmit_webvpn_login() -> redirect status=1 ret='NULL'
webvpn_free_auth_struct: net_handle = 0x00007f00401da050
webvpn_allocate_auth_struct: net_handle = 0x00007f00401da050
webvpn_free_auth_struct: net_handle = 0x00007f00401da050
#0x00007f0001b23d40 (GET). Request line:/+CSCOE+/logon.html
#0x00007f0001b23d40 File to execute: /+CSCOE+/logon.html
#0x00007f0001b23d40 (GET). Request line:/+CSCOE+/saml_ac_login.html
#0x00007f0001b23d40 File to execute: /+CSCOE+/saml_ac_login.html
saml_auth_is_valid_token: SAML ac token being looked 1A77D50987EE33BE4E5EE7C
#0x00007f0001b23d40 (GET). Request line:/+CSCOU+/saml_ac.css
#0x00007f0001b23d40 File to execute: /+CSCOU+/saml_ac.css
#0x00007f0001b23590 (POST). Request line:/
#0x00007f0001b23590 File to execute: /CSCOSSLC/config-auth
saml_ac_v2_process_auth_request: SAML ac token being looked 1A77D50987EE33BE4E5EE7C
SAML AUTH: authentication success
webvpn_session_add() -> key = 0x17F04D77000
webvpn_session_free: 0x04D77000 (19831)
webvpn_session_remove() -> key = 0x17F04D77000
webvpn_session_free: SESS_Mgmt_FreeSession(0x04D77000) (19831)
Public archive directives retrieved from cache for index 1.
#0x00007f0001b23d40 (GET). Request line:/admin/exec/show%20running-config
#0x00007f0001b23590 (GET). Request line:/+CSCOE+/saml/sp/logout
#0x00007f0001b23590 File to execute: /+CSCOE+/saml/sp/logout
Feb 08 20:16:09
[SAML] build_sp_init_logout_request:
https://login.microsoftonline.com/GUID/saml2?SAMLRequest=fZJfa9swFMXf9ymM32VLtvxHIjFLlwwCbRnLaGEvQbHkVmBJnq689uNPcdrSDrYnwdX9nXvu4a5AmHHi1%2B7BzeG7%2BjUrCMmzGS3w5Wedzt5yJ0ADt8Io4KHnh83NNS8yzCfvguvdmL5D%2Fk8IAOWDdjZN9tt1emT11ZemIW3R7MiO0C2pyYZghourXU2rTZMmd8pD7F%2BnEY8QwKz2FoKwIZZwUSJcIMx%2BYMJJzXH7M022cQdtRVioxxAm4Hk%2BugdtM6N778ANwdlRW5X1zuR9XZVRSKC6JARRNjB0Kk8nJAgr2VA1TOI6P29WpN3q%2FPLFhO9epX9PNoN5Ul47%2FyTgUfmzLqeULlgOU25UEFIEkR%2Fuj3ffblf5e52L6G3Mar9NvjpvRPh3iCQjS0VLNCytXBmhx42UXgGknQ4gpNH28%2BHF0f2bo5epl0GXqRM%2FRCoGtbdSPXfHU1G0iikas2AtopIOSJSCoUoOkjRVWzWYXGT%2BIj%2B9Vj9cUvcH&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=SR%2BgDY5QZZNooBKFYBogft%2BIwuW0GLalWr%2FNtRZziOOIyUsNx0pzEUDFajgBBAUe5vUTC5u5WWOEPTFKLgdsv17Pa8aeHLBFzuDlLaFlM1OnNve17yx%2BS8DorX1PC5SQrJhsJsJeIEUryzCxU6cezuQmMktc5q2xyvB5AfJMZD8hnDRrFVFc%2Bh0dP8QGN5gYs7eSDFyhh%2FdQi2%2F0hsHwRJ591k%2BYGEx%2F9sR9jgflTQu331gMGh72gqo%2FYIT11lSpx6BiJcnHw6A9fvx3ma%2FQpnPtzJv3X2sSzsqVAdkKNFB%2Fl1vh6MPGS2eX%2BMApcLQmAaErcmzVmbajU3pqZsLIPA%3D%3D
saml_ac_token_remove: SAML ac token being looked 1A77D50987EE33BE4E5EE7C
saml token ID 1A77D50987EE33BE4E5EE7C removed from table
[SAML] saml_is_idp_internal: getting SAML config for tg SW_VPN
#0x00007f0001b23590 (POST). Request line:/+webvpn+/webvpn_logout.html
#0x00007f0001b23590 Hand-off to emWeb.
webvpn_allocate_auth_struct: net_handle = 0x00007f003c34d9a0
len1/36 < len2/542
length of new buffer 0x00007f00023d6a40 is 578/994 prefix left=294

 The ASA is running 9.16(1)28.


mumbles202
Level 5

When I look in the debug I'm seeing the following:

 

consume_assertion: authorization attribtues found in SAML response. Processing of SAML response attributes is not supported on this platform

I downloaded the Base64 certificate from Azure and copied the text over to the ASA as part of the setup.  And for the SP cert I used the publicly signed cert on the external facing interface of the ASA.

Milos_Jovanovic
VIP Alumni

Hi @mumbles202,

What is the entity ID and ACS configured on Azure side?

Given that you are using the non-standard port TCP/444, this needs to be reflected in those URLs too I believe.

Kind regards,

Milos
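The entity ID / ACS question above, worked through as an added example (this is not code from the thread, from Cisco, or from either poster). It assumes the Cisco-documented ASA pattern for the SP Entity ID (https://<base-url>/saml/sp/metadata/<tunnel-group>) and ACS URL (https://<base-url>/+CSCOE+/saml/sp/acs?tgname=<tunnel-group>); confirm the exact strings on your own box with `show saml metadata <tunnel-group>` before pasting them into the Azure enterprise application. Because `base-url` carries the :444, both values must carry it too. The script also decodes a SAML HTTP-Redirect request (URL-encoded, base64, raw DEFLATE, exactly the form of the SAMLRequest in the debug above) and compares its Issuer with what Azure has been told; the LogoutRequest it decodes is one it builds itself, not the one from the debug, and the helper names are illustrative. One caveat from the debug output: the logout line says "getting SAML config for tg SW_VPN" while the posted config names the tunnel group Group_VPN, so compare against whichever name your metadata actually reports.

```python
"""Derive the ASA SP identity for Azure AD and check an SP-initiated SAML request against it.

Added example, not the thread's or Cisco's code. Entity ID / ACS patterns are
an assumption taken from Cisco's ASA SAML documentation; verify with
`show saml metadata <tunnel-group>`. The LogoutRequest below is constructed.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def asa_sp_identity(base_url: str, tunnel_group: str) -> dict:
    """Values to enter as Identifier (Entity ID) and Reply URL (ACS) in Azure.

    The port in `base-url` (e.g. :444) is part of both strings. Pattern assumed
    from Cisco documentation; check `show saml metadata` on the ASA.
    """
    base = base_url.rstrip("/")
    return {
        "entity_id": f"{base}/saml/sp/metadata/{tunnel_group}",
        "acs_url": f"{base}/+CSCOE+/saml/sp/acs?tgname={tunnel_group}",
    }


def build_logout_request(issuer: str, destination: str, name_id: str) -> str:
    """Constructed sample LogoutRequest in the shape an SP sends to the IdP."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_example" Version="2.0" IssueInstant="2022-02-08T20:16:09Z" '
        f'Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        "</samlp:LogoutRequest>"
    )


def redirect_url(idp_url: str, xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return f"{idp_url}?SAMLRequest={quote(base64.b64encode(raw).decode(), safe='')}"


def decode_redirect_url(url: str) -> dict:
    """Reverse the binding and pull out the fields worth checking."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)  # also percent-decodes %2B/%2F/%3D
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode())
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "type": root.tag.split("}")[1],
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "sent_to": f"{parts.scheme}://{parts.netloc}{parts.path}",
    }


def check_sp_request(url: str, azure_entity_id: str, idp_url: str) -> list:
    """Return mismatches between what the ASA sent and what Azure/IdP expect; [] is good."""
    req = decode_redirect_url(url)
    problems = []
    if req["issuer"] != azure_entity_id:
        problems.append(f"Issuer {req['issuer']!r} != Azure Identifier {azure_entity_id!r}")
    if req["destination"] != idp_url:
        problems.append(f"Destination {req['destination']!r} != IdP URL {idp_url!r}")
    if req["sent_to"] != idp_url:
        problems.append(f"request sent to {req['sent_to']!r}, not {idp_url!r}")
    return problems


if __name__ == "__main__":
    base, tg = "https://vpn.mydomain.com:444", "Group_VPN"
    idp = "https://login.microsoftonline.com/GUID/saml2"
    expected = asa_sp_identity(base, tg)
    print("Configure in Azure:", expected)
    # ASA built with base-url lacking the port: Issuer will not match Azure.
    wrong = redirect_url(idp, build_logout_request(
        "https://vpn.mydomain.com/saml/sp/metadata/Group_VPN", idp, "username@mydomain.com"))
    print(check_sp_request(wrong, expected["entity_id"], idp))
```

Paste the real logout URL from `debug webvpn saml` into `decode_redirect_url` to see what your ASA is actually announcing as its Issuer; the Signature and SigAlg parameters in the query (rsa-sha1 in the debug above) are ignored here, so this checks identity consistency only, not the signature.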

Thanks for the response.  Ended up being a DAP profile issue that I was able to fix and confirm working.  

nwarner
Level 1

I am having the same issue. How did you resolve this in the DAP profile?