Authentication failed due to problem retrieving the SSO cookie

masees85
Level 1

Hello, 

We have a bunch of ASA devices in different branches. We are trying to upgrade them, but after the upgrade the SSO (SAML) stops working (different IOSs and versions). After rolling back, everything works normally. I have tried almost everything to solve it, and nothing helps.

Please advise.

Thank you

2 Replies

Marvin Rhoads
Hall of Fame

I've not seen an ASA version upgrade cause SAML authentication to fail.

All of your branch ASAs use remote access VPN with SAML?

We can usually troubleshoot this with a debug from the CLI: "debug webvpn saml 255". If you can compare that output for a working vs. non-working setup, it should highlight the problem more clearly.

Thank you Marvin for your reply. I can't post the entire debug here because of security, but I did what you told me to do. The difference is that the non-working one stops at "[SAML] saml_is_idp_internal: getting SAML config for tg TUNNEL-GROUP-NAME" (the third line), and the working one just continues without issues.

Again, the non-working one is asa992-85-lfbff-k8.SPA; originally it was asa992-74-lfbff-k8.SPA. If I roll back to 9.9(2)-74 it will work. All other sites are the same.

I did almost everything: re-installed the cert, the webvpn, the tunnel group (caps and without), removed the Azure side and created it again. It didn't help.

Never seen something like that before.

Thank you