06-29-2020 02:52 AM
Is this possible?
I'm authenticating AnyConnect via SAML/Azure AD, but wish to have multiple tunnel groups. I'm aware I'm presently unable to have multiple IdP trustpoints, so all users are lumped into the same authentication group; however, each tunnel group represents different networks you're able to access, and I need to be able to authenticate to both via the same SSO setup.
However, when I add the same SAML URL into a 2nd tunnel group, I am able to authenticate fine, but this then breaks access to the original tunnel group that was configured: I get an "Authentication failed due to problem retrieving the single sign-on cookie".
I end up having to tear down the entire config on both the ASA and on Azure and re-issue a new IDP cert to get it all working again.
Any ideas?
Cheers
Rich
06-29-2020 08:50 AM
I suspect this is due to the issue with how the ASA caches the SAML IdP information. That's the same thing that makes us remove and re-add the SAML on a webvpn config whenever we change the IdP parameters.
I'd recommend opening a TAC case to verify.
You may have to consider other access restriction methods like per user or per group ACLs (vpn filter or ISE DACLs).
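As an added illustration of the per-group ACL approach mentioned in this reply (not configuration from the original poster or from Cisco), the fragment below keeps a single SAML IdP on one tunnel group and restricts what each group of users can reach with a vpn-filter on their group-policy. The IdP URL, trustpoint names, ACL names, subnets and pool addresses are placeholders; how a user lands in GP-FINANCE versus GP-ENGINEERING (for example an LDAP attribute map or an ISE authorization server mapping memberOf to Group-Policy) is assumed and not shown.

```cisco
! ---- Single SAML IdP definition (placeholder values) ----
webvpn
 saml idp https://login.example-idp.invalid/placeholder-tenant
  url sign-in https://login.example-idp.invalid/placeholder-tenant/saml2
  url sign-out https://login.example-idp.invalid/placeholder-tenant/logout
  trustpoint idp IDP-TRUSTPOINT-PLACEHOLDER
  trustpoint sp SP-TRUSTPOINT-PLACEHOLDER
  no signature
  force re-authentication

! ---- One tunnel group authenticates everyone against that IdP ----
ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

tunnel-group TG-SSO type remote-access
tunnel-group TG-SSO general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GP-DENY-ALL
 ! authorization-server-group <assumed LDAP/ISE server group> would
 ! return the Group-Policy attribute that selects GP-FINANCE or GP-ENGINEERING
tunnel-group TG-SSO webvpn-attributes
 authentication saml
 saml identity-provider https://login.example-idp.invalid/placeholder-tenant

! ---- vpn-filter ACLs: source is the client pool, destination is the
!      protected network; everything not permitted is dropped ----
access-list VPNF-FINANCE extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPNF-FINANCE extended deny ip any any

access-list VPNF-ENGINEERING extended permit ip 10.10.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list VPNF-ENGINEERING extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.70.10 eq 22
access-list VPNF-ENGINEERING extended deny ip any any

access-list VPNF-DENY-ALL extended deny ip any any

! ---- Group policies: same SSO login, different reachable networks ----
group-policy GP-DENY-ALL internal
group-policy GP-DENY-ALL attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPNF-DENY-ALL

group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPNF-FINANCE

group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPNF-ENGINEERING
```

The default group-policy is deliberately deny-all, so a user whose authorization lookup returns nothing gets a tunnel that can reach nothing rather than the broadest policy. After a change to the ACLs, `show vpn-sessiondb detail anyconnect` lists the filter applied to each live session, which is the quickest way to confirm a user received the policy you expected.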
05-06-2021 11:30 AM
Did you get this working?