04-22-2024 01:41 AM
Hi,
We are trying to implement Azure SAML SSO on our Firepower 1010.
We are using ASA 9.19.1 and Secure client 5.0.02075.
When we try the login via Azure by clicking "Test this application", the login works and there are no errors in the logs. The connection is visible in ASDM > Monitoring > VPN > VPN Statistics > Sessions.
When we try to login using the Secure client or weblogin, we are greeted with a blank page. The logs have these messages:
3 | Apr 22 2024 | 11:07:03 | 717027 | Certificate chain failed validation. No suitable trustpoint was found to validate chain. |
3 | Apr 22 2024 | 11:07:03 | 717009 | Certificate validation failed. No suitable trustpoints found to validate certificate serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, issuer name: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US. |
6 | Apr 22 2024 | 11:07:00 | 717022 | Certificate was successfully validated. serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US. |
6 | Apr 22 2024 | 11:07:00 | 717028 | Certificate chain was successfully validated with warning, revocation status was not checked. |
3 | Apr 22 2024 | 11:07:00 | 717027 | Certificate chain failed validation. No suitable trustpoint was found to validate chain. |
3 | Apr 22 2024 | 11:07:00 | 717009 | Certificate validation failed. No suitable trustpoints found to validate certificate serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, issuer name: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US. |
When we test the login via Azure, there are no logs about the certificate.
CLI command debug webvpn saml 255 gives message:
[SAML] build_authnrequest:https://login.microsoftonline.com/URL REMOVED.
SAML AUTH: SAML hash table cleanup periodic task
Any help is much appreciated!
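An added triage helper for log exports like the one quoted above (this is example code, not from the original post, from Cisco, or from any poster in this thread). It parses the pipe-delimited ASDM rows into fields, pulls the subject and issuer out of the 717009/717022 messages, and lists which certificate chains the ASA reported "no suitable trustpoint" for. The sample rows are constructed from the post's own redacted lines; the message-ID set and the field layout are assumptions taken from what the post shows.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample modelled on the ASDM log export quoted in the post above.
# Serial numbers were already redacted by the poster; "S/N REMOVED" is kept verbatim.
SAMPLE_LOG = """\
3 | Apr 22 2024 | 11:07:03 | 717027 | Certificate chain failed validation. No suitable trustpoint was found to validate chain. |
3 | Apr 22 2024 | 11:07:03 | 717009 | Certificate validation failed. No suitable trustpoints found to validate certificate serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, issuer name: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US. |
6 | Apr 22 2024 | 11:07:00 | 717022 | Certificate was successfully validated. serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US. |
6 | Apr 22 2024 | 11:07:00 | 717028 | Certificate chain was successfully validated with warning, revocation status was not checked. |
"""

# ASA syslog IDs seen in the thread; 717009 and 717027 are the "no suitable trustpoint" failures.
# Assumption: only these two IDs are treated as trustpoint failures here.
TRUSTPOINT_FAILURE_IDS = {"717009", "717027"}

# Subject DNs contain commas, so stop the subject at ", issuer name: " when that marker is present.
SUBJECT_RE = re.compile(
    r"subject name: (?P<subject>.+?)(?:, issuer name: (?P<issuer>.+?))?\.?\s*$"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one 'sev | date | time | msgid | text |' row into a dict, or None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if parts and parts[-1] == "":       # the trailing pipe leaves an empty field
        parts.pop()
    if len(parts) < 5 or not parts[3].isdigit():
        return None
    severity, date, clock, msg_id, *rest = parts
    text = " | ".join(rest)             # re-join in case the message itself contained a pipe
    event: Dict[str, Optional[str]] = {
        "severity": severity, "date": date, "time": clock, "msg_id": msg_id,
        "text": text, "subject": None, "issuer": None,
    }
    m = SUBJECT_RE.search(text)
    if m:
        event["subject"] = m.group("subject")
        event["issuer"] = m.group("issuer")   # None for 717022, which names no issuer
    return event


def parse_asa_log(raw: str) -> List[Dict[str, Optional[str]]]:
    """Parse every non-empty line; malformed rows are skipped rather than raising."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def trustpoint_failures(events):
    """Return only the rows whose message ID is a trustpoint validation failure."""
    return [e for e in events if e["msg_id"] in TRUSTPOINT_FAILURE_IDS]


def summarize(events):
    """Count message IDs and list every distinct subject/issuer pair the ASA could not chain."""
    counts = Counter(e["msg_id"] for e in events)
    failed_pairs = sorted({(e["subject"], e["issuer"]) for e in trustpoint_failures(events)
                           if e["subject"] is not None})
    return {"counts": dict(counts), "failed_chains": failed_pairs}


if __name__ == "__main__":
    evs = parse_asa_log(SAMPLE_LOG)
    report = summarize(evs)
    for msg_id, n in sorted(report["counts"].items()):
        print(f"{msg_id}: {n}")
    for subject, issuer in report["failed_chains"]:
        print(f"no trustpoint for {subject} (issuer {issuer})")
```

The report only narrows the question to which leaf and issuer the ASA reported it could not chain; as the thread's later reply shows, the underlying cause can sit elsewhere (here, DNS settings in the VPN profile), so the output is a starting point for comparing the working and failing flows, not a diagnosis by itself.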
04-23-2024 03:13 AM
I found your post and while we use an ASA5516-x and an older software version we seem to have a similar issue. We have tracked it to the latest MS Edge or Google Chrome browsers. For most of our engineers the Anyconnect client keeps working (we use Duo SAML) but the webportal to download the client only works in Firefox. As soon as we downgrade to the previous Edge or Chrome those browsers also work. We have had 2 - 3 users complain that their client won't work anymore either, but so far that is it.
Could you check if your webportal works in Firefox or the older Edge/Chrome to confirm we might hit the same issue?
Gr
Roy
04-23-2024 04:10 AM
Hello Roy,
We tried using Firefox and the same blank page haunts us. Also downgrading Edge had no effect.
The weird thing is that the login works via Azure on every platform.
04-23-2024 04:52 AM
Hmm, looks to be a different issue then.
We have a case open with Cisco, if anything interesting pops up I'll let you know.
04-25-2024 05:34 AM
We figured it out: there were misconfigured DNS settings in the VPN profile.
Now SAML works as intended.