Can two AnyConnect connection profiles use the same SAML IdP?

lina.cao
Level 1

I would like to have my two connection profiles "DefaultWEBVPNGroup" and "Azure_MFA" use SAML authentication, and I have already configured both certificates in the ASA. But I just realized that in the SAML IdP I can only configure one "trustpoint idp" for a unique tunnel group profile...

My question is: how do I make both AnyConnect profiles use SAML authentication at the same time? Thanks!

webvpn
 saml idp https://sts.windows.net/******/
  url sign-in https://login.microsoftonline.com/****/
  url sign-out https://login.microsoftonline.com/***/
  trustpoint idp <tunnel-group name>
  trustpoint sp ASDM_TrustPoint1
  no force re-authenticate
  no signature
  base-url https://.....

15 Replies

groupccologin
Level 1

Hi, did you ever get a resolution for this, as we are hitting the same issue?

Damian

Milos_Jovanovic
VIP Alumni

Hi @groupccologin,

Yes, you can use the same IdP within multiple tunnel groups.

What is wrong in the initial statement here is that for the "trustpoint idp" command you are supposed to use the trustpoint containing the certificate used in the Azure application, not the tunnel-group.

You can find a great configuration guide here.

BR,

Milos

MaErre21325
Level 1

Hello @Milos_Jovanovic ,

Is there a guide to do the same on a Firepower via the GUI?
Furthermore, is the "trustpoint sp ASDM_TrustPoint1" mandatory, or can I just use the "trustpoint idp" [IdP Trustpoint]?

lina.cao
Level 1

Hi guys,

I have found the solution. It is not on the VPN side.

There is a function on Azure SAML: by enabling "Advanced SAML claims options" - "Append application ID to issuer" under the VPN profile,

you can see the "Application ID" under Properties. On the ASA, you can then use saml idp + Application ID, which looks like this:

webvpn
 saml idp https://sts.windows.net/{{ idp }}/{{ Application ID }}

So you can create multiple profiles for SAML auth by using different application IDs.

Hello Lina,

Can you post a screenshot regarding the Azure side?
I would like to use only one SAML IdP and more than one connection profile on the Firepower.

Hi Lina,

What certificate should the second enterprise application use? Is it possible to use the same SAML certificate from the first enterprise application? If yes, can you share with me how? I downloaded the .cer file from the first application, but when I try to upload it to the second application, it asks for a .pfx file and a password.

[screenshot: aumali_0-1689295322959.png]

Please share with me your workaround with regards to the SAML certificate on both applications. Thanks!

Regarding this, I just downloaded the certificate for the new application, uploaded it to the ASA, and used it under the saml idp configuration for my backup VPN.

I implemented this solution and it worked! Thanks @lina.cao !

@lina.cao @aumali We are facing the same scenario in our product, where we have multiple tunnel groups in the ASA for Cisco AnyConnect and a single Azure tenant where a separate Enterprise Application is set up for each tunnel group. When I configured the SAML IdP using the "saml idp https://sts.windows.net/{{ idp }}/{{ Application ID }}" method on the ASA it accepted that config; however, when I tried accessing AnyConnect for that tunnel group I got the error "Authentication failed due to problem retrieving the single sign-on cookie" after entering my Azure credentials on the client machine.

Not sure how it's working for you guys.

Hi @aaggarwal23, can you provide the information below?

1. ASA version
2. Are you using the same certificate (used for signing the assertion) on Azure for those multiple Enterprise Applications, or are you leaving it at the default?
3. Would you be able to enable the debug below, replicate the issue, and provide the output?

debug webvpn saml 255

Hi @aaggarwal23 

You need to enable "Append application ID to issuer" under Attributes & Claims > Advanced SAML claims options on both Azure Enterprise Applications where the VPN is enabled (see the screenshot from @lina.cao on 02-20-2023 07:56 AM).

Also make sure both certificates are uploaded to the ASA. Configure two tunnel groups, two saml IdPs, and two VPN URLs.

@aumali Thanks for your prompt reply.

I am able to get it through after enabling the above option in Azure. There was also an issue with the SAML idp configuration I had done: in the URL, after putting the Application ID, I mistakenly added a / at the end. I removed it and it started working fine, as expected.

Thanks for your help.

lina.cao is right.

After a lot of debugging I could implement this solution, even with the DefaultWEBVPNGroup and a 2nd group which only uses a different group-url (no tunnel-group alias is used, and no 'tunnel-group-list enable' under the webvpn config is used).

Be careful, there are a few things you should take a closer look at:

- The option 'Append application ID to issuer' must be enabled only in the 2nd, 3rd, ... group, not in the first one, which uses the normal identity string.
- In the webvpn config, the saml idp line has to end with a '/' in the normal/first group, like 'saml idp https://sts.windows.net/{{ idp }}/'
- The other groups, which use the format saml idp https://sts.windows.net/{{ idp }}/{{ Application ID }}, are NOT allowed to use a '/' at the end.
- The Reply URL in Azure has to use the tunnel-group name as well (the pattern hint in the web interface is confusing), like:
https://my-asa-domain/+CSCOE+/saml/sp/acs?tgname=my-tunnel-group
- Do not use the group-url path (for example /my-tunnel-group) in the base-url config under webvpn, only the FQDN (https://my-asa-domain).
- Do not use the group-url in the Identifier (Entity ID) or Reply URL in Azure.

I also implemented a solution with a 3rd-party SSL cert imported into every AnyConnect Enterprise App and into the (single) ASA webvpn idp config.
I had some issues with specific self-signed SSL certs (some key lengths are not allowed; error when trying to import the .pkcs12).
But in general this solution works too, to use several VPNs / tunnel-groups with Azure SAML MFA.
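Putting lina.cao's application-ID approach and the caveats above together, here is an illustrative ASA configuration for two tunnel groups against one Azure tenant with two Enterprise Applications. It is an added example, not config posted by anyone in this thread; the tenant ID, application ID, the trustpoint names AzureApp1_IdP and AzureApp2_IdP, the group-url path /mfa and the domain my-asa-domain are placeholders.

```text
! Constructed example: two tunnel groups, one Azure tenant, two Enterprise Apps.
! Placeholders: <tenant-id>, <app-id-2>, my-asa-domain; trustpoint names assumed.
webvpn
 enable outside
 ! First (default) group: normal issuer string, which MUST end with '/'
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp AzureApp1_IdP
  trustpoint sp ASDM_TrustPoint1
  no force re-authenticate
  no signature
  base-url https://my-asa-domain
 ! Second group: 'Append application ID to issuer' is enabled in Azure,
 ! so the entity ID carries the app ID and must NOT end with '/'
 saml idp https://sts.windows.net/<tenant-id>/<app-id-2>
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp AzureApp2_IdP
  trustpoint sp ASDM_TrustPoint1
  no force re-authenticate
  no signature
  base-url https://my-asa-domain
!
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
!
tunnel-group Azure_MFA type remote-access
tunnel-group Azure_MFA webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/<app-id-2>
 ! group-url path is deliberately different from the tunnel-group name;
 ! the Azure Entity ID and Reply URL reference the tunnel-group name, not this path
 group-url https://my-asa-domain/mfa enable
!
! Azure side for the second Enterprise App (constructed values):
!   Identifier (Entity ID): https://my-asa-domain/saml/sp/metadata/Azure_MFA
!   Reply URL:              https://my-asa-domain/+CSCOE+/saml/sp/acs?tgname=Azure_MFA
```

Each tunnel group references its own saml idp entity ID, and the base-url stays the bare FQDN in both blocks.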

lina.cao
Level 1

Enable "Append application ID to issuer" under Attributes & Claims, see below:

[screenshot: linacao_1-1676908458731.png]

Then you can get the application ID under "Overview":

[screenshot: linacao_0-1676908324009.png]