Can two AnyConnect connection profiles use the same SAML IdP?

lina.cao
Beginner

I would like to have my two connection profiles "DefaultWEBVPNGroup" and "Azure_MFA" use SAML authentication, and I have already configured both certificates on the ASA. But I just realized that in the SAML IdP, I can only configure one "trustpoint idp" for a unique tunnel group profile...

 

My question is: how do I make both AnyConnect profiles use SAML authentication at the same time? Thanks!

 

webvpn
 saml idp https://sts.windows.net/******/
  url sign-in https://login.microsoftonline.com/****/
  url sign-out https://login.microsoftonline.com/***/
  trustpoint idp <tunnel-group name>
  trustpoint sp ASDM_TrustPoint1
  no force re-authenticate
  no signature
  base-url https://.....

14 Replies

groupccologin
Beginner

Hi, did you ever get a resolution for this, as we are hitting the same issue?

Damian 

Milos_Jovanovic
VIP Alumni

Hi @groupccologin,

Yes, you can use the same IdP within multiple tunnel groups.

What is wrong in the initial statement here is that for the "trustpoint idp" command, you are supposed to use the trustpoint containing the certificate used in the Azure application, not the tunnel-group.

You can find a great configuration guide here.

BR,

Milos

MaErre21325
Beginner

Hello @Milos_Jovanovic ,

is there a guide to do the same on a Firepower via the GUI?
Furthermore, is the "trustpoint sp ASDM_TrustPoint1" mandatory, or can I just use the "trustpoint idp" [IdP Trustpoint]?

 

lina.cao
Beginner

Hi guys,

I have found the solution. It is not on the VPN side.

There is a function in Azure SAML: by enabling "Advanced SAML claims options" > "Append application ID to issuer" under the VPN profile,

you can get the "Application ID" under Properties. On the ASA, you can then use saml idp + Application ID, which looks like this:

webvpn
 saml idp https://sts.windows.net/{{ idp }}/{{ Application ID }}

So you can create multiple profiles for SAML auth by using different Application IDs.
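Putting the thread's answer together, the following is an added example (not configuration posted by anyone in this thread) of a two-tunnel-group ASA setup in which each tunnel group is bound to its own Azure enterprise application, with "Append application ID to issuer" enabled on both. TENANT_ID, APP_ID_1, APP_ID_2, the trustpoint names, vpn.example.com and the tunnel-group names are assumed placeholders; the sign-in/sign-out URLs are the Azure "Login URL"/"Logout URL" shown on each application's SAML sign-on page and follow the URL shapes in the original question.

```cisco
! Added example, not from this thread. Placeholders (assumptions):
!   TENANT_ID          - Azure tenant (directory) ID
!   APP_ID_1, APP_ID_2 - Application ID of each Azure enterprise app
!   vpn.example.com    - the ASA's base URL
!
! 1. One trustpoint per Azure enterprise application, holding the signing
!    certificate downloaded from that application (each app has its own
!    certificate, as noted later in the thread).
crypto ca trustpoint AZURE_APP1_IDP
 enrollment terminal
crypto ca authenticate AZURE_APP1_IDP
! (paste the Base64 certificate from enterprise application 1, then "quit")

crypto ca trustpoint AZURE_APP2_IDP
 enrollment terminal
crypto ca authenticate AZURE_APP2_IDP
! (paste the Base64 certificate from enterprise application 2, then "quit")

! 2. One "saml idp" entry per application. With "Append application ID to
!    issuer" enabled, the Issuer in the assertion becomes
!    https://sts.windows.net/TENANT_ID/APP_ID and the "saml idp" string must
!    match it exactly: no trailing slash after the application ID (the
!    trailing slash is the mistake reported later in this thread).
!    "trustpoint idp" = the Azure app's signing certificate (verifies the
!    assertion); "trustpoint sp" = the ASA's own certificate.
webvpn
 saml idp https://sts.windows.net/TENANT_ID/APP_ID_1
  url sign-in https://login.microsoftonline.com/TENANT_ID/saml2
  url sign-out https://login.microsoftonline.com/TENANT_ID/saml2
  trustpoint idp AZURE_APP1_IDP
  trustpoint sp ASDM_TrustPoint1
  no force re-authenticate
  no signature
  base-url https://vpn.example.com
 saml idp https://sts.windows.net/TENANT_ID/APP_ID_2
  url sign-in https://login.microsoftonline.com/TENANT_ID/saml2
  url sign-out https://login.microsoftonline.com/TENANT_ID/saml2
  trustpoint idp AZURE_APP2_IDP
  trustpoint sp ASDM_TrustPoint1
  no force re-authenticate
  no signature
  base-url https://vpn.example.com

! 3. Each tunnel group points at its own IdP entry, so the two connection
!    profiles never share an issuer.
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT_ID/APP_ID_1

tunnel-group Azure_MFA type remote-access
tunnel-group Azure_MFA webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT_ID/APP_ID_2
 group-url https://vpn.example.com/Azure_MFA enable
```

On the Azure side, each enterprise application needs its own Reply URL of the form https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=<tunnel-group> and its own Identifier (Entity ID) https://vpn.example.com/saml/sp/metadata/<tunnel-group>, which is what "two VPN URLs" in the thread refers to. After any change to a "saml idp" block, re-enter "saml identity-provider" in the affected tunnel group so the ASA picks up the new settings, and use "debug webvpn saml 255" (as suggested later in the thread) if the client reports a failure retrieving the single sign-on cookie.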

Hello Lina,

can you post a screenshot of the Azure side?
I would like to use only one SAML IdP and more than one connection profile on the Firepower.

Hi Lina,

What certificate should the second enterprise application use? Is it possible to use the same SAML certificate from the first enterprise application? If yes, can you share how? I downloaded the .cer file from the first application, but when I try to upload it to the second application, it asks for a .pfx file and a password.

[screenshot: aumali_0-1689295322959.png]

Please share your workaround with regard to the SAML certificate on both applications. Thanks!

Regarding this, I just downloaded the certificate for the new application, uploaded it to the ASA, and used it under the saml idp configuration for my backup VPN.

I implemented this solution and it worked! Thanks @lina.cao !

@lina.cao @aumali We are facing the same scenario in our product, where we have multiple tunnel groups in the ASA for Cisco AnyConnect and a single Azure tenant in which a separate Enterprise Application is set up for each tunnel group. When I configured the SAML IdP using the "saml idp https://sts.windows.net/{{ idp }}/{{ Application ID }}" method on the ASA, it accepted that config; however, when I tried accessing AnyConnect for that tunnel group, I got the error "Authentication failed due to problem retrieving the single sign-on cookie" after entering my Azure credentials on the client machine.

Not sure how it's working for you guys.

Hi @aaggarwal23, can you provide the information below?

1. ASA version
2. Are you using the same certificate (used for signing the assertion) on Azure for those multiple Enterprise Applications, or are you leaving it at the default?
3. Would you be able to enable the debug below, replicate the issue, and provide the output?

debug webvpn saml 255

Hi @aaggarwal23

You need to enable "Append application ID to issuer" under Attributes & Claims > Advanced SAML claims options on both Azure Enterprise Applications where the VPN is enabled (see the screenshot from @lina.cao on 02-20-2023 07:56 AM).

Also make sure both certificates are uploaded to the ASA. Configure two tunnel groups, two saml IdPs, and two VPN URLs.

@aumali Thanks for your prompt reply.

I was able to get through after enabling the above option in Azure. There was also an issue with the saml idp configuration I had done: in the URL, after putting the Application ID, I had mistakenly added a / at the end. I removed it and it started working fine, as expected.

Thanks for your help.

lina.cao
Beginner

Enable "Append application ID to issuer" under Attributes & Claims, see below:

[screenshot: linacao_1-1676908458731.png]

Then you can get the Application ID under "Overview":

[screenshot: linacao_0-1676908324009.png]

 

Salman Mahajan
Cisco Employee

Yes, you can use an identical IdP on FTD; however, it is not possible to configure multiple tunnel groups with the same instance of the Cisco AnyConnect application on Azure. As per Microsoft, if you would like to onboard multiple tunnel groups of the same server, then you need to add multiple instances of the Cisco AnyConnect application. Please refer to the link below.

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect 
