Cisco Anyconnect integration with AZURE SAML

cammy.busto · ‎06-29-2021

Hi,

Is anyone can help me regarding the error encountered when connecting to Anyconnect? I have an integrated AZURE SAML w/ Cisco ASA for authentication.

Here's my configuration

webvpn
saml idp https://sts.windows.net/x/ - [Azure AD Identifier]
url sign-in https://login.microsoftonline.com/x - [Login URL]
url sign-out https://login.microsoftonline.com/x – Logout URL
trustpoint idp AzureAD-AC-SAML
trustpoint sp ASDM-Trustpoint0
no force re-authentication
no signature
base-url https://0.0.0.0

I just want to confirm if the trustpoint sp ASDM-Trustpoint0 must be a public signed certificate? I'm getting error when redirecting to microsoft via Anyconnect.

This site is not secure

This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

The website’s security certificate is not secure.

Error Code: 0

Appreciate your help. Thank you.

RCGTesta · ‎10-10-2022

Same error here. It seems that need a public certificate. If you install selfsigned certificate the connection is successfully

Aref Alsouqi · ‎10-10-2022

The certificate you download from Azure and you import into FMC will be used to establish a trust relationship between the FTD and Azure (IdP). On that certificate enrolment you would need to select "skip check for CA flag".

Ivan Marinovic · ‎10-06-2023

How did you resolve it. we use no ca-check but still geting same error.

AhrarM · ‎12-21-2023

Did anyone find a fix for this issue? I am experiencing same behavior.

webvpn
saml idp https://sts.windows.net/x/ - [Azure AD Identifier]
url sign-in https://login.microsoftonline.com/x - [Login URL]
url sign-out https://login.microsoftonline.com/x – [Logout URL ]
trustpoint idp AzureAD-AC-SAML
trustpoint sp External-CA-VPN-CERT
no force re-authentication
no signature
base-url https://0.0.0.0

Ruben Cocheno · ‎12-22-2023

@AhrarM

Use your own cert as SP

Not sure if you came across this guide https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

AhrarM · ‎01-03-2024

Hi Ruben,

Thankyou for your response. We are using public signed CA cert for SP at the moment. This cert is generated for our VPN.

When you say "use your own cert as SP" which own cert are you referring to? Are you suggesting for self-signed?

Ivan Marinovic · ‎12-22-2023

yes as Ruben answered you we generated a free certificate on web and everything is working...

nasrul06 · ‎02-05-2024

Mine is same behavior.Can advise how to generate free certificate on web

Ivan Marinovic · ‎02-06-2024

https://getacert.com/selfsignedcert.html. try with this one.

Marvin Rhoads · ‎02-06-2024

The getacert.com certificates will still be self-signed. You need a certificate that is issued by a CA trusted by the iDP (Azure / Entra ID in this case). Otherwise, when the iDP (Azure) attempts to connect securely to the SP (firewall) the lack of trust will cause the connection to fail.