Cisco AnyConnect with Azure Single Sign-On failing with problem retrieving SSO cookie

Michael Fox
Level 1

I am having a problem with my configuration of AnyConnect authentication using Azure Single Sign-On. This configuration was done following the "Configure a SAML 2.0 Identity Provider (IdP)" and "Example SAML 2.0 and Onelogin" sections of the following Cisco CLI Book 3 document:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/webvpn-configure-users.html

When connecting I am getting the message "Authentication failed due to problem retrieving the single sign-on cookie." and within the ASDM logs I am getting "Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message."

So far I have double-checked my certificates and URLs and edited the request signature with no change.

Any suggestions would be greatly appreciated.

20 Replies

J. H.
Level 1

Got the same problem here but XML seems to be created fine.
We're running Remote Access using Firepower FTD 7.0.6 though and configuration is done via FMC.

Can't seem to find any logs in FMC from the attempts on that vpn-group.
The IdP works and users get MFA, but AnyConnect client reports "Authentication failed due to problem retrieving the single sign-on cookie."

Good morning @J. H. 

We have the same setup and the same issue, although ours is intermittent.

Did you get any resolution?

dbooth
Level 1

I recently performed an upgrade of an ASA from v9.8. SAML authentication with multiple tunnel groups worked fine before, but after upgrading we started seeing the dreaded single sign-on cookie message after users attempted to authenticate. I've done some testing using later versions and I am finding that any tunnel group with a . (dot/full stop) in the name causes this error, while other tunnel groups on the same ASA work fine.

Giorgos_Mama
Level 1

Hi there. I had the same issue.

Check once again the certificate downloaded from Azure. That was my fault and resolved after I added the correct cert.

By running the command debug webvpn saml 255

I was getting the error

“[SAML] consume_assertion: Failed to verify signature.

[saml] webvpn_login_primary_username: SAML assertion validation failed”

I also had this issue. In my case it happened after a failover while running 9.16.x.something. We had different connection profiles with different Azure applications and thus different IdP certificates. It did still work for one group, but not anymore for the others.

We then directly upgraded to 9.18.4.22 and used the new feature to pin the IdP certificate in the connection profile corresponding to its Azure application. After that the authentication immediately started to work again.
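
The two replies above (the wrong IdP certificate installed, and several connection profiles each tied to a different Azure application and therefore a different signing certificate) both end in the same "Failed to verify signature" debug line, which says nothing about which certificate the ASA was actually expecting. The triage script below is an added example, not code from any of the posters or from Cisco: it decodes the base64 SAMLResponse that Azure posts to the ASA, pulls the signing certificate Azure embeds in the assertion's KeyInfo, computes its SHA-1 thumbprint (the value the Azure portal shows on the SAML Signing Certificate blade, and what `openssl x509 -noout -fingerprint -sha1` prints for the .cer you installed in the ASA trustpoint), and compares it with the thumbprint you have pinned for the tunnel group the assertion targets. It also flags a dot in the tunnel-group name, following dbooth's observation above. Assumptions: the SP entity ID in the Audience has the usual ASA form `https://<fqdn>/saml/sp/metadata/<tunnel-group>`; the certificate bytes, tenant ID and hostnames in the sample are constructed placeholders; and only the standard library is used, so no XML signature is cryptographically verified, the signing key is only identified.

```python
"""Triage the ASA/FTD 'problem retrieving the single sign-on cookie' error.

Input is the base64 SAMLResponse the IdP posted back (grab it from the
embedded browser's dev tools or from 'debug webvpn saml 255' output).
Output says which tunnel group the assertion targets and whether the cert
that signed it is the one pinned on the ASA for that connection profile.
Standard library only; identifies the signing cert, does not verify the XML signature.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed form of the SP entity ID the ASA advertises per tunnel group.
SP_ENTITY_RE = re.compile(r"/saml/sp/metadata/([^/?#]+)$")


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, uppercase hex: Azure's 'Thumbprint' format."""
    return hashlib.sha1(der).hexdigest().upper()


def diagnose(saml_response_b64: str, pinned: dict) -> dict:
    """pinned maps tunnel-group name -> SHA-1 thumbprint of the IdP cert
    installed on the ASA/FTD for that connection profile."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    out = {"warnings": []}
    issuer = root.find("saml:Issuer", NS)
    out["issuer"] = issuer.text.strip() if issuer is not None else None

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        out["warnings"].append("no plaintext Assertion (encrypted or missing)")
        return out

    audience = assertion.find(".//saml:Audience", NS)
    out["audience"] = audience.text.strip() if audience is not None else ""
    m = SP_ENTITY_RE.search(out["audience"])
    tg = m.group(1) if m else None
    out["tunnel_group"] = tg
    if tg and "." in tg:
        out["warnings"].append(f"tunnel-group name '{tg}' contains a dot")

    # Azure puts the signing cert in KeyInfo; assertion signature first, then response-level.
    path = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert_el = assertion.find(path, NS)
    if cert_el is None:
        cert_el = root.find(path, NS)
    if cert_el is None:
        out["signing_thumbprint"] = None
        out["warnings"].append("no X509Certificate in Signature/KeyInfo")
        return out

    der = base64.b64decode(re.sub(r"\s+", "", cert_el.text))
    tp = sha1_thumbprint(der)
    out["signing_thumbprint"] = tp
    out["pinned_thumbprint"] = pinned.get(tg)
    out["thumbprint_matches"] = pinned.get(tg) == tp
    if tg not in pinned:
        out["warnings"].append(f"no IdP certificate pinned for tunnel-group '{tg}'")
    elif not out["thumbprint_matches"]:
        owners = [g for g, t in pinned.items() if t == tp]  # which profile's cert signed it?
        hint = f"; it is the cert pinned for {owners}" if owners else ""
        out["warnings"].append(
            f"assertion signed by {tp[:16]}..., ASA expects {pinned[tg][:16]}... for '{tg}'{hint}")
    return out


def build_sample_response(tunnel_group: str, signing_cert_der: bytes) -> str:
    """Constructed minimal SAMLResponse for offline testing (no SignedInfo or
    SignatureValue, since only the embedded certificate is examined)."""
    cert_b64 = base64.b64encode(signing_cert_der).decode()
    tenant = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Issuer>{tenant}</saml:Issuer>'
        '<saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f'<saml:Issuer>{tenant}</saml:Issuer>'
        '<ds:Signature><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>'
        '<saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>https://vpn.example.com/saml/sp/metadata/{tunnel_group}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


# Constructed placeholder bytes standing in for the two Azure apps' DER certificates.
CERT_APP_A = b"constructed-DER-placeholder-for-Azure-app-A"
CERT_APP_B = b"constructed-DER-placeholder-for-Azure-app-B"
PINNED = {"VPN-Staff": sha1_thumbprint(CERT_APP_A),
          "vpn.contractors": sha1_thumbprint(CERT_APP_B)}

if __name__ == "__main__":
    # The contractors profile receives an assertion signed with app A's certificate.
    for k, v in diagnose(build_sample_response("vpn.contractors", CERT_APP_A), PINNED).items():
        print(f"{k}: {v}")
```

Run it against a real capture by passing the SAMLResponse form value and a dict built from the thumbprints of the .cer files you installed per connection profile; a mismatch report that names another profile's certificate is the multi-application case described above, and an unknown thumbprint usually means Azure has rolled the signing certificate and the trustpoint needs the new one.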

JJR-BR
Level 1

For someone using FTD managed by FMC, to fix this you would set this configuration on the Authentication tab: check the option to override the IdP certificate and choose the one for the other AnyConnect application you created in Azure. Then it should work fine.
