Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
113675
Views
48
Helpful
19
Replies

Cisco AnyConnect with Azure Single Sign-On failing with problem retrieving SSO cookie

Go to solution
Michael Fox
Level 1
Level 1

‎05-09-2018 07:48 AM - edited ‎03-12-2019 05:16 AM

I am having a problem with my configuration of AnyConnect authentication using Azure Single Sign-On. This configuration was done following the "Configure a SAML 2.0 Identity Provider (IdP)" & "Example SAML 2.0 and Onelogin" sections of the following Cisco CLI Book 3 document:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/webvpn-configure-users.html

 

 When connecting I am getting the message "Authentication failed due to problem retrieving the single sign-on cookie." and within the ASDM logs I am getting "Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message."

 

So far I have double checked my certificates, URL's and edited the request signature with no change.

 

Any suggestions would be greatly appreciated.

27 people had this problem
Labels:
Preview file
29 KB
Preview file
2 KB
0 Helpful
19 Replies 19

Go to solution
J. H.
Level 1
Level 1

‎01-25-2024 03:56 AM

Got the same problem here but XML seems to be created fine.
We're running Remote Access using Firepower FTD 7.0.6 though and configuration is done via FMC.

Can't seem to find any logs in FMC from the attempts on that vpn-group.
The IdP works and users get MFA, but AnyConnect client reports "Authentication failed due to problem retrieving the single sign-on cookie."

0 Helpful

Go to solution
DannyDulin
Level 1
Level 1
In response to J. H.

‎04-17-2024 06:37 AM

Good morning @J. H. 

We have the same setup and the same issue, although ours is intermittent.

Did you get any resulution?

0 Helpful

Go to solution
dbooth
Level 1
Level 1

‎04-26-2024 07:44 AM

I recently performed an upgrade of an ASA from v9.8. SAML authentication with multiple tunnel groups worked fine before but after upgrading we started seeing the dreaded single sign-on cookie message after users attempted to authenticate. I've done some testing using later versions and I am finding that any tunnel group with a . (dot/full stop) in the name cause this error, while other tunnel groups on the same ASA work fine.

0 Helpful

Go to solution
Giorgos_Mama
Level 1
Level 1

‎05-02-2024 06:09 AM

Hi there. I had the same issue.

Check once again the certificate downloaded from Azure. That was my fault and resolved after I added the correct cert.

By running the command debug webvpn saml 255

I was getting the error

“[SAML] consume_assertion: Failed to verify signature.

[saml] webvpn_login_primary_username: SAML assertion validation failed”

0 Helpful

Go to solution
patoberli
VIP Alumni
VIP Alumni
In response to Giorgos_Mama

‎05-02-2024 11:12 AM

I also had this issue. In my case it happened after a failover while running 9.16.x.something. We had different connection profiles with different Azure applications and thus different IdP certificates. It did still work for one group, but not anymore for the others.

We then directly upgraded to 9.18.4.22 and used the new feature to pin the IdP certificate in the connection profile corresponding to its Azure application. After that the authentication immediately started to work again.

0 Helpful
Customers Also Viewed These Support Documents