05-09-2018 07:48 AM - edited 03-12-2019 05:16 AM
I am having a problem with my configuration of AnyConnect authentication using Azure Single Sign-On. This configuration was done following the "Configure a SAML 2.0 Identity Provider (IdP)" & "Example SAML 2.0 and Onelogin" sections of the following Cisco CLI Book 3 document:
When connecting I am getting the message "Authentication failed due to problem retrieving the single sign-on cookie." and within the ASDM logs I am getting "Failed to consume SAML assertion. reason: The profile cannot verify a signature on the message."
So far I have double-checked my certificates and URLs and edited the request signature, with no change.
Any suggestions would be greatly appreciated.
01-25-2024 03:56 AM
Got the same problem here but XML seems to be created fine.
We're running Remote Access using Firepower FTD 7.0.6 though and configuration is done via FMC.
Can't seem to find any logs in FMC from the attempts on that vpn-group.
The IdP works and users get MFA, but AnyConnect client reports "Authentication failed due to problem retrieving the single sign-on cookie."
04-17-2024 06:37 AM
Good morning @J. H.
We have the same setup and the same issue, although ours is intermittent.
Did you get any resolution?
04-26-2024 07:44 AM
I recently performed an upgrade of an ASA from v9.8. SAML authentication with multiple tunnel groups worked fine before, but after upgrading we started seeing the dreaded single sign-on cookie message after users attempted to authenticate. I've done some testing using later versions and I am finding that any tunnel group with a . (dot/full stop) in the name causes this error, while other tunnel groups on the same ASA work fine.
05-02-2024 06:09 AM
Hi there. I had the same issue.
Check once again the certificate downloaded from Azure. That was my fault and resolved after I added the correct cert.
By running the command "debug webvpn saml 255" I was getting the error:
"[SAML] consume_assertion: Failed to verify signature.
[saml] webvpn_login_primary_username: SAML assertion validation failed"
05-02-2024 11:12 AM
I also had this issue. In my case it happened after a failover while running 9.16.x.something. We had different connection profiles with different Azure applications and thus different IdP certificates. It did still work for one group, but not anymore for the others.
We then directly upgraded to 9.18.4.22 and used the new feature to pin the IdP certificate in the connection profile corresponding to its Azure application. After that the authentication immediately started to work again.
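Both of the replies above trace the "cannot verify a signature" failure to the ASA trusting a different IdP certificate than the one Azure is actually signing with. The script below is an added example, not code from this thread or from Cisco: it pulls the signing certificate(s) out of the IdP's federation metadata XML, pulls the certificate presented in a captured SAML Response's KeyInfo (for example from "debug webvpn saml 255" output or a browser SAML trace), and compares fingerprints so you can see the mismatch before touching trustpoints. It uses only the Python standard library, and the metadata, response, and certificate blobs embedded in it are constructed placeholders (not real DER), since only the fingerprint comparison matters here.

```python
"""Added example: compare the IdP signing cert in SAML metadata with the cert
a SAML Response actually carries. All sample data below is constructed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def _b64_payload(el) -> str:
    # Metadata and responses wrap base64 across lines; strip all whitespace.
    return re.sub(r"\s+", "", el.text or "")


def extract_certs(xml_text: str) -> list:
    """Every ds:X509Certificate payload in the document, in document order."""
    root = ET.fromstring(xml_text)
    return [_b64_payload(el) for el in root.iter(f"{{{DS_NS}}}X509Certificate") if el.text]


def signing_certs_from_metadata(metadata_xml: str) -> list:
    """Only KeyDescriptors with use="signing" (or no use attribute) verify
    assertions; an encryption-only key must not be pinned as the IdP cert."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        certs.extend(_b64_payload(el) for el in kd.iter(f"{{{DS_NS}}}X509Certificate") if el.text)
    return certs


def fingerprint(b64_cert: str, algo: str = "sha1") -> str:
    """Hex digest of the decoded certificate bytes (SHA-1 by default, the
    thumbprint form the Azure portal shows)."""
    return hashlib.new(algo, base64.b64decode(b64_cert)).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Assumption: the operator pastes a thumbprint from ASA/FMC/Azure output
    in some mix of case, colons and spaces; reduce it to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def check_response_against_metadata(metadata_xml: str, response_xml: str):
    """Return (match, presented_fingerprints, trusted_fingerprints)."""
    trusted = {fingerprint(c) for c in signing_certs_from_metadata(metadata_xml)}
    presented = {fingerprint(c) for c in extract_certs(response_xml)}
    return bool(presented & trusted), sorted(presented), sorted(trusted)


# ---- constructed sample input (not real certificates or real Azure XML) ----
SAMPLE_CERT_A = base64.b64encode(b"constructed cert A, not real DER").decode()
SAMPLE_CERT_B = base64.b64encode(b"constructed cert B, not real DER").decode()

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_A}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sample_response(cert_b64: str) -> str:
    """A minimal constructed Response whose KeyInfo carries the given cert."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{DS_NS}" ID="_constructed" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


if __name__ == "__main__":
    for label, cert in (("current IdP cert", SAMPLE_CERT_A), ("stale/other app cert", SAMPLE_CERT_B)):
        ok, presented, trusted = check_response_against_metadata(SAMPLE_METADATA, sample_response(cert))
        print(f"{label}: match={ok} presented={presented} trusted={trusted}")
```

If the fingerprint the Response presents is not in the trusted set, the ASA (or FTD) is holding an IdP trustpoint for a different certificate, which is exactly the situation the two posts above fixed by re-importing the Azure certificate or pinning the right one per connection profile; on a multi-application setup, run the check once per connection profile's metadata.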
11-26-2024 10:53 AM
For someone using FTD managed by FMC, to fix this, you would set this configuration on the Authentication tab, check the option to override the IDP Certificate and choose the one for another Application Anyconnect you created in Azure. Then, it should work fine.