03-13-2022 03:33 AM
I have a customer who has deployed their own Single Sign-On server. The server is not using an SSL certificate as the SSO server Identity Provider certificate. The SSO signing certificate is a self-generated certificate which is not using a fully qualified domain name. The CN that is configured on the SSO certificate is "Internal", but the SSO URL is configured with an FQDN. When trying to add this SSO server to the FTD appliance I get the following error:
ERROR: SAML IDP certificate failed Config
Error --saml identity - provider https://host.domain/auth/realms/Internal
Is it possible to add an SSO server which is not using an SSL certificate as the SSO signing certificate to the FTD appliance?
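A pre-flight check for the mismatch described in this question, as an added example that is not from the thread or from Cisco: it builds two constructed self-signed certificates (one with CN=Internal and no SAN, like the customer's, and one that names host.domain) and tests whether the host in the SSO URL appears in the certificate's CN or SAN DNS entries. It assumes openssl 1.1.1 or later is installed; host.domain and the URL are the placeholders from the question.

```shell
#!/bin/sh
# Pre-flight check: does the SAML IdP signing certificate name the host used
# in the SSO URL? Added example, not from the thread. Assumes openssl 1.1.1+;
# the two certificates and the URL below are constructed to mirror the question.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed cert 1: self-signed, CN=Internal, no SAN (the customer's setup).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Internal" \
    -keyout "$WORK/bad.key" -out "$WORK/bad.crt" >/dev/null 2>&1
# Constructed cert 2: same, but with the SSO URL host in CN and SAN (corrected).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=host.domain" \
    -addext "subjectAltName=DNS:host.domain" \
    -keyout "$WORK/good.key" -out "$WORK/good.crt" >/dev/null 2>&1

SSO_URL="https://host.domain/auth/realms/Internal"

# host_from_url URL -> prints the host part of a scheme://host[:port]/path URL
host_from_url() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:].*$##'
}

# cert_names CERT -> prints the subject CN, then each SAN DNS entry, one per line
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -nE 's/.*CN=([^,]+).*/\1/p'
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -nE 's/^[[:space:]]*DNS:(.*)$/\1/p'
}

# idp_cert_matches_url CERT URL -> exit 0 when the URL host is named in the cert
idp_cert_matches_url() {
    cert_names "$1" | grep -qxF "$(host_from_url "$2")"
}

for crt in bad good; do
    if idp_cert_matches_url "$WORK/$crt.crt" "$SSO_URL"; then
        echo "$crt.crt: OK, names $(host_from_url "$SSO_URL")"
    else
        echo "$crt.crt: MISMATCH, names [$(cert_names "$WORK/$crt.crt" | tr '\n' ' ')] not $(host_from_url "$SSO_URL")"
    fi
done
```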
03-14-2022 01:19 PM
ASA supports the following signatures for SAML authentication:
SHA1 with RSA and HMAC
SHA2 with RSA and HMAC
ASA supports SAML 2.0 Redirect-POST binding, which is supported by all SAML IdPs.
The ASA functions as a SAML SP only. It cannot act as an Identity Provider in gateway mode or peer mode.
SAML 2.0 SSO does not support internal SAML IdP and SPs, only external ones outside of the private network.
This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together.
03-13-2022 08:50 PM
FTD currently supports only DUO as a SAML server - https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-identity-sources.html#Cisco_Concept.dita_ce6e942e-4c14-4765-b9f9-5dee000e1c7d
Enhancement bug - CSCvq05412
03-14-2022 12:25 AM
I have setup the ASA appliance with Azure SAML SSO services and it works great. In this article I do not see where it is saying it is only supported by DUO. Could you please tell me where to find that information?
03-14-2022 12:58 AM
Section: SAML Server, refer to the "note" field. Attached a screenshot.
03-14-2022 03:31 AM
Correct, it is supported by Duo but it is also supported by other vendors.