
Clientless VPN and SAML authentication with Azure

Antonio Macia
Level 3

Hello,

I'm testing SAML authentication using Azure AD as the IdP and the ASA as the SP. Login works fine, but the logout fails because the ASA is sending the wrong URL.

Although I've configured the valid URL:

url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

Looking at the requests performed by the browser during the logout, the URL requested is:

https://login.microsoftonline.com/common/wsfederationwa=wsignout1.0 without the '?', so the browser receives a not found error from the server.

Does anyone have this working with Azure?

Regards.

4 Replies

OTooled47
Level 1

Good morning Antonio, I'm looking at this configuration for a client who's looking to add Azure as an IdP against their currently deployed ASAs. Could you forward any reference documentation you found for this design? Everything I've discovered so far references either using the on-prem MFA server or the NPS extension.

Any pointers would be greatly appreciated.

Hello,

I followed the two references below from MS and Cisco. Anyway, I hopefully plan to blog the whole process shortly. I'll update this post once I've published it.

 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/webvpn-configure-users.html

Good luck!

Florian Chr.
Level 1

Hello Antonio,

Your question was asked a long time ago.
But I have run into the same error. Did you find a solution for this error within the last two years?

Thanks and regards,
Florian

Jitse Hijlkema
Level 1

Hi all,

When you check the URL in the ASA, you will see that the question mark in the URL is missing.

This is because when entering or pasting commands into the CLI, the help function is activated as soon as a '?' is typed.

Just before manually entering the '?' in the string you have to press CTRL+V. Now the question mark is added.

After re-applying the 'saml identity-provider' command in your tunnel-group, the SSO sign-out also works.
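As an added example (not code from anyone in this thread), a small Python check over a constructed `show running-config webvpn` excerpt that spots the symptom Jitse describes: a `url sign-out` line whose '?' the CLI swallowed, leaving `wa=wsignout1.0` fused into the path. It generalises the check to any URL whose last path segment carries a key=value pair while the query string is empty; the tenant ID and trustpoint names are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of 'show running-config webvpn' (placeholder tenant and
# trustpoint names, not from the thread). The sign-out line reproduces the
# thread's symptom: the '?' was swallowed by CLI context help.
SAMPLE_CONFIG = """\
webvpn
 saml idp https://sts.windows.net/TENANT-ID-PLACEHOLDER/
  url sign-in https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederationwa=wsignout1.0
  trustpoint idp AZURE-IDP-TRUSTPOINT-PLACEHOLDER
  trustpoint sp ASA-SP-TRUSTPOINT-PLACEHOLDER
  no signature
"""

# One 'url sign-in|sign-out <url>' line inside the saml idp block.
URL_LINE = re.compile(r"^\s+url (sign-in|sign-out)\s+(\S+)\s*$", re.MULTILINE)


def saml_urls(config: str) -> dict:
    """Return {'sign-in': url, 'sign-out': url} as configured on the ASA."""
    return {kind: url for kind, url in URL_LINE.findall(config)}


def check_url(url: str) -> list:
    """Return findings for one IdP URL; an empty list means it looks sane."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("scheme is not https")
    # Generalised form of the thread's symptom: 'wsfederation?wa=wsignout1.0'
    # became 'wsfederationwa=wsignout1.0', i.e. a key=value pair sits in the
    # last path segment while the query string is empty.
    last_segment = parts.path.rsplit("/", 1)[-1]
    if not parts.query and re.fullmatch(r"[^=]+=[^=]*", last_segment):
        findings.append("'?' missing: query parameters fused into the path "
                        "(re-enter the URL, pressing Ctrl+V before the '?')")
    return findings


def audit(config: str) -> dict:
    """Map each configured SAML URL kind to its list of findings."""
    return {kind: check_url(url) for kind, url in saml_urls(config).items()}


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"url {kind}: {status}")
```

Paste the real `show running-config webvpn` output into `SAMPLE_CONFIG` to verify that the fix took effect after re-entering the command.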