07-10-2023 06:38 AM
Hi All,
I'm trying to configure AnyConnect VPN using Azure AD, MFA and SAML.
FMC and FTD are running 7.2.4.
I've followed this YouTube channel. The first thing on the FMC is to enrol a CA-only certificate using the BASE64 cert downloaded from Azure AD; the ID certificate is not available at this stage, and this is used as the IDP in the SSO server settings. In here, I've used a 3rd-party signed certificate for the VPN FQDN (e.g. anyconnect.corpname.com) in PKCS12 format as the Service Provider Certificate, then went on to configure a new tunnel group, but upon finishing the wizard I receive "CA Only cert Azure-AD-IDP not allowed for SSL Global Identity Certificate".
https://www.youtube.com/watch?v=G-e0drDu7fU
I'm lost as to how to complete this and enable SAML SSO with MFA.
Any suggestions are very much appreciated.
Thanks,
07-10-2023 07:39 AM
Turns out, I just needed to change the Authentication Method from "SAML" to "Client Certificate & SAML", which then allowed me to select the Identity cert that's signed by the 3rd party and I was able to finish saving the config.
However, I'm now getting the certificate validation error from AnyConnect client.
Access from browser sends me to AD auth, but to the onprem ADFS server rather than Azure AD.
Not sure if this is us being the Hybrid environment or something else.
I'll have a chat with MS guys and report back.
Thanks,
07-12-2023 01:30 AM
In the end, I've given up on Azure AD SAML and used the on-prem NPS server with the Azure connector. I used this method while we were on ASA and the same method still works.
I'll revisit the Azure AD SAML auth at a later date when our MS guy comes back from holiday.
07-12-2023 05:46 AM
The SP cert would be the SSL cert of the device (can be different as well, but in most deployments we keep it same as the SSL certificate of the device), and the Azure IDP cert will be the CA-Only trustpoint you created.
From the log you shared, "CA Only cert Azure-AD-IDP not allowed for SSL Global Identity Certificate" makes sense, since you are trying to bind a trustpoint which doesn't have an ID cert. You would need to bind the trustpoint which has the ID cert for SSL and as the SP trustpoint in the SAML SSO config.
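A quick pre-enrollment check for the distinction the answer above makes, added here as an example (not Cisco's or the FMC's code): a PEM file holding only a certificate can fill a CA-only trustpoint (the Azure AD IdP cert), whereas the SSL / SP trustpoint needs an identity cert, i.e. certificate plus private key. The script is stdlib-only; the DER scan for CN values is a heuristic, and the sample inputs are constructed stand-ins, not real certificates.

```python
"""Inventory PEM material and report which FMC trustpoint role it can fill."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
CN_OID = bytes.fromhex("0603550403")  # OBJECT IDENTIFIER 2.5.4.3 (commonName)


def common_names(der: bytes) -> list:
    """Heuristic DER scan returning CN values in order (issuer first, then subject)."""
    names, i = [], der.find(CN_OID)
    while i >= 0:
        j = i + len(CN_OID)
        if j + 1 < len(der):
            tag, length = der[j], der[j + 1]
            if tag in (0x0C, 0x13, 0x16) and length < 0x80:  # UTF8/Printable/IA5String
                names.append(der[j + 2 : j + 2 + length].decode("latin-1"))
        i = der.find(CN_OID, j)
    return names


def classify(pem_text: str) -> dict:
    """Return what the PEM contains and the trustpoint role it is usable for."""
    blocks = PEM_BLOCK.findall(pem_text)
    certs = [base64.b64decode(body) for label, body in blocks if label.endswith("CERTIFICATE")]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    encrypted = any("ENCRYPTED" in k for k in keys) or "Proc-Type: 4,ENCRYPTED" in pem_text
    cns = common_names(certs[0]) if certs else []
    subject = cns[1] if len(cns) > 1 else (cns[0] if cns else None)
    if certs and keys:
        role = "identity (usable as SSL / SP trustpoint)"
    elif certs:
        role = "ca-only (IdP trustpoint only; not allowed as SSL identity)"
    else:
        role = "no certificate found"
    return {"certificates": len(certs), "private_key": bool(keys), "encrypted_key": encrypted,
            "subject_cn": subject, "self_signed": len(cns) > 1 and cns[0] == cns[1], "role": role}


def _cn(value: str) -> bytes:  # one CN attribute: OID + UTF8String (constructed helper)
    v = value.encode()
    return CN_OID + bytes([0x0C, len(v)]) + v


def _pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed stand-ins (not real X.509): only the issuer and subject CN bytes a cert carries.
IDP_PEM = _pem("CERTIFICATE", _cn("Azure-AD-IDP") + _cn("Azure-AD-IDP"))
SP_PEM = (_pem("CERTIFICATE", _cn("Example Public CA") + _cn("anyconnect.corpname.com"))
          + _pem("PRIVATE KEY", b"\x30\x00"))

if __name__ == "__main__":
    for name, pem in (("IdP cert", IDP_PEM), ("SP bundle", SP_PEM)):
        print(name, classify(pem))
```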