02-11-2022 09:57 AM
I upgraded an ASAv from 9.8.4 to 9.17.1 and now I cannot log in with SAML. The tunnel-group name does not contain spaces (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq82519?rfs=iqvred), and I even created a tunnel-group called just SAML to keep it as short and simple as possible. Nothing shows up in the debug log on the firewall during the failure, and the message appears instantly, before the user is sent to the IDP.
The SAML configuration all worked in 9.8.4 and nothing changed on the IDP side. Any suggestions?
02-14-2022 04:20 AM
It could be a bug as several things changed with respect to SAML in version 9.17(1).
Are you using the "debug webvpn saml 255" debugging setting?
04-21-2023 07:36 PM
Hello, I have the same problem on FTD version 7.2.2.
Any suggestions?
04-24-2023 02:56 AM
Hi @Okta-tech-partners, I agree that a space in the tunnel-group name can lead to the error "Failed to generate SAML AuthnRequest", but it can't be just due to that.
Did you get a chance to run "debug webvpn saml 255" on the ASA/FTD and reproduce the issue? Were you able to see any output printing?
Would you be able to share the tunnel-group and webvpn config? You can mask the sensitive outputs.
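For readers following this thread, here is an added example (not config from any of the posters) of the two ASA pieces the previous reply asks for, the webvpn SAML IdP stanza and the tunnel-group that references it, followed by the commands used to collect the debug and the SP metadata. The IdP entity ID, URLs, trustpoint names, pool and group-policy names are placeholders and must be replaced with your own values; the quoted tunnel-group name in the trailing comment is shown only to illustrate the space-in-name condition referenced in the bug report linked above, not as a recommended configuration.

```text
! --- Added example, placeholder values ---
! IdP definition under webvpn; the entity ID string must match the
! one the IdP publishes in its metadata and the one referenced below.
webvpn
 saml idp https://idp.example.com/metadata
  url sign-in https://idp.example.com/sso
  url sign-out https://idp.example.com/slo
  trustpoint idp IDP-SIGNING-CERT
  trustpoint sp ASA-SP-CERT
  base-url https://vpn.example.com
  timeout assertion 7200
!
! Tunnel-group name without spaces, as the original poster did.
tunnel-group SAML type remote-access
tunnel-group SAML general-attributes
 address-pool VPN-POOL
 default-group-policy GP-SAML
tunnel-group SAML webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/metadata
 group-alias SAML enable
!
! Avoid this form (name containing a space), which the linked bug
! report associates with "Failed to generate SAML AuthnRequest":
!   tunnel-group "SAML Users" type remote-access
!
! Collecting what the reply asks for (run from privileged EXEC):
!   terminal monitor
!   debug webvpn saml 255
!   (reproduce the login attempt, then)
!   show running-config tunnel-group SAML
!   show running-config webvpn
!   show saml metadata SAML
!   undebug all
```

When posting the output, mask the base-url, entity IDs and any certificate details; the debug output is what shows whether the ASA gets as far as building the AuthnRequest before the error is returned.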