Failed to generate SAML AuthnRequest from Cisco ASA on 9.17.1

I upgraded an ASAv from 9.8.4 to 9.17.1 and now I cannot log in with SAML. The tunnel-group name does not contain spaces (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq82519?rfs=iqvred) and I even created a tunnel-group just called SAML to make it as short and simple as possible. Nothing shows up in the debug log on the firewall during the failure, and the message appears instantly, before the user is sent to the IDP.

The SAML configuration all worked in 9.8.4 and nothing changed on the IDP side. Any suggestions?

3 Replies

Marvin Rhoads
Hall of Fame

It could be a bug as several things changed with respect to SAML in version 9.17(1).

Are you using the "debug webvpn saml 255" debugging setting?

fabiohuber
Level 1

Hello, I have the same problem on FTD version 7.2.2.

Any suggestion?

Salman Mahajan
Cisco Employee

Hi @Okta-tech-partners, agreed that a space in the tunnel-group name can lead to the error "Failed to generate SAML AuthnRequest", but it can't be just due to that.

Did you get a chance to run "debug webvpn saml 255" on the ASA/FTD and reproduce the issue? Were you able to see any output printed?

Would you be able to share the "tunnel-group" and "webvpn" config? You can mask the sensitive outputs.