Firepower VPN with MFA Can't create multiple profiles

0rsnaric (Level 1)

We have a Cisco Firepower 4115 and currently have VPN configured with MFA. Our SSO provider is Azure.

I am trying to add a second profile that has a few differences from our main profile. It also needs to be MFA. But when I add an SSO provider and assign it to the profile, it will not allow me to push the configuration to the firewall. I get this error:

Policy Name: *****
Summary: Duplicate Identity Provider Entity ID.
Description: Selected Single Sign-on Server objects ( AzureSAMLSSO-VPN2,AzureSAMLSSO2-NOSPLIT ) are having duplicate Identity Provider Entity ID ( https://sts.windows.net/*************/ ). 
Cause: Duplicate Identity Provider Entity ID used in Single Sign-on Server objects.
Action: Please use different Single Sign-on Server objects or configure different Identity Provider Entity ID

How can I have two profiles sharing my SSO server? On the O365 side, they are two different applications, ProfileU and ProfileZ. If I just try to share ProfileU's SSO server with ProfileZ, it fails.

Any ideas?

Accepted Solution

BlakeBratu (Cisco Employee)

You will need to use the same SSO object in both of your connection profiles. If they are two different Azure applications, what you can do is enable 'override identity provider certificate' (I believe the option is available in FMC 7.1.0 and above.)

[Screenshot: BlakeBratu_0-1705609319572.png]

You'd use the IDP certificate given to you in Azure for your ProfileZ application, upload it to the FTD, use the same SAML object, and override the certificate utilizing ProfileZ's certificate. The serial number held within the IDP certificate will be used to differentiate the application created for your tunnel-group in Azure (in a non-technical nutshell.) Make sure the duplicate SSO object is removed.

If this option is not available to you, I recommend the suggested workarounds per: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi29084


Worked like a charm. Thank you!
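The following is an added example, not code from this thread, from Cisco or from FMC. It models why the deploy failed and what the accepted answer changes: two Azure enterprise applications in one tenant publish the same Entity ID (`https://sts.windows.net/<tenant-id>/`), so two SSO server objects built from them collide on that ID, while one shared SSO object plus a per-profile IdP certificate override keeps the Entity ID unique and still lets the FTD tell the two applications apart. The metadata documents, certificate bytes and tenant ID are constructed placeholders; `validate_sso_objects` is a simplified stand-in for the FMC's real deploy-time check; and the certificate is identified by a SHA-256 fingerprint of its DER bytes rather than the serial number the answer mentions, which is a simplification, not FMC behaviour.

```python
"""Model of the 'Duplicate Identity Provider Entity ID' failure and the shared-SSO-object fix.

Everything here is constructed for illustration; the FMC's internal validation and the
'override identity provider certificate' implementation are not reproduced from Cisco code.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def azure_metadata(tenant_id, cert_der):
    """Build a minimal, constructed Azure-style IdP metadata document for one enterprise app."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sts.windows.net/{tenant_id}/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return (entityID, SHA-256 fingerprint of the signing certificate) from IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.attrib["entityID"]
    cert_el = root.find(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        NS,
    )
    der = base64.b64decode("".join(cert_el.text.split()))
    return entity_id, hashlib.sha256(der).hexdigest()


def validate_sso_objects(sso_objects):
    """Simplified model of the FMC deploy check: every SSO object needs a unique IdP Entity ID.

    sso_objects: list of (object_name, entity_id, cert_fingerprint).
    Returns (ok, message), where the message mirrors the wording of the FMC error.
    """
    seen = {}
    for name, entity_id, _fp in sso_objects:
        if entity_id in seen:
            return False, (
                f"Duplicate Identity Provider Entity ID ( {entity_id} ) in "
                f"( {seen[entity_id]},{name} )"
            )
        seen[entity_id] = name
    return True, "ok"


# Constructed sample data: one tenant, two enterprise apps with different signing certs.
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
PROFILE_U_META = azure_metadata(TENANT_ID, b"constructed-signing-cert-ProfileU")
PROFILE_Z_META = azure_metadata(TENANT_ID, b"constructed-signing-cert-ProfileZ")


def broken_layout():
    """One SSO object per Azure app, as in the question: both carry the same Entity ID."""
    u_id, u_fp = parse_idp_metadata(PROFILE_U_META)
    z_id, z_fp = parse_idp_metadata(PROFILE_Z_META)
    return validate_sso_objects([
        ("AzureSAMLSSO-VPN2", u_id, u_fp),
        ("AzureSAMLSSO2-NOSPLIT", z_id, z_fp),
    ])


def fixed_layout():
    """Accepted-answer layout: one shared SSO object; ProfileZ overrides the IdP certificate."""
    u_id, u_fp = parse_idp_metadata(PROFILE_U_META)
    _z_id, z_fp = parse_idp_metadata(PROFILE_Z_META)
    shared = ("AzureSAMLSSO-VPN2", u_id, u_fp)          # the duplicate object is gone
    ok, _msg = validate_sso_objects([shared])
    profiles = {
        "ProfileU": {"sso": shared[0], "entity_id": shared[1], "idp_cert": shared[2]},
        "ProfileZ": {"sso": shared[0], "entity_id": shared[1], "idp_cert": z_fp},  # override
    }
    return ok, profiles


if __name__ == "__main__":
    print(broken_layout())
    print(fixed_layout())
```

Running it prints the failing check for the two-object layout and the passing check for the shared-object layout; in the second, both profiles reference the same SSO object and Entity ID and differ only in the IdP certificate each profile trusts, which is the property the override setting relies on.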