Firepower VPN with MFA Can't create multiple profiles

0rsnaric
Level 1

We have a Cisco Firepower 4115 and currently have VPN configured with MFA. Our SSO provider is Azure.

I am trying to add a second profile that has a few differences from our main profile. It also needs to be MFA. But when I add an SSO provider and assign it to the profile, it will not allow me to push the configuration to the firewall. I get this error:

Policy Name: *****
Summary: Duplicate Identity Provider Entity ID.
Description: Selected Single Sign-on Server objects ( AzureSAMLSSO-VPN2,AzureSAMLSSO2-NOSPLIT ) are having duplicate Identity Provider Entity ID ( https://sts.windows.net/*************/ ). 
Cause: Duplicate Identity Provider Entity ID used in Single Sign-on Server objects.
Action: Please use different Single Sign-on Server objects or configure different Identity Provider Entity ID

How can I have two profiles sharing my SSO server? On the O365 side, they are two different applications, ProfileU and ProfileZ. If I just try to share ProfileU's SSO server with ProfileZ, it fails.

Any ideas?

Accepted Solution

BlakeBratu
Cisco Employee

You will need to use the same SSO object in both of your connection profiles. If they are two different Azure applications, what you can do is enable 'override identity provider certificate' (I believe the option is available in FMC 7.1.0 and above.)

[Screenshot attachment: BlakeBratu_0-1705609319572.png]

You'd use the IDP certificate given to you in Azure for your ProfileZ application, upload it to the FTD, use the same SAML object, and override the certificate utilizing ProfileZ's certificate. The serial number held within the IDP certificate will be used to differentiate the application created for your tunnel-group in Azure (in a non-technical nutshell.) Make sure the duplicate SSO object is removed.

If this option is not available to you, I recommend the suggested workarounds per: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi29084
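
An added pre-check, not part of this thread or of Cisco's tooling: it reads the federation metadata that Azure publishes for each enterprise application and reports whether the two apps share an Identity Provider Entity ID (which is exactly what triggers the FMC error above) and whether their signing certificates differ (which is what the certificate override relies on). It compares certificate fingerprints rather than serial numbers, and the tenant ID, metadata documents and certificate bytes are constructed placeholders, not real Azure output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 federation metadata (Azure AD / Entra ID emits these).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_idp_metadata(xml_text):
    """Return (entityID, SHA-256 fingerprint of the IdP signing certificate)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    cert_b64 = root.find(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        NS,
    ).text
    # Fingerprint the DER bytes; this is what tells two apps apart when they share an entityID.
    der = base64.b64decode("".join(cert_b64.split()))
    return entity_id, hashlib.sha256(der).hexdigest()


def check_profiles(metadata_a, metadata_b):
    """Report whether two IdP metadata documents collide in FMC and whether a cert override separates them."""
    id_a, fp_a = parse_idp_metadata(metadata_a)
    id_b, fp_b = parse_idp_metadata(metadata_b)
    return {
        "same_entity_id": id_a == id_b,          # True -> two SSO objects are rejected by FMC
        "distinct_signing_cert": fp_a != fp_b,   # True -> 'override identity provider certificate' can distinguish them
    }


def _sample_metadata(tenant_id, cert_bytes):
    # Constructed sample in the shape Azure emits; the certificate bytes are placeholders, not real DER.
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        f'entityID="https://sts.windows.net/{tenant_id}/">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        f'<X509Data><X509Certificate>{base64.b64encode(cert_bytes).decode()}</X509Certificate></X509Data>'
        '</KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>'
    )


TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
PROFILE_U_METADATA = _sample_metadata(TENANT, b"placeholder-cert-for-ProfileU")
PROFILE_Z_METADATA = _sample_metadata(TENANT, b"placeholder-cert-for-ProfileZ")

if __name__ == "__main__":
    print(check_profiles(PROFILE_U_METADATA, PROFILE_Z_METADATA))
```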


4 Replies

Worked like a charm. Thank you!

Can you provide more instructions on how to do this? I have been struggling to get this working now forever. I have read at least five different documents on it provided by Cisco and none of them work. We are using FMC to manage our FTD firewalls. When I click help, it gives me instructions on how to use the CLI to implement this on ASA. I am running 7.4.2.

Spuh
Level 1

I have done what the solution says, but I get "single signon cookie fail". What to do with that? I have checked wherever I could find to check but do not find anything that works.