
FTD -> Azure SSO with multiple aliases or profiles

Josh Morris
Level 3

I am using Azure MFA as an SSO server from FTD. What I would like to do is have multiple SSO objects from FTD to Azure to differentiate between multiple URLs or connection profiles (think employees vs partners). But you cannot create multiple SSO objects that use the same entityId.


So alternatively, I have tried to use one connection profile with multiple URLs with different URIs. (Ex: vpn.company.com, vpn.company.com/vendor, vpn.company.com/fulltunnel) This method would mean I could use only one connection profile and only one URL in Azure. But this doesn't work either, as I get the CSRF attack message, where Cisco basically says "fix your config".


So I'm a bit stuck on what to do now. I am running v6.7


pal.ronningen
Level 1

Hi @Josh Morris. I'm facing the same issue at this point. Did you find a solution for this, so that you are able to run multiple profiles with the same SSO server?

I don't think so. We were toying around with the idea of just creating multiple profiles...but that negates the desire to run all connections through a single profile for simplicity's sake. I will update here if I end up finding a solution.

ciscokiddy
Level 1

Hi @Josh Morris, I am also facing this challenge. Did you make any progress with this?

Josh Morris
Level 3

Kind of. I just had to create a new connection profile/Azure app combo for every set of requirements. I think I ended up with 4 total connection profiles:

  1. Employee split tunnel
  2. Employee full tunnel
  3. Vendors
  4. Employee start-before-login

What URL did you use in the SSO config on the FTD?

I've been playing with all the combinations of configuring this and can't get it to work.

  • The base URL is basically the alias we use: vpn.domain.com
  • The SSO URL is the 'Login URL' in your Azure SSO settings page
  • The Logout URL is the 'Logout URL' in your Azure SSO settings page
  • The Identity Provider ID is the 'Azure AD Identifier' in your Azure SSO settings page
  • Then you'll need a certificate generated by Azure SSO that you'll load in FMC and apply in the single sign-on profile
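The list above maps three FTD fields (Identity Provider ID, base URL, and the Azure login/logout URLs) onto SAML values. The following is an added example, written for this thread and not code from Cisco, Microsoft or anyone in the discussion; it shows what a service provider actually compares those values against inside a SAML response, and why a response issued for one base URL/profile pairing is rejected under another. The hostnames, the `sp_values` URL layout, the IdP identifier, the profile names and the sample response are all constructed placeholders (the real metadata and ACS URL format of an FTD is not reproduced here), and signature verification is left out so the block runs offline.

```python
"""Added example, not from the thread or from Cisco: a minimal service-provider
side check of the SAML values the FTD single-sign-on object carries. All
hostnames, profile names, URL layouts and the sample response are constructed
placeholders; the exact metadata/ACS URL format a real FTD uses is not shown."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed values standing in for the thread's settings: the 'Azure AD
# Identifier' (Identity Provider ID) and the base URL / alias.
IDP_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
BASE_URL = "https://vpn.example.com"


def sp_values(profile):
    """Derive the SP entity ID and ACS URL for one connection profile.
    The layout is a constructed assumption; it only needs to be the same
    on the FTD side and on the Azure side."""
    return f"{BASE_URL}/saml/sp/{profile}", f"{BASE_URL}/saml/acs/{profile}"


# Constructed, unsigned response issued for the 'employee-split' profile
# (signature checking is outside the scope of this example).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{sp_values('employee-split')[1]}">
  <saml:Issuer>{IDP_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00Z"
            Recipient="{sp_values('employee-split')[1]}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{sp_values('employee-split')[0]}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    """Raised when the response does not belong to this SP/profile."""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2099-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, idp_id, entity_id, acs_url, now=None):
    """Return the asserted NameID, or raise SamlValidationError.

    The comparisons mirror the FTD settings in the thread: the issuer must be
    the Identity Provider ID, the audience must be this SP's entity ID, and
    Destination/Recipient must be the ACS URL built from the base URL. A
    response minted for another profile fails on the last two."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise SamlValidationError(f"Destination mismatch: {root.get('Destination')}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no assertion")
    for el in (root, assertion):
        if el.findtext("saml:Issuer", namespaces=NS) != idp_id:
            raise SamlValidationError("issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise SamlValidationError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        raise SamlValidationError(f"audience {audiences} is not {entity_id}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation does not match this ACS URL")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("no NameID")
    return name_id


def accepted_for_profile(xml_text, profile):
    """True if the response passes under the SP settings of `profile`."""
    try:
        validate_response(xml_text, IDP_ID, *sp_values(profile))
        return True
    except SamlValidationError:
        return False


if __name__ == "__main__":
    for profile in ("employee-split", "vendor"):
        print(profile, accepted_for_profile(SAMPLE_RESPONSE, profile))
```

Running it shows the same response accepted for `employee-split` and rejected for `vendor`: the audience and the Destination/Recipient are bound to one entity ID and one ACS URL, which is the same coupling that makes the FTD refuse a second SSO object with an identical entityId and makes a mismatched URL surface as a request that does not belong to this SP.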

Ah. We have a slightly different issue whereby we are running it across multiple sites, so different URLs for different public IPs. As the base URL needs to be in the config, we're stuck.

Yeah, this was one reason why we consolidated all URLs into a single one and used /profilename instead. I haven't tried, but can you have a different SSO profile per?

Josh - Any chance you could elaborate on this further? This would help me immensely, but I'm not sure I see what you are doing or how this gets around the "you can't have multiple SAML objects with the same SAML entityID" restriction the FTD forces upon us?


Maybe this will help. This shows the authentication process. Upon successful authentication, authorization happens between FMC and ISE. I think the key here is that you can create a single SSO object in FMC and use that data in Azure, but you can create different Azure SSO profile based on the connection profile name...