How to configure multiple IdPs for anyconnect vpn

jewfcb001
Level 4

Hi All,
I am trying to find documentation about multiple IdPs for the ASA, because I found this wording in an official Cisco document:
"ASA can support multiple IdPs and has a separate entity ID for each IdP to differentiate them"
but in the ASA configuration under webvpn, "saml idp / url sign-in / url sign-out" can be configured only once.

Please help me with my question.

Example:
webvpn
 saml idp https://sts.windows.net/xxxxxxxxxxxxxxxxxx/
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/saml
  url sign-out https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/saml
  base-url https://vpn.lab.com
  trustpoint idp TEST-TP-IDP
  trustpoint sp TEST-TP-SP
  no signature
  force re-authentication
  timeout assertion 7200

3 Replies

Pavan Gundu
Cisco Employee

There is an open bug for this: https://bst.cisco.com/bugsearch/bug/CSCvi29084

And to be honest, after reading that bug I am not sure what they mean by that workaround. But I do know that using a wildcard cert for SP, IdP and on the Azure side could get your setup working.

@Pavan Gundu Thank you for the information.
Also, after reading that bug, I still don't understand: in the ASA configuration under webvpn, as below, can only one Azure app be configured, or not?
Please help explain.


saml idp https://sts.windows.net/xxxxxxxxxxxxxxxxxx/
 url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/saml
 url sign-out https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/saml

You can create multiple applications in Azure, but those applications will all get the same SAML IdP URL and will use different IdP certificates. Having multiple certificates for the same SAML config is currently not supported, as per the bug. So the workarounds mentioned are:

1. Use the same IdP certificate across all the connection profiles (in Azure), or
2. Have a different entity ID for each application you create.

I don't know if option two is possible in Azure, but option 1 is achievable.
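As an added example, not from the thread or from Cisco's documentation, this is the shape the ASA configuration takes when two IdPs present distinct entity IDs, which is the situation option 2 above requires. Every hostname, tenant ID, entity ID, trustpoint and tunnel-group name below is a placeholder. A `saml idp` block is keyed on the IdP entity ID, and each connection profile picks its IdP with `saml identity-provider`, so a second block can only exist if the second IdP's entity ID differs from the first:

```text
webvpn
 ! IdP 1: an Azure AD tenant. Its entity ID is the tenant's sts.windows.net URL,
 ! and it is the same for every enterprise app created in that tenant.
 saml idp https://sts.windows.net/11111111-2222-3333-4444-555555555555/
  url sign-in https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml
  url sign-out https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml
  base-url https://vpn.example.com
  trustpoint idp AZURE-IDP-TP
  trustpoint sp VPN-SP-TP
  no signature
  force re-authentication
  timeout assertion 7200
 ! IdP 2: a second identity provider with its own, different entity ID.
 ! Entering "saml idp" with a new entity ID creates a new block; entering it
 ! with an existing entity ID edits that block instead.
 saml idp https://idp2.example.org/saml/metadata
  url sign-in https://idp2.example.org/saml/sso
  url sign-out https://idp2.example.org/saml/slo
  base-url https://vpn.example.com
  trustpoint idp IDP2-TP
  trustpoint sp VPN-SP-TP
  no signature
  force re-authentication
  timeout assertion 7200
!
! Each connection profile binds to one IdP by entity ID.
tunnel-group CORP-USERS type remote-access
tunnel-group CORP-USERS webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/11111111-2222-3333-4444-555555555555/
 group-alias corp enable
!
tunnel-group PARTNER-USERS type remote-access
tunnel-group PARTNER-USERS webvpn-attributes
 authentication saml
 saml identity-provider https://idp2.example.org/saml/metadata
 group-alias partner enable
```

The IdP signing certificate is bound per `saml idp` block through `trustpoint idp`, which is why two Azure apps in the same tenant, with different certificates but the identical entity ID, cannot both be represented: a second `saml idp` command with that same entity ID edits the existing block rather than creating one. Workaround 1 makes the apps share one certificate so a single block serves every connection profile; workaround 2 only helps if the second IdP really does present a different entity ID. The ASA-side SP metadata that each IdP must be given is per connection profile and can be read with `show saml metadata <tunnel-group-name>`.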