IDP Metadata

Paweł Kordysz
Level 1

Hi,

I have a Firepower 1140 which is managed by FDM. I am trying to set up AnyConnect VPN login with SAML on Azure, but we have a problem with the IDP metadata: our profiles don't create IDP metadata. I checked it with: show saml metadata ProfileName and the result is:

SP Metadata
-----------

IDP Metadata
-----------

So I think the IDP metadata doesn't exist. How do I create or generate it?


7 Replies

I think your comment is not for this post 

JP Miranda Z
Cisco Employee

Hi Mateusz Matracki,

I recommend you check the following guide:

https://community.cisco.com/t5/security-knowledge-base/configure-anyconnect-with-saml-authentication-on-ftd-managed-via/ta-p/4467779

There you can find all the necessary steps to get SAML working on FDM. Keep in mind that FDM officially only supports SAML with DUO because of the following limitation:

CSCvu95526

You can check in Azure to see whether you can get a certificate from them that contains the CA flag, in order to avoid the limitation.

Hope this helps!

Please rate if this was somehow useful!

-JP-

Thank you for your reply. I configured it following this guide, but I have no data at step 11. In the guide,

show saml metadata SAML_TG

gives the metadata for the profile. When I run this command I see:

SP Metadata
-----------

IDP Metadata
-----------

Make sure your tunnel-group name is entered with case sensitive spelling matching the definition in the running-config.

If you are able, please share the output of:

show running-config webvpn

show running-config tunnel-group <TG-name>

Here is the output:

> show running-config webvpn
webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnpkgs/anyconnect-linux64
 anyconnect image disk0:/anyconnpkgs/anyconnect-win
 anyconnect image disk0:/anyconnpkgs/anyconnect-macos
 anyconnect profiles defaultClientProfile disk0:/anyconncprofs/
 anyconnect enable
 saml idp https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxx
  url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx
  url sign-out https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxx
  base-url https://vpn.xxxxxxxxxxxxxxxxxxx.pl
  trustpoint idp Azure_SAML
  trustpoint sp xxxxxx_xxx
  no signature
  force re-authentication
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
> show running-config tunnel-group SD
tunnel-group SD type remote-access
tunnel-group SD general-attributes
 address-pool SD_VPN_POOL
 default-group-policy ServiceDesk
tunnel-group SD webvpn-attributes
 authentication saml
 group-alias SD enable
 saml identity-provider https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Mateusz Matracki,

The command you need to run is:

show saml metadata SD

Hope this helps!

Please rate if this was somehow useful!

-JP-

We somehow found a way to solve this problem: we needed to generate a certificate with CA=true.
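JP's suggestion above to look for a certificate "that contains the ca-flag", and the final post's fix of generating a certificate with the CA flag set, come down to the basicConstraints extension of the IdP signing certificate. The script below is an added example, not code from this thread, from Cisco or from Microsoft: it checks a PEM certificate (for instance the one downloaded from the Azure enterprise application) for basicConstraints CA:TRUE, and mints a self-signed certificate that has the flag, which can then be uploaded to Azure as the application's own SAML signing certificate and imported into the FTD trustpoint. The subject names, file names, key size and validity period are assumptions, and basicConstraints is written explicitly so the result does not depend on the openssl.cnf defaults of the installed OpenSSL version.

```shell
#!/bin/sh
# Added example (not from the thread, Cisco or Microsoft): check whether a SAML
# IdP signing certificate carries basicConstraints CA:TRUE, the "CA flag" the
# FTD trustpoint import wants, and generate a self-signed certificate that does.
# Names, CNs, key size and validity below are assumptions for illustration.

# has_ca_flag CERT.pem -> exit 0 if the certificate has basicConstraints CA:TRUE.
# Run this on the certificate downloaded from Azure before importing it on FTD.
has_ca_flag() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# cert_summary CERT.pem -> subject and expiry on one line, to confirm which
# certificate you are about to hand to the firewall.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate 2>/dev/null | tr '\n' ' '
}

# gen_self_signed DIR NAME "CA:TRUE"|"CA:FALSE"
# Writes DIR/NAME.key and DIR/NAME.crt (RSA 2048, SHA-256, 3 years).
# basicConstraints is set explicitly in the generated config, so the outcome
# is the same on OpenSSL 1.1.1 and 3.x regardless of their default v3 sections.
gen_self_signed() {
  dir="$1"; name="$2"; ca="$3"
  if [ "$ca" = "CA:TRUE" ]; then
    ku="digitalSignature, keyCertSign"   # CA flag plus SAML assertion signing
  else
    ku="digitalSignature"                # what an end-entity signing cert normally has
  fi
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $name
[ext]
basicConstraints = critical, $ca
keyUsage = critical, $ku
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# Stand-alone run ("sh this.sh demo"): mint both kinds into a temp dir and
# report whether each one would pass the CA-flag check.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gen_self_signed "$d" azure-saml-signing "CA:TRUE"
  gen_self_signed "$d" end-entity-only "CA:FALSE"
  for c in azure-saml-signing end-entity-only; do
    if has_ca_flag "$d/$c.crt"; then
      flag="CA:TRUE (importable as the FTD IdP trustpoint)"
    else
      flag="no CA flag (hits the limitation JP mentions)"
    fi
    echo "$c: $flag; $(cert_summary "$d/$c.crt")"
  done
fi
```

Once the CA:TRUE certificate and key are uploaded to the Azure application as its signing certificate and activated, the same PEM is what goes into the Azure_SAML trustpoint on the FTD; the tunnel-group name passed to show saml metadata is still case sensitive, as noted earlier in the thread.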