
MFA Azure SAML 'Wrong URL'

richard.priest
Level 1

Hi,

I've set up AnyConnect to use MFA from Azure, something I've done before without too many issues.

However, in this instance, when attempting to authenticate via AnyConnect I get the normal authentication window with 'Wrong URL'.

If I try from a webpage I can enter my AD credentials, but when sending over the password I then get the same Wrong URL. Looks like it's when it's redirecting to https://asa//+CSCOE+/saml/sp/acs?tgname=/tunnelgroup

When browsing directly to the above I get the same 'wrong URL' error. I've obviously made a mistake somewhere in the config, but I can't figure out where.

Any pointers gratefully received!

Cheers

Rich

Josue Brenes
Cisco Employee

Hi Richard,

Are you able to share the config of the ASA? At least the "show run webvpn".

Rate if it helps.

Regards,
Josue Brenes
TAC - VPN Engineer.

I'm having the same issue. 

webvpn
 enable outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.10.03104-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.10.03104-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.10.03104-webdeploy-k9.pkg 3
 anyconnect image disk0:/anyconnect-win-arm64-4.10.03104-webdeploy-k9.pkg 4
 anyconnect enable
 saml idp https://sts.windows.net/ecfd017d-15bb-494b-9072-cb313101730c/
  url sign-in https://login.microsoftonline.com/ecfd017d-15bb-494b-9072-cb313101730c/saml2
  url sign-out https://login.microsoftonline.com/ecfd017d-15bb-494b-9072-cb313101730c/saml2
  base-url https://test.domain.org.org/
  trustpoint idp AzureAD-AC-SAML
  trustpoint sp ASDM_TrustPoint7
  no signature
  no force re-authentication
 cache
  disable
 error-recovery disable

I know this has been out there for a little bit, but I ran into the same issue.

The way I resolved it was changing this line:

base-url https://test.domain.org.org/

to this, removing the slash at the end:

base-url https://test.domain.org.org

Cisco was passing the // and wasn't matching what Azure AD had. Also, Azure AD didn't like the // if put on that side.

Milos_Jovanovic
VIP Alumni

Hi @nick.ehlers,

Could you please check Azure side, and what URL you have defined in "Reply URL (Assertion Consumer Service URL)"?

I believe that the issue is not on ASA side, but rather on Azure side.

BR,

Milos
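
The two checks discussed above (the trailing slash on base-url and the Reply URL defined in Azure) can be scripted against a saved "show run webvpn". This is an added example, not part of the original posts or Cisco's own tooling; the tunnel-group name `tunnelgroup`, the Reply URL value and the plain-concatenation behaviour of `acs_url` are assumptions based on the redirect URL quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the SAML lines of the "show run webvpn" output posted in the thread.
SAMPLE_CONFIG = """\
webvpn
 saml idp https://sts.windows.net/ecfd017d-15bb-494b-9072-cb313101730c/
  url sign-in https://login.microsoftonline.com/ecfd017d-15bb-494b-9072-cb313101730c/saml2
  base-url https://test.domain.org.org/
"""

# Path and query taken from the redirect URL quoted in the first post.
ACS_SUFFIX = "/+CSCOE+/saml/sp/acs?tgname="


def acs_url(base_url, tunnel_group):
    """Build the ACS URL by plain concatenation.

    Assumption: the ASA appends the suffix to base-url without normalising
    slashes, which is what the '//' in the thread's redirect URL suggests.
    """
    return base_url + ACS_SUFFIX + tunnel_group


def check_saml_urls(config, tunnel_group, azure_reply_url):
    """Return a list of findings; an empty list means the URLs line up."""
    bases = re.findall(r"^[ \t]*base-url[ \t]+(\S+)", config, re.MULTILINE)
    if not bases:
        return ["no base-url found under webvpn"]
    findings = []
    for base in bases:
        acs = acs_url(base, tunnel_group)
        if "//" in urlsplit(acs).path:
            findings.append(f"double slash in ACS path: {acs}")
        if acs != azure_reply_url:
            findings.append(f"ACS URL {acs} differs from Azure Reply URL {azure_reply_url}")
    return findings


if __name__ == "__main__":
    # Hypothetical tunnel-group name and Reply URL, for illustration only.
    reply = "https://test.domain.org.org/+CSCOE+/saml/sp/acs?tgname=tunnelgroup"
    for finding in check_saml_urls(SAMPLE_CONFIG, "tunnelgroup", reply):
        print("FAIL:", finding)
```

With the trailing slash removed from base-url, the same call returns an empty list.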

We fixed our issue. It was as simple as removing all the SAML config under "webvpn" in the running config of the ASA and then removing and re-adding everything to the tunnel-group.

It was the same exact config, but for some reason removing it and adding it back again got us working 100 percent.

If this was the case, then, most likely, you modified your SAML configuration at some point to the configuration you pasted here.

This is a known issue: if you want to modify some configuration in the SAML IdP, you have to remove it and re-add it again, as modifications are not working (not sure if it is fixed in newer releases).

BR,

Milos
