cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2988
Views
16
Helpful
6
Replies

MFA Azure SAML 'Wong URL'

richard.priest
Level 1
Level 1

Hi,

 

I've setup Anyconenct to use MFA from Azure, something I've done before without too many issues.

 

However in this instance when attempting to authenticate fia Anyconenct I get the normal authenticaiton window with 'Wrong URL'

 

If i try from a webpage I can enter my AD credentials, but when sending over the password I then get the same Wrong URL. Looks like it's when it's redirecting to https://asa//+CSCOE+/saml/sp/acs?tgname=/tunnelgroup

 

When browsing directly to the above I get the same 'wrong URL' error. I've obviously made a mistake somewhere in the config, but I can't figure out where.

 

Any pointers gratefully received!

 

Cheers

 

Rich

6 Replies 6

Josue Brenes
Cisco Employee
Cisco Employee

Hi Richard,

Are you able to share the config of the ASA? - At least the "show run webvpn".

 

Rate if it helps.

Regards,
Josue Brenes
TAC - VPN Engineer.

I'm having the same issue. 

webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-win-4.10.03104-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.10.03104-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-linux64-4.10.03104-webdeploy-k9.pkg 3
anyconnect image disk0:/anyconnect-win-arm64-4.10.03104-webdeploy-k9.pkg 4
anyconnect enable
saml idp https://sts.windows.net/ecfd017d-15bb-494b-9072-cb313101730c/
url sign-in https://login.microsoftonline.com/ecfd017d-15bb-494b-9072-cb313101730c/saml2
url sign-out https://login.microsoftonline.com/ecfd017d-15bb-494b-9072-cb313101730c/saml2
base-url https://test.domain.org.org/
trustpoint idp AzureAD-AC-SAML
trustpoint sp ASDM_TrustPoint7
no signature
no force re-authentication
cache
disable
error-recovery disable

I know this has been out there for a little bit, but I ran into the same issue.

 

The way I resolved was changing this line:

base-url https://test.domain.org.org/

To removing the slash at the end:

base-url https://test.domain.org.org

 

Cisco was passing the // and wasn't matching what Azure AD had.  Also Azure AD didn't like the // if put on that side.

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @nick.ehlers,

Could you please check Azure side, and what URL you have defined in "Reply URL (Assertion Consumer Service URL)"?

I believe that the issue is not on ASA side, but rather on Azure side.

BR,

Milos

We fixed our issue. It was as simple as removing all the SAML config under "webvpn" in the running config of the ASA and then removing and re-adding everything to the tunnel-group. 

 

It was the same exact config but for someone reason removing it and adding it back again got us working 100 percent. 

If this was the case, then, most likely, you modified your SAML configuration at some point to the configuration you pasted here.

This is a know issue that if you want to modify some configuration in SAML iDP, you have to remove it, and to re-add it again, as modifications are not working (not sure if it is fixed in newer releases).

BR,

Milos