Multiple Tunnel Group - ASA and Microsoft Azure AD with MFA using SAML

Hello,

I have an ASA 9.14(3)13, with a connection profile using MFA with Azure. For this connection we have configured the SSO server SAML with the Sign in URL, Sign Out URL, Base URL, Identity Provider Certificate and Service Provider Certificate.

We need to add a new connection profile using MFA with the same Azure tenant. In this case, when the new instance is created in Azure, we get the same Sign in URL and Sign Out URL, and the Base URL is the same too. But we have a new IdP certificate.

The question is how to configure this new connection profile in ASA using the new certificate for the new tunnel group.

Thanks.

3 Replies

Pulkit Mittal
Spotlight

Found the answer to your scenario here; you might run into the same issue. Append the application ID.

Can two AnyConnect connection profiles use the same SAML IdP? - Cisco Community

"I have found the solution. It is not on the VPN side.

There is a function on Azure SAML: by enabling "Advanced SAML claims options" - "Append application ID to issuer" under the VPN profile,

you can see the "Application ID" under Properties. On the ASA, you can use saml idp + Application ID, which looks like this:

webvpn

    saml idp https://sts.windows.net/{{ idp }}/{{ Application ID }}

So you can create multiple profiles for SAML auth by using different application IDs."

If you find this useful, please mark it helpful and Accept the Solution.
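To show how the two connection profiles and the two IdP certificates from the original question fit together, here is an added ASA configuration example (constructed for this thread, not the poster's own config). The tenant GUID, application ID, trustpoint names, FQDN and tunnel-group names are placeholders; the second Azure enterprise application has "Append application ID to issuer" enabled, so its issuer carries the application ID as described above.

```text
! Constructed example. Replace <TENANT-ID>, <APP-ID-2>, trustpoint names and FQDN.
! Azure issues a separate signing certificate per enterprise application, so each
! saml idp entry needs its own "trustpoint idp" holding that application's IdP cert.
crypto ca trustpoint AZURE-IDP-PROFILE1
 enrollment terminal
crypto ca trustpoint AZURE-IDP-PROFILE2
 enrollment terminal
! (crypto ca authenticate <trustpoint> and paste the Base64 IdP certificate from Azure)
!
webvpn
 ! First profile: original entity ID, application ID not appended
 saml idp https://sts.windows.net/<TENANT-ID>/
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  trustpoint idp AZURE-IDP-PROFILE1
  trustpoint sp ASA-SP-CERT
  no signature
  force re-authentication
 ! Second profile: Azure "Append application ID to issuer" enabled, so the
 ! issuer becomes https://sts.windows.net/<TENANT-ID>/<APP-ID-2>
 saml idp https://sts.windows.net/<TENANT-ID>/<APP-ID-2>
  url sign-in https://login.microsoftonline.com/<TENANT-ID>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  trustpoint idp AZURE-IDP-PROFILE2
  trustpoint sp ASA-SP-CERT
  no signature
  force re-authentication
!
! Each tunnel group references the issuer string of its own Azure application.
tunnel-group VPN-PROFILE-1 webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/
tunnel-group VPN-PROFILE-2 webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<TENANT-ID>/<APP-ID-2>
```

Verify each profile with `show saml metadata <tunnel-group>` and `debug webvpn saml` during a test login; if an assertion signature check fails, the trustpoint bound to that saml idp entry does not hold the certificate of the Azure application the tunnel group points at. After editing a saml idp entry, remove and re-add `saml identity-provider` under the tunnel-group so the change is picked up.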

@Pulkit Mittal THANK YOU!!! We had the same exact problem and your solution worked perfectly!!! Thank you so much my dear friend

Glad to know that I was able to help! @R_M_$$