03-11-2024 08:50 AM
Hello,
I have an ASA 9.14(3)13 with a connection profile using MFA with Azure. For this connection we have configured the SSO server (SAML) with the Sign-in URL, Sign-out URL, Base URL, Identity Provider Certificate and Service Provider Certificate.
We need to add a new connection profile using MFA with the same Azure tenant. In this case, when the new instance was created in Azure, we got the same Sign-in URL and Sign-out URL, and the Base URL is the same too. But we have a new IdP certificate.
The question is how to configure this new connection profile on the ASA using the new certificate for the new tunnel group.
Thanks.
03-11-2024 08:30 PM
Found the answer to your scenario here; you might be running into the same issue. Append the application ID.
Can two AnyConnect connection profiles use the same SAML IdP? - Cisco Community
"I have found the solution. It is not on the VPN side.
There is a function on Azure SAML: by enabling "Advanced SAML claims options" - "Append application ID to issuer" under the VPN profile,
you can have "Application ID" under Properties. On the ASA, you can use saml idp + Application ID; it looks like this:
webvpn
saml idp https://sts.windows.net/{{ idp }}/{{ Application ID }}
So you can create multiple profiles for SAML auth by using different application IDs."
If you find this useful, please mark it helpful and Accept the Solution.
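To show how the appended application ID lets each tunnel group reference its own IdP certificate, here is a constructed ASA configuration, added to this thread and not taken from any poster; the tenant ID, application IDs, hostname, trustpoint names and tunnel-group names are placeholders.

```cisco
! Constructed example: two tunnel groups on one ASA, both using the same
! Azure tenant, each tied to its own Azure enterprise application and
! therefore its own IdP signing certificate.
! Placeholders: TENANT-ID, APP-ID-1, APP-ID-2, asa.example.com.
!
! One IdP trustpoint per Azure application. After this, run
!   crypto ca authenticate AzureAD-IdP-App1
! (and App2) and paste that application's "Certificate (Base64)".
crypto ca trustpoint AzureAD-IdP-App1
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
crypto ca trustpoint AzureAD-IdP-App2
 revocation-check none
 no id-usage
 enrollment terminal
 no ca-check
!
webvpn
 ! Issuer = tenant issuer with the application ID appended. It must match
 ! exactly what Azure sends once "Append application ID to issuer" is on,
 ! or the assertion is rejected as coming from an unknown IdP.
 saml idp https://sts.windows.net/TENANT-ID/APP-ID-1
  url sign-in https://login.microsoftonline.com/TENANT-ID/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://asa.example.com
  trustpoint idp AzureAD-IdP-App1
  trustpoint sp ASA-SP
  no signature
  no force re-authentication
 ! Same sign-in/sign-out/base URLs, different issuer and IdP trustpoint.
 saml idp https://sts.windows.net/TENANT-ID/APP-ID-2
  url sign-in https://login.microsoftonline.com/TENANT-ID/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://asa.example.com
  trustpoint idp AzureAD-IdP-App2
  trustpoint sp ASA-SP
  no signature
  no force re-authentication
!
! Each tunnel group points at the issuer of its own application, so the
! ASA verifies each assertion's signature against the matching cert only.
tunnel-group VPN-Profile-1 webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID/APP-ID-1
tunnel-group VPN-Profile-2 webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID/APP-ID-2
```

On the Azure side, each enterprise application's Identifier (Entity ID) and Reply URL must name its own tunnel group (https://asa.example.com/saml/sp/metadata/VPN-Profile-1 and https://asa.example.com/+CSCOE+/saml/sp/acs?tgname=VPN-Profile-1), otherwise the assertion for one profile can be replayed against the other.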
09-26-2024 03:09 AM
@Pulkit Mittal THANK YOU!!! We had the same exact problem and your solution worked perfectly!!! Thank you so much, my dear friend.
10-03-2024 06:56 PM
Glad to know that I was able to help! @R_M_$$