Requiring Assistance for AnyConnect SSO with Azure

Hello everyone, I'm currently troubleshooting AnyConnect SAML SSO via Azure. Below are some details about the environment and current troubleshooting steps that have been taken so far. The goal is to have users authenticate with their Entra credentials and later implement a CA policy for MFA once we verify it's working.

For the environment:

Access to the VPN is through the AnyConnect client and AD credentials are currently used. This is a hybrid environment and Entra Connect is being utilized. In the ASDM, we have 1 tunnel group that is using AAA authentication and points to an AAA server group. I followed documentation provided directly by Microsoft and Cisco on how to configure SSO for AnyConnect.

Our current issue:

When I apply the SAML authentication method and add the SAML server to the tunnel group, we receive an error stating "Authentication failed due to problem navigating to the single sign-on URL" when attempting to log in through the AnyConnect client. This seems like a rather simple error to search for, but I am unable to find anything on this issue other than Cisco having a known bug for SSO configurations. When I test SSO on the Azure side, the results are as follows:

"Microsoft Entra ID successfully issued a token (SAML response) to the application (service provider). If you still can’t access the application you need to contact the software vendor and share the information below"

Troubleshooting steps that have been taken:

I've verified the clock for the ASA is synced, and I've recreated the SAML server and verified the URLs pulled from Azure are added correctly to the SAML server.

I've also recreated the entire process which would include: removing the old Base64 certificate, deleting the SAML server, and deleting the app registration from Azure. Then I reregistered the app, added the new Base64 cert, and created the SAML server but with the new URLs.

If anyone has had this issue or knows what the cause may be, it would be great to get some help on this, thank you.
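As an added check for the "verified the URLs pulled from Azure" step (example code written for this thread, not from Cisco or Microsoft): parse the IdP federation metadata the identity provider publishes and compare its entity ID, sign-in and sign-out URLs, and signing-certificate fingerprint against the values entered in the ASA's SAML server definition. The metadata below is a constructed sample with a placeholder tenant ID and a fake certificate body, so it runs offline.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata in the shape Azure publishes; the tenant ID and the
# certificate bytes are placeholders, not a real tenant or a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the values the ASA's SAML server definition must match."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    def location(tag):
        # The ASA uses the HTTP-Redirect binding for the sign-in/sign-out URLs.
        for svc in idp.findall(f"{MD}{tag}"):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None
    cert_b64 = idp.find(f"{MD}KeyDescriptor[@use='signing']/{DS}KeyInfo/"
                        f"{DS}X509Data/{DS}X509Certificate").text
    der = base64.b64decode("".join(cert_b64.split()))
    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": location("SingleSignOnService"),
        "sign_out_url": location("SingleLogoutService"),
        "cert_sha256": hashlib.sha256(der).hexdigest(),
    }

def find_mismatches(idp_values, asa_values):
    """Exact, case-sensitive comparison: a trailing slash or http/https
    difference in the entity ID is enough to break the SAML flow."""
    return sorted(k for k in idp_values if idp_values[k] != asa_values.get(k))
```

Fill `asa_values` with the entity ID, URLs and the SHA-256 of the Base64 certificate you installed on the ASA; any key returned by `find_mismatches` is a field to re-check before looking elsewhere.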

BlakeBratu
Cisco Employee

What version of AnyConnect/Secure Client are you running? Are you using the embedded browser or the default OS browser for connecting?