06-25-2025 02:21 AM - edited 06-26-2025 03:50 AM
I'm trying to configure RSA SAML auth on our AnyConnect VPN, which was working fine with local users.
It's working fine on the clientless WebVPN. It will authenticate no problem, but it won't go through on AnyConnect.
I connect on AnyConnect and it brings up the RSA login page. I get through that and then the 2FA page, but as soon as the 2FA is put in, the same Secure Client browser just shows a black screen with 404 Not Found (sometimes just a black page).
I've changed my time on the ASA to match the time on the RSA side of things just in case it was a time issue (CEST instead of BST), and I know that the RSA side has both the reply URLs in for clientless and AnyConnect.
Does the reply URL need to be put in the ASA somewhere? I am using ASDM and couldn't find where it could go. Only a logoff URL, which I guess isn't the same thing.
I've also done debug webvpn saml when trying to connect, but it only shows this and doesn't show anything at the point of the 404 error coming up.
FPR1010# debug webvpn saml 255
INFO: debug webvpn saml enabled at level 255.
FPR1010# [SAML] Using ephemeral key to generate relay hash:
Jun 25 11:05:06 [Lasso] func=xmlSecKeyDuplicate:file=keys.c:line=621:obj=unknown :subj=key != NULL:error=100:assertion:
Jun 25 11:05:06
[SAML] build_authnrequest:
https://xxxxxxxxx.auth-eu.securid.com/sso/saml/c2639e9e-xxxxxxxxxxxx
[SAML] saml_is_idp_internal: getting SAML config for tg DefaultWEBVPNGroup
FPR1010# no debug all
I've just noticed on the debug it's pulling the wrong connection profile (DefaultWEBVPNGroup). I've tried turning SAML off for that connection profile, but then the RSA login page doesn't load.
Does anyone know how to fix this issue?
06-26-2025 03:35 AM - edited 06-26-2025 03:47 AM
This is now fixed, in case anyone looks at this in future.
I found that the clientless WebVPN had stopped working, so RSA changed the order of the two ACS on their side back (CSCOE first and webvpn second) and clientless and AnyConnect started working. Interestingly, this was the order they were originally on when AnyConnect didn't work, so not sure what fixed my issue.
06-25-2025 02:53 AM - edited 06-26-2025 03:51 AM
For additional info, as I am trying to fix the issue at the same time: I got the connection profile list to show up, so I was able to manually select the correct profile, but it still gives me a 404 error once, then the next time I try to connect I just get a black screen.
INFO: debug webvpn saml enabled at level 255.
FPR1010# [SAML] Using ephemeral key to generate relay hash:
Jun 25 11:48:17
[SAML] build_authnrequest:
https://xxxxxxxx.auth-eu.securid.com/sso/saml/c2639e9e-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[SAML] saml_is_idp_internal: getting SAML config for tg XXXVPN
[SAML] Using ephemeral key to generate relay hash:
Jun 25 11:48:20
[SAML] build_authnrequest:
https://xxxxxx.auth-eu.securid.com/sso/saml/c2639e9e- xxxxxxxxxxxxxxxxxxxxxxxxxx
[SAML] saml_is_idp_internal: getting SAML config for tg XXXVPN
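Added example (not from the thread, Cisco or RSA): a small Python parser for the debug webvpn saml output quoted in the original post and in the follow-up above. It records which tunnel-group each AuthnRequest was built for and flags the DefaultWEBVPNGroup fallback the poster noticed. The sample debug text is constructed from the masked lines in the thread, and the expected profile name XXXVPN is the poster's placeholder.

```python
import re

# Constructed sample, modelled on the thread's "debug webvpn saml 255" output: a
# request built for DefaultWEBVPNGroup, then one for the intended profile XXXVPN.
SAMPLE_DEBUG = """\
FPR1010# [SAML] Using ephemeral key to generate relay hash:
Jun 25 11:05:06
[SAML] build_authnrequest:
https://xxxxxxxxx.auth-eu.securid.com/sso/saml/c2639e9e-xxxxxxxxxxxx
[SAML] saml_is_idp_internal: getting SAML config for tg DefaultWEBVPNGroup
[SAML] Using ephemeral key to generate relay hash:
Jun 25 11:48:17
[SAML] build_authnrequest:
https://xxxxxxxxx.auth-eu.securid.com/sso/saml/c2639e9e-xxxxxxxxxxxx
[SAML] saml_is_idp_internal: getting SAML config for tg XXXVPN
"""

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}$")
TUNNEL_GROUP_RE = re.compile(r"getting SAML config for tg (\S+)")


def parse_authn_requests(debug_text):
    """One record per AuthnRequest: the 'ephemeral key' line opens a record and
    the timestamp, IdP SSO URL and tunnel-group (tg) lines fill it in."""
    records, current = [], {}  # the initial dict swallows lines before the first record
    for line in map(str.strip, debug_text.splitlines()):
        if "Using ephemeral key to generate relay hash" in line:
            current = {"timestamp": None, "idp_url": None, "tunnel_group": None}
            records.append(current)
        elif TIMESTAMP_RE.match(line):
            current["timestamp"] = line
        elif line.startswith("https://"):
            current["idp_url"] = line
        elif TUNNEL_GROUP_RE.search(line):  # other lines (e.g. Lasso noise) are ignored
            current["tunnel_group"] = TUNNEL_GROUP_RE.search(line).group(1)
    return records


def check_tunnel_groups(records, expected_tg):
    """Flag requests not built for the profile the client should be using; the
    DefaultWEBVPNGroup fallback is the symptom the poster spotted in the debug."""
    findings = []
    for index, record in enumerate(records, start=1):
        tg = record["tunnel_group"]
        if tg is None:
            findings.append((index, "no tunnel-group resolved"))
        elif tg != expected_tg:
            findings.append((index, f"built for {tg}, expected {expected_tg}"))
    return findings
```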
06-25-2025 06:06 AM
For info, this is the debug from the webvpn:
FPR1010# debug webvpn 255
INFO: debug webvpn enabled at level 255.
FPR1010# Public archive directives retrieved from cache for index 1.
webvpn_allocate_auth_struct: net_handle = 0x00007f952bf78260
len1/29 < len2/1030
length of new buffer 0x00007f94c5d06c80 is 1059/509 prefix left=298
webvpn_auth.c:webvpn_auth[730]
WebVPN: no cookie present!!
webvpn_free_auth_struct: net_handle = 0x00007f952bf78260
webvpn_allocate_auth_struct: net_handle = 0x00007f952bf78260
webvpn_free_auth_struct: net_handle = 0x00007f952bf78260