08-16-2022 04:27 PM
I've been stymied for weeks on this "Authentication failed due to problem retrieving the single sign-on cookie". TAC helped me track it down to a certificate mismatch. My AWS engineer generated a new cert and this time the output looks closer to my working ASA for the CN. Running debug during the login attempt I see errors: "Consume assertion: Failed to verify signature" and "SAML assertion validation failed". What exactly is attempting to match with what?
I've been using the article from Duo, which is the clearest on the problem, and I think I've done all these steps. But the last one is "Verify that you have deployed the correct certificate for your split-tunnel group." How exactly do you verify the *correct* certificate?
08-16-2022 11:28 PM
- FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq85622
M.
08-16-2022 11:34 PM
Restart the ASA.
Log in to the ASA via the CLI and verify the time by issuing the command show clock.
If the time is not correct, verify your NTP time sync configuration.
Set the SAML identity provider to none, and then set it back to your configured SAML IdP.
Remove the SAML configuration from the tunnel group on the ASA and temporarily save the configuration without the SAML configuration.
Re-enable SAML auth in the tunnel group via the following commands in the CLI, using your Entity ID:
Regards,
J Wick
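One way to do the certificate check the thread keeps circling back to, as an added example that is not code from either poster or from Cisco: compare fingerprints of the IdP's signing certificate (taken from the IdP metadata, or from the ds:X509Certificate the IdP embeds in its signed Response) with the certificate loaded in the ASA trustpoint referenced by "trustpoint idp" in the "saml idp" block, instead of eyeballing the CN. The ASA verifies the assertion signature with that trustpoint certificate, so a fresh IdP certificate that was never re-imported into the trustpoint produces exactly the kind of mismatch TAC found. The entityID, hostnames and the placeholder certificate bytes below are constructed for the example; only the byte-for-byte comparison matters, so the placeholders are not real DER. Run fingerprint(..., "sha1") if the fingerprint your ASA prints for the trustpoint is SHA-1.

```python
"""Added example: check that the IdP's SAML signing certificate is byte-for-byte the one
the ASA trustpoint holds, by comparing fingerprints instead of comparing the CN."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace, decode the base64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER, the form most CLIs print."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def signing_certs_from_xml(xml_text: str) -> list[bytes]:
    """DER bytes of every certificate that may sign assertions in a SAML document.

    Handles IdP metadata (KeyDescriptor use="signing", or with no use attribute) and a
    SAML Response/Assertion whose ds:Signature carries its own ds:X509Certificate.
    An encryption-only KeyDescriptor cannot verify the assertion signature, so it is skipped.
    """
    root = ET.fromstring(xml_text)
    cert_tag = f"{{{DS_NS}}}X509Certificate"
    found: list[bytes] = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(cert_tag):
            found.append(base64.b64decode("".join(cert.text.split())))
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        for cert in sig.iter(cert_tag):
            found.append(base64.b64decode("".join(cert.text.split())))
    # De-duplicate while keeping document order
    return list(dict.fromkeys(found))


def trustpoint_matches(xml_text: str, trustpoint_pem: str) -> bool:
    """True if the certificate in the ASA trustpoint is one of the IdP's signing certs."""
    tp_fp = fingerprint(pem_to_der(trustpoint_pem))
    return tp_fp in {fingerprint(c) for c in signing_certs_from_xml(xml_text)}


# Constructed placeholder "certificates": not real DER, they stand in for the bytes so
# the comparison can run offline. Replace with the IdP metadata and the PEM you
# imported into the trustpoint.
NEW_IDP_SIGNING_DER = b"constructed-idp-signing-cert-2022"
IDP_ENCRYPTION_DER = b"constructed-idp-encryption-cert"
STALE_TRUSTPOINT_DER = b"constructed-cert-copied-from-old-asa"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def as_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, the form an ASA trustpoint import expects."""
    return "-----BEGIN CERTIFICATE-----\n" + _b64(der) + "\n-----END CERTIFICATE-----\n"


# Constructed IdP metadata with one signing and one encryption KeyDescriptor.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(NEW_IDP_SIGNING_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(IDP_ENCRYPTION_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, der in (("stale", STALE_TRUSTPOINT_DER), ("new", NEW_IDP_SIGNING_DER)):
        print(f"{label} trustpoint cert {fingerprint(der)} matches IdP signing cert:",
              trustpoint_matches(SAMPLE_IDP_METADATA, as_pem(der)))
```

If the fingerprint of the trustpoint certificate is not in the set the IdP publishes, re-import the IdP's current signing certificate into that trustpoint before touching anything else in the tunnel group.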