SAML for Cisco ASA in Load Balancing Group
02-10-2023 11:38 AM
Hi! I have two Cisco ASAs running version 9.18.2 combined into a load-balancing group. For example:
FQDN of the first node vpn-gw1.example.com
FQDN of the second node vpn-gw2.example.com
General address vpn.example.com
When setting up SAML multi-factor authentication, if I enter "vpn.example.com" in the Base URL field, I get the error "Failed to generate SAML AuthnRequest".
Please tell me how to configure the Cisco ASA correctly for SAML with load balancing, which appeared in ASA version 9.17.1.
Or would the right solution be to have two applications on the IdP side, one for each ASA node?
Labels: AnyConnect, VPN
02-10-2023 01:36 PM
Check the enhancement bug; I am sure it might have been fixed in your version.
02-10-2023 10:53 PM
Hi, thanks for the link. I recently updated my Cisco ASA specifically to version 9.18.2, since SAML load-balancing support appears in versions older than 9.17.1, based on the release notes. But the update did not help. Therefore, I decided to write here; maybe someone has already solved this problem.
02-11-2023 02:17 AM
Sure, and wait for other mates to reply. If this is a pressing issue, contact TAC for the correct answer.
02-13-2023 01:04 AM
Hi @kirillsanin48,
You'll have to configure 2 applications on the IdP side, as the ACS (Assertion Consumer Service, the URL to which the IdP should reply) has to be unique, and has to be the FQDN of your devices (in your case vpn-gw1.example.com and vpn-gw2.example.com).
Also, please correct the base URL to reflect the same: it has to be unique per device.
Finally, there was a bug by which no modification of the SAML config was possible once you typed 'exit', so if you need to modify it, you'd need to remove it completely and redo it again, this time with everything you need.
I've been using SSO with VPN load-balancing since 9.12, and never had any issues with SSO so far.
Kind regards,
Milos
02-13-2023 04:29 AM
Hi, thanks for the reply.
I probably misunderstood the meaning of SAML with load balancing. I thought that the ability to use the single load-balancing group address in the Base URL would appear.
Most likely, it simply meant distributing SAML authentication requests across different nodes.
05-25-2023 06:19 AM - edited 05-25-2023 06:20 AM
@Milos_Jovanovic I'm posting as a reply to this thread as my issue is quite similar.
I am trying to add a "backup server" to an existing working remote access VPN on FTD 7.0.5 that's using SAML authentication to Azure AD. The backup is for the clients to use the secondary ISP FQDN when the primary is not available. So it is a single tunnel-group with VPN active on two interfaces (Outside-ISP1 and Outside-ISP2).
Given that it is a single tunnel-group, I can only define a single SSO server from the ASA side. Yet from the Azure IdP side the SP targets would be two unique FQDNs, e.g., vpn.company.com and vpn2.company.com in the VPN profile as shown below. That implies two enterprise application instances, which would mean two SSO servers.
<ServerList>
    <HostEntry>
        <HostName>Company VPN</HostName>
        <HostAddress>vpn.company.com</HostAddress>
        <BackupServerList>
            <HostAddress>vpn2.company.com</HostAddress>
        </BackupServerList>
    </HostEntry>
</ServerList>
How would we make this work?
05-26-2023 05:30 AM
Hey @Marvin Rhoads,
From my standpoint, your case is quite different from the one described.
With VPN LB, we have multiple FQDNs, but terminating on different devices. In your case, we have multiple FQDNs, but all on the same device, which is not convenient.
When you configure a SAML IdP, you provide its name (usually the Azure tenant ID), and within it you provide the base URL (which is your FQDN). To my best knowledge (and I haven't checked or tested this), you can have exactly one base URL, as this is where the assertion token will be forwarded from Azure (so the ASA is expecting it on this URL). Something like:
saml idp https://sts.windows.net/XXXXX/
 url sign-in https://login.microsoftonline.com/XXXXX/saml2
 url sign-out https://login.microsoftonline.com/XXXXX/saml2
 base-url https://myfqdn1.mydomain.com
 trustpoint idp XXXX       ---- CertFromAzure
 trustpoint sp XXXX        ---- Whatever is used under "show run ssl"
 no signature
 no force re-authentication
 timeout assertion 600
!
If you have multiple URLs, you would need to configure them as multiple base URLs on the ASA. As I said, I believe it is not possible to do this under the same SAML IdP config. In theory, you could create another SAML IdP (which would also mean you need two tunnel-groups, to invoke different IdPs) with a different name (a dummy name, as it is just a name, right?).
Having said that, I would not go down this road, as it is too complex from my standpoint. I would rather rely on a DNS change (keep the FQDN on the primary ISP, with a short TTL, and change it to the second ISP in case of need). I know it is a manual job, and hardly redundancy, but I don't really have a good solution for the mentioned use case.
Regards,
Milos
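The rule behind both of Milos's replies (the per-node base URL and ACS for VPN load balancing, and the single base URL per SAML IdP entry in the two-FQDN backup case) is that the IdP only returns the assertion to a reply URL it has registered, and the ASA only completes the login if that URL lands on the node holding the session. The model below is an added example written for this thread; it is not Cisco, Azure or forum code, and it does not reproduce the "Failed to generate SAML AuthnRequest" error itself. The host names, the tunnel-group name RA-VPN, and the semantics of local-base-url (taken here to replace only the ACS host) are assumptions; the entity ID and ACS URL patterns are the ones Cisco documents for the ASA SAML SP.

```python
"""Model of the URL agreement between an ASA SAML SP and its IdP (added example).

Assumed: host names, tunnel-group RA-VPN, and local-base-url semantics (taken to
replace only the ACS host; verify against the config guide for your release).
URL patterns as Cisco documents them for the ASA SAML SP:
  entity ID  https://<base-url>/saml/sp/metadata/<tunnel-group>
  ACS URL    https://<base-url>/+CSCOE+/saml/sp/acs?tgname=<tunnel-group>
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse
from uuid import uuid4
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

@dataclass
class SamlSp:
    """One ASA SAML SP endpoint: the host the session lives on plus its URLs."""
    node_fqdn: str            # host the VPN session actually terminates on
    tunnel_group: str
    base_url: str             # 'base-url' under 'saml idp'
    local_base_url: str = ""  # 'local-base-url' (9.18.3+), assumed semantics above

    def entity_id(self) -> str:
        return f"{self.base_url}/saml/sp/metadata/{self.tunnel_group}"

    def acs_url(self) -> str:
        host = self.local_base_url or self.base_url
        return f"{host}/+CSCOE+/saml/sp/acs?tgname={self.tunnel_group}"

    def authn_request(self) -> str:
        """Minimal SAML 2.0 AuthnRequest carrying the two values the IdP checks."""
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": "_" + uuid4().hex, "Version": "2.0",
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "AssertionConsumerServiceURL": self.acs_url()})
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = self.entity_id()
        return ET.tostring(req, encoding="unicode")

@dataclass
class IdpApp:
    """One enterprise application at the IdP: identifier plus registered reply URLs."""
    identifier: str
    reply_urls: set = field(default_factory=set)

def idp_accept(apps, authn_request_xml: str) -> str:
    """IdP side: match Issuer to an app, require the ACS to be a registered reply
    URL, and return the URL the assertion will be POSTed to."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    acs = root.get("AssertionConsumerServiceURL")
    app = next((a for a in apps if a.identifier == issuer), None)
    if app is None:
        raise ValueError(f"no application registered with identifier {issuer}")
    if acs not in app.reply_urls:
        raise ValueError(f"{acs} is not a registered reply URL of {issuer}")
    return acs

def check_deployment(sps, apps) -> list:
    """One finding per SP whose login cannot complete on the node the user is on."""
    findings = []
    for sp in sps:
        try:
            acs_host = urlparse(idp_accept(apps, sp.authn_request())).hostname
        except ValueError as e:
            findings.append(f"{sp.node_fqdn}: IdP rejects request: {e}")
            continue
        if acs_host != sp.node_fqdn:
            findings.append(f"{sp.node_fqdn}: assertion will be POSTed to {acs_host}, "
                            "not to the node holding the session")
    return findings

# A: the original post, both nodes use the VIP as base-url, one IdP app.
def shared_vip_base_url() -> list:
    sps = [SamlSp("vpn-gw1.example.com", "RA-VPN", "https://vpn.example.com"),
           SamlSp("vpn-gw2.example.com", "RA-VPN", "https://vpn.example.com")]
    return check_deployment(sps, [IdpApp(sps[0].entity_id(), {sps[0].acs_url()})])

# B: Milos's advice, base-url is each node's own FQDN, one IdP app per node.
def per_node_base_url() -> list:
    sps = [SamlSp("vpn-gw1.example.com", "RA-VPN", "https://vpn-gw1.example.com"),
           SamlSp("vpn-gw2.example.com", "RA-VPN", "https://vpn-gw2.example.com")]
    return check_deployment(sps, [IdpApp(s.entity_id(), {s.acs_url()}) for s in sps])

# C: local-base-url (assumed semantics): shared entity ID, per-node ACS, so a
# single IdP app with both nodes' ACS URLs registered as reply URLs.
def local_base_url() -> list:
    sps = [SamlSp("vpn-gw1.example.com", "RA-VPN", "https://vpn.example.com",
                  "https://vpn-gw1.example.com"),
           SamlSp("vpn-gw2.example.com", "RA-VPN", "https://vpn.example.com",
                  "https://vpn-gw2.example.com")]
    return check_deployment(sps, [IdpApp(sps[0].entity_id(), {s.acs_url() for s in sps})])

# D: the backup-server question, one device reached under two FQDNs but one
# tunnel-group, hence one base-url: the second FQDN's assertion lands on the first.
def one_device_two_fqdns() -> list:
    sps = [SamlSp("vpn.company.com", "RA-VPN", "https://vpn.company.com"),
           SamlSp("vpn2.company.com", "RA-VPN", "https://vpn.company.com")]
    return check_deployment(sps, [IdpApp(sps[0].entity_id(), {sps[0].acs_url()})])
```

Scenarios A and D each produce findings because the ACS host is not the host the user is connected to, while B and C produce none; the difference between B and C is only how many applications the IdP needs (one per ASA versus one with every node's ACS URL registered).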
08-07-2023 09:40 AM
Hi folks,
I created a blog post describing 3 different methods to get SAML to work with DNS load balancing: https://securityccie.net/2023/08/07/asa-dns-load-balancing-with-saml/
Thanks
09-19-2023 03:09 AM
@vibobrov
Hi,
I will implement AnyConnect SAML authentication with a load-balancing FQDN. I saw your blog; it's helpful.
But I have a small question. My understanding is: if I am running an ASA below 9.18, I need to configure an Azure AD application for each ASA, and if I am running ASA version 9.18 I can use the command "local-base-url" and configure only one application for the ASA in Azure AD. Am I correct?
09-19-2023 05:58 AM
@jewfcb001, it turned out that the local-base-url feature was added in 9.18.3, not the first release of 9.18.
Prior to that version, you have to define each ASA appliance as an application in Azure AD.
09-19-2023 06:02 AM
@vibobrov
Thank you for the response. And can we do the global URL with GSLB?
09-19-2023 08:27 AM
@jewfcb001, all solutions listed in my blog allow you to use a global URL. You would just need to pick which one makes the most sense in your environment. Realistically speaking, if you don't already utilize VPN Load balancing, the second solution would probably be the easiest to implement: https://securityccie.net/2023/08/07/asa-dns-load-balancing-with-saml/#Base-URL_Manipulation. I've implemented it at a customer a couple of months ago and it is working well.
09-19-2023 08:14 PM
@vibobrov
Thank you for the answer. In your blog: "With VPN Load balancing, a set of ASA firewalls are configured to share a common VIP address. All firewalls must share the same outside or public subnet."
Is this a function of load balancing?
If I need to configure VPN load balancing and share the VIP address from your example, do I need to configure the outside interface IP on each firewall in the same subnet as the other ASA?
Is my understanding below correct? Please help me.
Example:
ASA-1 outside interface IP: 192.168.1.1 255.255.255.0
ASA-2 outside interface IP: 192.168.1.2 255.255.255.0
09-20-2023 05:57 AM
Yes, all ASAs that are part of VPN load balancing need to be on the same outside subnet. This is one of a few posts about VPN load balancing: https://integratingit.wordpress.com/2020/03/14/asa-vpn-load-balancing/
