SAML IdP Certificate Error for FTD Running 7.0.1 Managed by FDM

ABaker94985
Spotlight

I can't seem to overcome the following error when configuring AnyConnect with SAML according to https://community.cisco.com/t5/security-knowledge-base/configure-anyconnect-with-saml-authentication-on-ftd-managed-via/ta-p/4467779:

Deployment Failed: User (blah) Triggered Deployment
ERROR: SAML IDP certificate failed
Config Error -- saml identity-provider https://sts.windows.net/#########-####-####-####-####

I found some documentation that stated DUO was the only supported SAML server, but that was for 6.7.0. I found other documentation that said it was supported on 7.0.1, which we're running. If I do a Google search for "ERROR: SAML IDP certificate failed" using quotes, there are only two responses. I can't figure out what's misconfigured, and I'm not sure if this is actually supported. Can anyone offer guidance on this? Thanks

7 Replies

quinn
Level 1

Did this ever get resolved?

ABaker94985
Spotlight

I think we have an answer, but it hasn't been implemented yet. Check out https://bst.cisco.com/bugsearch/bug/CSCvu95526

Workaround: If the IDP allows it, you can create a custom certificate with basic constraints set by adding basicConstraints=CA:true in the certificate configuration. After that, upload the custom certificate to the IDP and FDM.

If you try this and it works, do you mind responding to this? Thanks

Thanks for the reply. I think we're going to just wait on a new version, since we are using Office 365 MFA which provides the IDP certificate.

We are trying to configure Azure MFA login with AnyConnect. So do you know how to create the IdP certificate in Azure with this constraint? I see no possibility there...

You can upload custom certs to enterprise apps in Azure. When you create a custom cert using OpenSSL, enable the flag and then upload it to Azure.

Jack G
Level 1

Found this: Configure RAVPN with SAML Authentication Using Azure as IdP on FTD Managed by FDM 7.2 and Lower - Cisco

Question is how do I sign the CSR with a Windows CA? The signed certificate appears to remove the CA:true. Do I need to use specific template with specific options?

CSR:

Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption

Signed cert:

X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE

Jack G
Level 1

Got it to work. I used the program X - Certificate and Key Management to generate a self-signed CA and then another certificate with CA:true. Not sure how to get it to work with a Windows CA server. I also didn't put in the FQDN for the Outside interface under the remote access configuration. This was helpful for pointing that out: Configure Anyconnect with SAML authentication on FTD managed via FDM - Cisco Community
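The OpenSSL route mentioned in the workaround and the "enable the flag" reply above, as an added example that is not code from any poster in this thread: it generates a self-signed IdP signing certificate whose Basic Constraints extension is CA:TRUE, then reads that extension back from the resulting file, which is the same check that exposes a CA rewriting it to CA:FALSE as the Windows CA did in the CSR/signed-cert comparison. The subject name, file names and keyUsage values are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed SAML IdP signing
# certificate with basicConstraints=CA:TRUE, the workaround the bug note
# describes, and verify the extension survived in the issued certificate.
set -eu

# Minimal OpenSSL config; the [ saml_ext ] section carries the CA:TRUE flag.
# The subject CN is a placeholder; replace it with the IdP's identifier.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = saml_ext
prompt             = no

[ dn ]
CN = saml-idp-signing.example.invalid

[ saml_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
EOF
}

# Key and self-signed certificate in one step: no CSR, so no external CA
# template can drop or rewrite the requested extensions.
make_idp_cert() {
  dir=$1
  write_config "$dir/saml.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/saml.cnf" \
    -keyout "$dir/saml-idp.key" -out "$dir/saml-idp.crt" >/dev/null 2>&1
}

# Print the Basic Constraints value (CA:TRUE or CA:FALSE) of a PEM cert.
# Run this on whatever a CA hands back before uploading it to FDM.
basic_constraints() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Basic Constraints' | grep -o 'CA:[A-Z]*'
}

# Stand-alone usage when the file is run directly as saml_idp_cert.sh.
if [ "${0##*/}" = "saml_idp_cert.sh" ]; then
  work=$(mktemp -d)
  make_idp_cert "$work"
  basic_constraints "$work/saml-idp.crt"
fi
```

Upload saml-idp.crt to the enterprise app in Azure as its signing certificate and to FDM as the IdP certificate; the same basic_constraints check on a CA-issued file shows whether the signing template preserved the flag.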