08-08-2022 10:36 AM
I can't seem to overcome the following error when configuring AnyConnect with SAML according to https://community.cisco.com/t5/security-knowledge-base/configure-anyconnect-with-saml-authentication-on-ftd-managed-via/ta-p/4467779:
Deployment Failed: User (blah) Triggered Deployment
ERROR: SAML IDP certificate failed
Config Error -- saml identity-provider https://sts.windows.net/#########-####-####-####-####
I found some documentation that stated DUO was the only supported SAML server, but that was for 6.7.0. I found other documentation that said it was supported on 7.0.1, which we're running. If I do a Google search for "ERROR: SAML IDP certificate failed" using quotes, there are only two results. I can't figure out what's misconfigured, and I'm not sure if this is actually supported. Can anyone offer guidance on this? Thanks
11-18-2022 09:49 AM
Did this ever get resolved?
11-18-2022 11:48 AM
I think we have an answer, but it hasn't been implemented yet. Check out https://bst.cisco.com/bugsearch/bug/CSCvu95526.
Workaround: If the IDP allows it, you can create a custom certificate with basic constraints set by adding basicConstraints=CA:true in the certificate configuration. After that, upload the custom certificate to the IDP and FDM.
If you try this and it works, do you mind responding to this? Thanks
11-18-2022 11:51 AM
Thanks for the reply. I think we're going to just wait on a new version, since we are using Office 365 MFA which provides the IDP certificate.
05-25-2023 01:23 AM
We are trying to configure Azure MFA login with AnyConnect. So do you know how to create the IdP certificate in Azure with this constraint? I see no possibility there...
03-06-2024 08:06 AM
You can upload custom certs to enterprise apps in Azure. When you create a custom cert using OpenSSL, enable the flag and then upload it to Azure.
04-17-2024 04:06 PM
Found this: Configure RAVPN with SAML Authentication Using Azure as IdP on FTD Managed by FDM 7.2 and Lower - Cisco
Question is how do I sign the CSR with a Windows CA? The signed certificate appears to remove the CA:true. Do I need to use specific template with specific options?
CSR:
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signed cert:
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
04-18-2024 06:46 AM - edited 04-18-2024 06:47 AM
Got it to work. I used the program X - Certificate and Key management to generate a self-signed CA and then another certificate with CA:true. Not sure how to get it to work with a Windows CA server. I also didn't put in the FQDN for the Outside interface under the remote access configuration. This was helpful for pointing that out: Configure Anyconnect with SAML authentication on FTD managed via FDM - Cisco Community
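As an added example (not code from the thread or from Cisco), here is the OpenSSL route mentioned above for the CSCvu95526 workaround: mint a self-signed IdP signing certificate that carries basicConstraints=CA:true, then parse it back to confirm the extension survived, which is the check that would have caught the Windows CA-signed cert that came back with CA:FALSE. The subject name and scratch directory are placeholders.

```shell
#!/bin/sh
# Added example: self-signed SAML IdP signing cert with CA:TRUE, plus a
# verification step. Subject CN and WORKDIR are assumptions, not values
# from the thread.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory (assumption)

# Minimal OpenSSL config; the idp_ext section carries the extension that
# FDM insists on (see bug CSCvu95526 in the thread).
write_openssl_cnf() {
    cat > "$WORKDIR/idp.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = idp_ext
prompt             = no
[ dn ]
CN = saml-idp-signing.example.com
[ idp_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash
EOF
}

# Generate a 2048-bit RSA key and a self-signed cert in one step.
make_idp_cert() {
    write_openssl_cnf
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -config "$WORKDIR/idp.cnf" \
        -keyout "$WORKDIR/idp.key" -out "$WORKDIR/idp.crt" >/dev/null 2>&1
}

# Return 0 only if the PEM cert's Basic Constraints line is followed by
# CA:TRUE; a CA:FALSE cert (the Windows CA result above) returns 1.
has_ca_true() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

make_idp_cert
if has_ca_true "$WORKDIR/idp.crt"; then
    echo "OK: $WORKDIR/idp.crt carries basicConstraints CA:TRUE"
else
    echo "FAIL: certificate lacks CA:TRUE; FDM deployment would fail" >&2
    exit 1
fi
```

Upload idp.crt to the Azure enterprise application as the custom signing certificate and to FDM as the IdP certificate; idp.key stays on the IdP side only.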