08-08-2022 10:36 AM
I can't seem to overcome the following error when configuring AnyConnect with SAML according to https://community.cisco.com/t5/security-knowledge-base/configure-anyconnect-with-saml-authentication-on-ftd-managed-via/ta-p/4467779:
Deployment Failed: User (blah) Triggered Deployment
ERROR: SAML IDP certificate failed
Config Error -- saml identity-provider https://sts.windows.net/#########-####-####-####-####
I found some documentation that stated DUO was the only supported SAML server, but that was for 6.7.0. I found other documentation that said it was supported on 7.0.1, which we're running. If I do a Google search for "ERROR: SAML IDP certificate failed" using quotes, there are only two responses. I can't figure out what's misconfigured, and I'm not sure if this is actually supported. Can anyone offer guidance on this? Thanks
11-18-2022 09:49 AM
Did this ever get resolved?
11-18-2022 11:48 AM
I think we have an answer, but it hasn't been implemented yet. Check out https://bst.cisco.com/bugsearch/bug/CSCvu95526.
Workaround: If the IDP allows it, you can create a custom certificate with basic constraints set by adding basicConstraints=CA:true in the certificate configuration. After that, upload the custom certificate to the IDP and FDM.
If you try this and it works, do you mind responding to this? Thanks
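As an added illustration of the workaround in the reply above (this is example code, not from the thread, the bug note, or Cisco): the script below builds a self-signed signing certificate with basicConstraints=CA:true using openssl, and includes a check that reports whether a given PEM certificate carries CA:TRUE, CA:FALSE, or no Basic Constraints extension at all. The file names, the subject CN, and the validity period are assumptions chosen for the illustration; the check against the IdP-provided certificate is the practical pre-flight step before pushing a deployment.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Builds a SAML IdP signing cert
# that carries basicConstraints=CA:true (the workaround from the bug note) and
# checks a PEM cert for that extension. File names and the CN are assumptions.
set -eu

# Minimal OpenSSL config so nothing is inherited from the system openssl.cnf;
# the only extension on the generated cert is the one added on the CLI.
write_req_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = saml-idp-signing
EOF
}

# Generate a self-signed cert with basicConstraints=CA:true.
# $1 = working directory. Prints the certificate path.
make_ca_flagged_cert() {
  dir=$1
  write_req_config "$dir/req.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/req.cnf" \
    -addext "basicConstraints=CA:true" \
    -keyout "$dir/saml-idp.key" -out "$dir/saml-idp.crt" 2>/dev/null
  printf '%s\n' "$dir/saml-idp.crt"
}

# Report what a PEM certificate says in its Basic Constraints extension:
# "CA:TRUE", "CA:FALSE", or "absent" (the case the workaround is for).
ca_flag_of() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Basic Constraints/ {
           found = 1; getline;
           if ($0 ~ /CA:TRUE/) print "CA:TRUE";
           else if ($0 ~ /CA:FALSE/) print "CA:FALSE";
           else print "absent";
         }
         END { if (!found) print "absent" }'
}

# Succeed only if the cert has the flag the workaround calls for.
check_before_upload() {
  [ "$(ca_flag_of "$1")" = "CA:TRUE" ]
}

# Usage: sh saml_cert_check.sh [cert.pem]
# With a path: report the Basic Constraints state of that cert (for example,
# the one downloaded from the IdP). Without: build a sample cert and check it.
case "${1-}" in
  "")
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    crt=$(make_ca_flagged_cert "$work")
    printf '%s -> %s\n' "$crt" "$(ca_flag_of "$crt")"
    ;;
  *)
    ca_flag_of "$1"
    ;;
esac
```

Running the script against the certificate the IdP hands out tells you up front whether you are in the "absent" case before you spend a deployment on it; the generated key and certificate are the pair you would then upload to both the IdP and FDM, as the reply describes.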
11-18-2022 11:51 AM
Thanks for the reply. I think we're going to just wait on a new version, since we are using Office 365 MFA which provides the IDP certificate.