SAML MFA AZURE and ASA

bshoja
Level 1

I have configured the tunnel-profile in the same way, as well as the SAML IdP for Azure and the trustpoint with the respective cert.

Only one is working; the other one shows "Authentication failed due to problem retrieving the single sign-on cookie."

I have found the below bugs

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23605 

https://bst.cisco.com/bugsearch/bug/CSCvi29084 

Is there any way to add the second cert as a trustpoint into the same saml idp? I do not see any possibility; it will overwrite the existing one.

Is it possible that if we create a new app in Azure it will generate a new SAML IdP? Then it would be easy to add the second trustpoint cert.

Best Regards

6 Replies

gajownik
Cisco Employee

As you already found it's possible to override IdP trustpoint for a specific group with ASA 9.17+ and FTD 7.1+ (search for SAML):
https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/release/notes/asarn917.html#Cisco_Reference.dita_ee9bc6d6-010e-49a1-ba73-4404f4a46408
https://www.cisco.com/c/en/us/td/docs/security/firepower/710/relnotes/firepower-release-notes-710/features.html

You can override a trustpoint under tunnel-group->webvpn:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/S/asa-command-ref-S/sa-shov-commands.html#ariaid-title5

You can't add a secondary trustpoint under the IdP settings.

If you can't upgrade the code, for example if you have really old hardware that doesn't support newer releases, then the only workaround is to use the same trustpoint in Azure in all applications. How to manage certificates in Azure is explained here:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on

@gajownik one more question. On the ASA 5515 running version 9.12(4), is it possible to add a second saml idp?
saml idp https://sts.windows.net/{{ idp }}/{{ App ID }} - first one

saml idp https://sts.windows.net/{{ idp }}/{{ App TEST ID }} - second one

After that I can add an IdP trustpoint for the respective saml idp: App ID for the first one and App TEST ID for the second one.

I have tested adding one saml idp and the ASA will not overwrite it; the only thing that gets overwritten is when we add the second trustpoint (cert) on the same saml idp.

So can I also consider this a solution?

It's possible to configure multiple SAML IdPs in ASA/FTD. Each tunnel group can then use a different SAML IdP for SAML authentication.

We just need to make sure that whatever you configure under "saml idp <name>" (in your example https://sts.windows.net/{{ idp }}/{{ App TEST ID }}) matches the "Azure AD Identifier". This value can be found in Step 9 of https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html

I don't know if you can tweak this value in Azure. It would be quite interesting to find out the results of your tests.
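An ASA CLI sketch of the two approaches discussed in the replies above: one "saml idp" per Azure application (each with its own IdP trustpoint, usable on 9.12), and the 9.17+/7.1+ per-tunnel-group trustpoint override via "saml idp-trustpoint" from the command reference linked above. This is an added example, not configuration posted by anyone in the thread; the trustpoint names, tunnel-group names, the base-url hostname and the {{ ... }} placeholders are assumptions, and the sign-in/sign-out URLs must be taken from your own Azure app.

```text
! Added example, not from the thread. Names and hostnames are placeholders.
!
! Approach 1: one "saml idp" per Azure enterprise application.
! Each "saml idp" name must equal that app's "Azure AD Identifier".
webvpn
 saml idp https://sts.windows.net/{{ idp }}/{{ App ID }}
  url sign-in https://login.microsoftonline.com/{{ idp }}/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  ! trustpoint holding the signing cert downloaded from the PROD app
  trustpoint idp AZURE-APP-PROD
  trustpoint sp ASA-SP-CERT
  no signature
 saml idp https://sts.windows.net/{{ idp }}/{{ App TEST ID }}
  url sign-in https://login.microsoftonline.com/{{ idp }}/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  ! trustpoint holding the signing cert downloaded from the TEST app
  trustpoint idp AZURE-APP-TEST
  trustpoint sp ASA-SP-CERT
  no signature
!
! Each tunnel-group is bound to its own IdP.
tunnel-group PROD-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/{{ idp }}/{{ App ID }}
tunnel-group TEST-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/{{ idp }}/{{ App TEST ID }}
!
! Approach 2 (ASA 9.17+ / FTD 7.1+): share one "saml idp" and override only
! the IdP trustpoint for the tunnel-group whose Azure app signs with another
! certificate. A secondary trustpoint under "saml idp" itself is not possible.
tunnel-group TEST-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/{{ idp }}/{{ App ID }}
 saml idp-trustpoint AZURE-APP-TEST
!
! Workaround for CSCvi23605 mentioned in the thread: after editing a
! "saml idp", detach and re-attach it so the change takes effect.
tunnel-group TEST-VPN webvpn-attributes
 no saml identity-provider https://sts.windows.net/{{ idp }}/{{ App ID }}
 saml identity-provider https://sts.windows.net/{{ idp }}/{{ App ID }}
```

Verify the result with "show saml metadata <tunnel-group>" and "debug webvpn saml 255" while a test user signs in; a wrong IdP trustpoint shows up as the same cookie-retrieval failure quoted in the original question.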

I had a use case today and followed the process to add an Override Identity Provider certificate in the AAA section of the connection profile. It worked perfectly. You just need to enroll the certificate to a trustpoint on the device first from the Device Certificates page. That way it will be available from the dropdown menu in the VPN configuration.

bshoja
Level 1

@gajownik thank you very much!

We ran into the same problem with an ASA 5500-X on 9.16.4, which is the last available OS for it, so no more upgrades.

We simply created (with openssl/xca) a self-signed certificate and imported it into both Azure apps and into the ASA, as mentioned before.
The certificate is very simple: only a CN and no further extensions. And it works well.

But be aware of the SAML-bugs like:
CSCvi23605: Re-enable SAML to make config changes take effect

You have to reboot the machine after editing the SAML config, or detach and re-attach the config to the tunnel-group.