SAML Profile using http:// when it should use https://

jmjh
Level 1

I am attempting to set up Azure AD login for Cisco AnyConnect. I have set up the SAML Connection profile on the ASA, and the Cisco AnyConnect app in Azure AD. When I go to log in using the profile I created for this, it goes to an http:// page. If I adjust that to an https:// page it gives me the Azure login, but then after logging in I get an error saying "Application with identifier 'http://....' was not found in the directory..."


How do I get this profile to use https:// instead of http://?

4 Replies

Marvin Rhoads
Hall of Fame

When you modify a SAML identity provider profile you need to de-associate it from the tunnel-group (aka connection profile in ASDM) and then re-associate it for it to take effect.

Reference:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi23605?rfs=iqvred

Thank you but this does not resolve the issue. The problem that I am having with the profile is that it is trying to use an http:// address for the SAML identity provider when the SAML requires an https:// address. I can't see where in the profile configuration on the ASA (5516) that I can change this.

The SAML IdP, including the access scheme (i.e., https), is configured in the webvpn section of the ASA configuration. It should look something like this:

webvpn
 saml idp https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/
  url sign-in https://login.microsoftonline.com/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AzureAD-IDP-Trustpoint
  trustpoint sp VPN_Trustpoint
  no force re-authentication
  no signature
  base-url https://vpn.mycompany.com

In ASDM that is done under Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Signon Servers. For some reason ASDM defaults to http in that section even though no SSO server I've ever seen uses anything but https.
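A small audit check for the scheme problem described in this thread, added here as an example and not part of the original posts or of Cisco's tooling: it parses the `webvpn` / `saml idp` block of an ASA running-config and flags every IdP entity ID, sign-in/sign-out URL, base-url, and tunnel-group `saml identity-provider` reference that is not `https://`. The config text is a constructed sample (placeholder tenant ID and hostname), not taken from a real device.

```python
import re

# Constructed sample: an ASA config excerpt with the ASDM http default left
# on the IdP entity ID and base-url. Placeholder tenant ID and hostname.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 saml idp http://sts.windows.net/00000000-0000-0000-0000-000000000000/
  url sign-in https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp AzureAD-IDP-Trustpoint
  trustpoint sp VPN_Trustpoint
  no force re-authentication
  no signature
  base-url http://vpn.mycompany.com
tunnel-group AZURE-SAML webvpn-attributes
 authentication saml
 saml identity-provider http://sts.windows.net/00000000-0000-0000-0000-000000000000/
"""

# Sub-commands of "saml idp" that carry a URL and must use https.
URL_KEYS = ("url sign-in", "url sign-out", "base-url")


def parse_saml_idps(config):
    """Return {entity_id: {key: value}} for each 'saml idp' block under webvpn."""
    idps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("saml idp "):
            current = line[len("saml idp "):]
            idps[current] = {}
        elif current and raw.startswith("  "):  # indented sub-command of the IdP
            for key in URL_KEYS:
                if line.startswith(key + " "):
                    idps[current][key] = line[len(key) + 1:]
        else:
            current = None  # left the saml idp block
    return idps


def find_non_https(config):
    """Flag every IdP identifier and IdP URL whose scheme is not https://."""
    findings = []
    for entity_id, attrs in parse_saml_idps(config).items():
        if not entity_id.startswith("https://"):
            findings.append(("saml idp", entity_id))
        for key, value in attrs.items():
            if not value.startswith("https://"):
                findings.append((key, value))
    # The tunnel-group must reference the IdP by the exact same string.
    for m in re.finditer(r"^\s*saml identity-provider (\S+)", config, re.M):
        if not m.group(1).startswith("https://"):
            findings.append(("saml identity-provider", m.group(1)))
    return findings
```

Run it against `show running-config webvpn` plus the relevant `tunnel-group` output; an empty result means every IdP identifier and URL already uses https.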

That worked! Thank you so much!