I'm trying to implement SAML Authentication for a certain Tunnel Group for Cisco Anyconnect. The Identity Provider is Keycloak being set up from another vendor and actively being used by other SSO Service Providers (clients). I was using Configure a SAML 2.0 Identity Provider (IdP) as configuration aide.
Keycloak is located in a network segment directly attached to the ASA; a DMZ with external IP addresses. The Keycloak-server can be reached from external clients: access-lists allow http(s) access from outside.
webvpn saml idp https://auth.redacted-group.com/realms/redacted url sign-in https://auth.redacted-group.com/realms/redacted/protocol/saml url sign-out https://auth.redacted-group.com/realms/redacted/protocol/saml trustpoint idp saml-server-cert trustpoint sp local-certificate signature rsa-sha256 ! tunnel-group SAML_CUS webvpn-attributes authentication saml group-alias SAML_CUS enable saml identity-provider https://auth.redacted-group.com/realms/redacted
The customer says, it's not working. I've tried connecting with an Apple iOS device (iPad) with the latest available AnyConnect client installed. This shows the error message "Authentication failed due to problem navigating to the single sign-on URL." - the same error message the customer was getting.
More detailed error messages from the Anyconnect log are documented in the screen shot I've attached. They basically reinforce that the IdP can't be contacted. I get no (related) output when using "debug webvpn saml 255" on the ASA. I was unable to track down a comprehensive explanation about "kCFErrorDomainCFNetwork Code" -1004.
Trying to access that URL with a normal browser from the same Anyconnect-failing device successfully establishes a redirect to the Keycloak Server. On a side note, this doesn't work when I add "internal" to the IdP configuration and have included the DMZ network into split-tunneling at the same time. Not sure if this is related, though.
I'm currently at a loss understanding what's going wrong and how to establish a more solid understanding to eventually make SSO work for the customer. Hints are well appreciated.
Solved! Go to Solution.
Would you mind sharing the Keycloak Configuration. I use your Config on the ASA and i am redirected to Keycloak where I can Log On, but after Logon the Client gives me the Message of "The Cookie can not be used". I suppose a problem between Keycloak and ASA.
For testing purposes, i also use group-url in the tunnel-group webvpn-attributes but I dont't think, that should be any kind of a problem.