
SSO with AnyConnect SAML Authentication with Cisco ASA vs. Keycloak

I'm trying to implement SAML authentication for a certain tunnel group for Cisco AnyConnect. The Identity Provider is Keycloak, set up by another vendor and actively used by other SSO service providers (clients). I was using "Configure a SAML 2.0 Identity Provider (IdP)" as a configuration aid.

Keycloak is located in a network segment directly attached to the ASA; a DMZ with external IP addresses. The Keycloak-server can be reached from external clients: access-lists allow http(s) access from outside.

Versions involved:

  • ASA 9.16(3)23
  • AnyConnect 4.10.06079

ASA-Configuration

  • I've successfully imported the certificate from the IdP into a new trustpoint.
  • Configuration excerpt:
    webvpn
    saml idp https://auth.redacted-group.com/realms/redacted
     url sign-in https://auth.redacted-group.com/realms/redacted/protocol/saml
     url sign-out https://auth.redacted-group.com/realms/redacted/protocol/saml
     trustpoint idp saml-server-cert
     trustpoint sp local-certificate
     signature rsa-sha256
    !
    tunnel-group SAML_CUS webvpn-attributes
     authentication saml
     group-alias SAML_CUS enable
     saml identity-provider https://auth.redacted-group.com/realms/redacted
  • The IdP side (Keycloak) could then retrieve the SP metadata that the ASA publishes for the IdP at https://ASA-IP/saml/sp/metadata/tunnel-group-name.

Error message

The customer says it's not working. I've tried connecting with an Apple iOS device (iPad) with the latest available AnyConnect client installed. This shows the error message "Authentication failed due to problem navigating to the single sign-on URL." - the same error message the customer was getting.

More detailed error messages from the AnyConnect log are documented in the screenshot I've attached. They basically reinforce that the IdP can't be contacted. I get no (related) output when using "debug webvpn saml 255" on the ASA. I was unable to track down a comprehensive explanation of "kCFErrorDomainCFNetwork Code -1004".

Trying to access that URL with a normal browser from the same device on which AnyConnect fails successfully redirects to the Keycloak server. On a side note, this doesn't work when I add "internal" to the IdP configuration and include the DMZ network in split-tunneling at the same time. Not sure if this is related, though.

I'm currently at a loss understanding what's going wrong and how to establish a more solid understanding to eventually make SSO work for the customer. Hints are well appreciated.


Accepted Solution

Got it to run with two changes:

  • The referencing URLs in Keycloak must be changed to https instead of http.
  • The base-url parameter in the IdP configuration on the ASA seems to be mandatory:
    base-url https://asa.external.dns.name.goes.here
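The two fixes above can be verified before testing with a client. The following script is an added example, not code from the thread: it parses the IdP descriptor Keycloak publishes and the SP metadata the ASA publishes for the tunnel group, then checks that the ASA "saml idp" block matches the IdP side, that every SP URL is https and rooted at the configured base-url host, and that the Keycloak SAML client carries exactly the URLs the ASA publishes (as the poster found, http entries on the Keycloak side break the flow). The hostnames, realm name and tunnel-group name are placeholders, and both XML documents are constructed to mirror the documented metadata shape rather than captured from a real device.

```python
"""Cross-check an ASA <-> Keycloak SAML pairing (added example, not from the
thread). ASA 'saml idp' block, Keycloak IdP descriptor, ASA SP metadata and the
Keycloak SAML client must all agree. Hosts, realm and tunnel-group are
placeholders; both XML documents are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# ASA side, as typed under 'webvpn' (placeholder values)
ASA_CONFIG = {
    "saml idp": "https://auth.example.com/realms/vpn",
    "url sign-in": "https://auth.example.com/realms/vpn/protocol/saml",
    "url sign-out": "https://auth.example.com/realms/vpn/protocol/saml",
    "base-url": "https://asa.example.com",
}

# Constructed IdP descriptor of the shape Keycloak serves at
# https://<keycloak>/realms/<realm>/protocol/saml/descriptor
IDP_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://auth.example.com/realms/vpn">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="{REDIRECT}"
          Location="https://auth.example.com/realms/vpn/protocol/saml"/>
      <md:SingleSignOnService Binding="{REDIRECT}"
          Location="https://auth.example.com/realms/vpn/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed SP metadata of the shape the ASA serves at
# https://<asa>/saml/sp/metadata/<tunnel-group>
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://asa.example.com/saml/sp/metadata/SAML_CUS">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://asa.example.com/+CSCOE+/saml/sp/logout"/>
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{POST}"
        Location="https://asa.example.com/+CSCOE+/saml/sp/acs?tgname=SAML_CUS"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Keycloak SAML client as first entered: http where https is needed
KEYCLOAK_CLIENT_HTTP = {
    "Client ID": "https://asa.example.com/saml/sp/metadata/SAML_CUS",
    "Assertion Consumer Service POST Binding URL":
        "http://asa.example.com/+CSCOE+/saml/sp/acs?tgname=SAML_CUS",
    "Logout Service Redirect Binding URL": "http://asa.example.com/+CSCOE+/saml/sp/logout",
}

def _entity_id(root):
    """entityID of the first EntityDescriptor, wrapped in EntitiesDescriptor or not."""
    tag = f"{{{MD}}}EntityDescriptor"
    el = root if root.tag == tag else root.find(f".//{tag}")
    return el.get("entityID") if el is not None else None

def _location(root, tag, binding):
    """Location of the first <tag> endpoint advertised with this binding."""
    for el in root.iter(f"{{{MD}}}{tag}"):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None

def keycloak_client_from_sp_metadata(sp_xml):
    """Keycloak SAML client fields that match the SP metadata the ASA publishes."""
    sp = ET.fromstring(sp_xml)
    return {
        "Client ID": _entity_id(sp),
        "Assertion Consumer Service POST Binding URL":
            _location(sp, "AssertionConsumerService", POST),
        "Logout Service Redirect Binding URL": _location(sp, "SingleLogoutService", REDIRECT),
    }

def check_pairing(asa_cfg, idp_xml, sp_xml, kc_client):
    """Return a list of mismatches; an empty list means all sides agree."""
    findings, idp = [], ET.fromstring(idp_xml)
    # 1. ASA -> IdP: the URLs the ASA sends users to must be what Keycloak advertises
    want_idp = {"saml idp": _entity_id(idp),
                "url sign-in": _location(idp, "SingleSignOnService", REDIRECT),
                "url sign-out": _location(idp, "SingleLogoutService", REDIRECT)}
    for key, want in want_idp.items():
        if asa_cfg.get(key) != want:
            findings.append(f"ASA '{key}' is {asa_cfg.get(key)!r}, IdP advertises {want!r}")
    # 2. SP metadata: every URL must be https and on the base-url host
    sp_urls = keycloak_client_from_sp_metadata(sp_xml)
    base = asa_cfg.get("base-url")
    if not base:
        findings.append("ASA 'base-url' not set; SP metadata host follows whatever the request hit")
    for name, url in sp_urls.items():
        u = urlsplit(url or "")
        if u.scheme != "https":
            findings.append(f"SP {name!r} is not https: {url!r}")
        elif base and u.netloc != urlsplit(base).netloc:
            findings.append(f"SP {name!r} host {u.netloc!r} differs from base-url {base!r}")
    # 3. Keycloak client must carry exactly what the ASA publishes
    for field, want in sp_urls.items():
        if kc_client.get(field) != want:
            findings.append(f"Keycloak {field!r} is {kc_client.get(field)!r}, ASA publishes {want!r}")
    return findings

if __name__ == "__main__":
    for f in check_pairing(ASA_CONFIG, IDP_METADATA, SP_METADATA, KEYCLOAK_CLIENT_HTTP):
        print("MISMATCH:", f)
    fixed = keycloak_client_from_sp_metadata(SP_METADATA)
    print("after fix:", check_pairing(ASA_CONFIG, IDP_METADATA, SP_METADATA, fixed))
```

Against the constructed inputs the script reports the two http entries in the Keycloak client and nothing else; replacing them with the values derived from the SP metadata clears the list. Dropping "base-url" from the ASA config produces a separate finding, since without it the host in the SP metadata is not pinned (the poster's own metadata URL above shows the ASA IP rather than its DNS name). To run this against a live pair, fetch the two XML documents from the URLs named in the comments and paste the Keycloak client fields from the admin console.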

3 Replies

Would you mind sharing the Keycloak configuration? I used your config on the ASA and I am redirected to Keycloak, where I can log on, but after logon the client gives me the message "The cookie cannot be used". I suppose it's a problem between Keycloak and the ASA.

For testing purposes, I also use group-url in the tunnel-group webvpn-attributes, but I don't think that should be any kind of problem.

Unfortunately, I can't. The Keycloak installation is managed by a 3rd party vendor and I don't have access. Sorry!