Solved: SSO with Anyconnect SAML Authentication with Cisco ASA vs. Keycloak

Mathias Peter IT · ‎04-24-2023

I'm trying to implement SAML Authentication for a certain Tunnel Group for Cisco Anyconnect. The Identity Provider is Keycloak being set up from another vendor and actively being used by other SSO Service Providers (clients). I was using Configure a SAML 2.0 Identity Provider (IdP) as configuration aide.

Keycloak is located in a network segment directly attached to the ASA; a DMZ with external IP addresses. The Keycloak-server can be reached from external clients: access-lists allow http(s) access from outside.

Versions involved:

ASA 9.16(3)23
Anyconnect 4.10.06079

ASA-Configuration

I've successfully imported the certificate from the IDP into a new trustpoint.

Configuration excerpt:

webvpn
saml idp https://auth.redacted-group.com/realms/redacted
 url sign-in https://auth.redacted-group.com/realms/redacted/protocol/saml
 url sign-out https://auth.redacted-group.com/realms/redacted/protocol/saml
 trustpoint idp saml-server-cert
 trustpoint sp local-certificate
 signature rsa-sha256
!
tunnel-group SAML_CUS webvpn-attributes
 authentication saml
 group-alias SAML_CUS enable
 saml identity-provider https://auth.redacted-group.com/realms/redacted

The IdP (Keycloak) could then access the URL revealing the SAML configuration presented by the ASA for the IdP (https://ASA-IP/saml/sp/metadata/tunnel-group-name).

Error message

The customer says, it's not working. I've tried connecting with an Apple iOS device (iPad) with the latest available AnyConnect client installed. This shows the error message "Authentication failed due to problem navigating to the single sign-on URL." - the same error message the customer was getting.

More detailed error messages from the Anyconnect log are documented in the screen shot I've attached. They basically reinforce that the IdP can't be contacted. I get no (related) output when using "debug webvpn saml 255" on the ASA. I was unable to track down a comprehensive explanation about "kCFErrorDomainCFNetwork Code" -1004.

Trying to access that URL with a normal browser from the same Anyconnect-failing device successfully establishes a redirect to the Keycloak Server. On a side note, this doesn't work when I add "internal" to the IdP configuration and have included the DMZ network into split-tunneling at the same time. Not sure if this is related, though.

I'm currently at a loss understanding what's going wrong and how to establish a more solid understanding to eventually make SSO work for the customer. Hints are well appreciated.

Mathias Peter IT · ‎04-25-2023

Got it to run with two changes:

Referencing URLs in Keycloak must be changed to https instead of http
The base-url-parameter in the IdP-configuration in the ASA seems to be mandatory

base-url https://asa.external.dns.name.goes.here

View solution in original post

Mathias Peter IT · ‎04-25-2023

Got it to run with two changes:

Referencing URLs in Keycloak must be changed to https instead of http
The base-url-parameter in the IdP-configuration in the ASA seems to be mandatory

base-url https://asa.external.dns.name.goes.here

ZeJoseFromEurope · ‎06-21-2023

Would you mind sharing the Keycloak Configuration. I use your Config on the ASA and i am redirected to Keycloak where I can Log On, but after Logon the Client gives me the Message of "The Cookie can not be used". I suppose a problem between Keycloak and ASA.

For testing purposes, i also use group-url in the tunnel-group webvpn-attributes but I dont't think, that should be any kind of a problem.

Mathias Peter IT · ‎06-22-2023

Unfortunately, I can't. The Keycloak installation is managed by a 3rd party vendor and I don't have access. Sorry!