Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
20831
Views
26
Helpful
6
Comments

Anyconnect VPN SAML SSO with Azure IdP, Multi-Tunnel Groups

nathan.browning
Level 1
Level 1

on ‎03-03-2022 07:16 AM

Symptoms

I had incredible difficulty locating details and even vendor support surrounding setting up Azure SSO to service anyconnect connectivity with multiple tunnel groups. So thought I'd potentially help by documenting the fix

Diagnosis

After following the microsoft or cisco community documentation for SAML SSO setup with anyconnect/ASA:

Tutorial: Azure Active Directory single sign-on (SSO) integration with Cisco AnyConnect | Microsoft Docs

However, at the point of registering the Identity URL. DO NOT make the same mistake and assumption of adding the additional Tunnel Group URLs to the identity and reply URLs, The last entry in the URL list will succeed but the other profiles will fail and lead to the following error on client side:

MicrosoftTeams-image (4).png

Solution


Pre-Requisites

- Create separate enterprise apps for each tunnel group <TunnelGroupName>

CiscoAnyconnect-apps.png

- External SSL Certificate for your domain registered for anyconnect  (I had a wildcard cert for this)


Azure config:

- Follow guide, for each created app for each tunnel group:

 Tutorial: Azure Active Directory single sign-on (SSO) integration with Cisco AnyConnect | Microsoft Docs

until this point:

anyconnect-cert.png

- Click Edit

anyconnect-certedit.png

- Select import Cert:

anyconnect-importcert.png
- Select your cert and enter passphrase (must be PFX format), Click Add

anyconnect-importcertpass.png

- Activate Certificate:

anyconnect-activatecert.png
NOTE: Certifate for each app must all be the same


ASA Config:

  1. You are going to do this on the CLI first, you might come back through and do an ASDM walk-through at another time.

  2. Connect to your VPN Appliance, you are going to be using an ASA running 9.8 code train, and your VPN clients will be 4.6+.

  3. First you will create a Trustpoint and import our SAML cert.

     config t

 crypto ca trustpoint AzureAD-AC-SAML
   revocation-check none
   no id-usage
   enrollment terminal
   no ca-check
 crypto ca authenticate AzureAD-AC-SAML
 -----BEGIN CERTIFICATE-----
 …
 PEM Certificate Text from download goes here
 …
 -----END CERTIFICATE-----
 quit

  4. The following commands will provision your SAML IdP.

     

     webvpn
 saml idp https://sts.windows.net/xxxxxxxxxxxxx/ (This is your Azure AD Identifier from the Set up Cisco AnyConnect section in the Azure portal)
 url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2 (This is your Login URL from the Set up Cisco AnyConnect section in the Azure portal)
 url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 (This is Logout URL from the Set up Cisco AnyConnect section in the Azure portal)
 trustpoint idp AzureAD-AC-SAML
 trustpoint sp (Trustpoint for SAML Requests - you can use your existing external cert here)
 no force re-authentication
 no signature
 base-url https://my.asa.com

  5. Now you can apply SAML Authentication to a VPN Tunnel Configuration.

     

     

    tunnel-group AC-SAML webvpn-attributes
  saml identity-provider https://sts.windows.net/xxxxxxxxxxxxx/
  authentication saml
end

write mem
Labels:
Comments
MaErre21325
Level 1
Level 1
‎02-20-2023 03:19 AM

Hello @nathan.browning ,

Ii this working with firepower 2100?
Am i obligated to use one anyconnect app per tunnel group or can be used only one app modifying the entity id string and reply URL on azure?

MaErre21325
Level 1
Level 1
‎02-22-2023 07:42 AM

Hello,
i've tried your procedure and worked!!!! thank you man! you saved me

 

jseaman4f
Level 1
Level 1
‎08-17-2023 09:28 AM

This was super helpful. Something to note is that you need to create your own PFX certificate which you can use in Azure AD Signing Certificate for all Enterprise App SAML configs.

dmills488
Level 1
Level 1
‎10-03-2023 05:17 AM

I believe the need for multiple Azure IdP apps would be prevented once this bug is fixed:

CSCvu23053

CSCwb66890

Ivan Marinovic
Level 1
Level 1
‎10-12-2023 06:11 AM

Hello @nathan.browning ,

can someone explain more part about the certificate?

- External SSL Certificate for your domain registered for anyconnect  (I had a wildcard cert for this)

What certificate did you use? wildcard for your organization or selfsignecertificate?


Best regards,
Ivan

ethantaylor
Level 1
Level 1
‎01-25-2024 11:17 AM

Hello,

So, I've been trying to get this to work and I've been running into issues. I've followed this guide, which is great btw, and when I go to test it I get an error saying that the application with identifier was not found. We have four tunnel groups and have our group urls set up as 'https://subdomain.domain.com',  if I don't add a base-url it looks for 'http://fqdn/saml...' and when I do add a base-url it looks for 'https://domain.com/saml...'. I have the config in Azure set up just like it shows in this guide and I have verified that the URLs are upper/lowercase where needed and using https, I have users assigned to the tunnel group that I'm testing, and have checked the saml metadata on the ASA which has the incorrect URL (http://fqdn/saml...). I'm obviously missing something simple. We're using a FirePower 2110 FTD with ASA 9.14 installed managed by ASDM and using Microsoft Authenticator for MFA.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents