Azure SAML SSO Certificate Error, Firepower 1010

yritystuki
Level 1

Hi,

We are trying to implement Azure SAML SSO on our Firepower 1010.

We are using ASA 9.19.1 and Secure client 5.0.02075.

When we try the login via Azure by clicking "Test this application", the login works and there are no errors in the logs. The connection is visible in ASDM > Monitoring > VPN > VPN Statistics > Sessions.

When we try to login using the Secure client or weblogin, we are greeted with a blank page. The logs have these messages: 

3 Apr 22 2024 11:07:03 717027         Certificate chain failed validation. No suitable trustpoint was found to validate chain.
3 Apr 22 2024 11:07:03 717009         Certificate validation failed. No suitable trustpoints found to validate certificate serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, issuer name: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US.

6 Apr 22 2024 11:07:00 717022         Certificate was successfully validated. serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US.
6 Apr 22 2024 11:07:00 717028         Certificate chain was successfully validated with warning, revocation status was not checked.
3 Apr 22 2024 11:07:00 717027         Certificate chain failed validation. No suitable trustpoint was found to validate chain.
3 Apr 22 2024 11:07:00 717009         Certificate validation failed. No suitable trustpoints found to validate certificate serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, issuer name: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US.

When we test the login via Azure, there are no logs about the certificate.

The CLI command debug webvpn saml 255 gives this message:

[SAML] build_authnrequest:https://login.microsoftonline.com/URL REMOVED.

SAML AUTH: SAML hash table cleanup periodic task

Any help is much appreciated!

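The logs above show the same certificate accepted (717022) and rejected (717009) within the same second, a pattern worth flagging automatically rather than reading by eye. The following is an added example, not code from the original post or from Cisco: it parses the ASDM-style log lines quoted above, reports the PKI syslog outcomes per certificate subject, and lists the issuers the ASA could not chain to a trustpoint; the set of trusted CA subject DNs passed to untrusted_issuers is an assumed input that the operator fills in from the ASA's installed trustpoints.

```python
import re
from collections import defaultdict

# Constructed sample input: the four ASDM log-viewer lines quoted in the post
# (severity, timestamp, syslog ID, message; serial numbers redacted by the poster).
SAMPLE_LOGS = """\
3 Apr 22 2024 11:07:03 717027 Certificate chain failed validation. No suitable trustpoint was found to validate chain.
3 Apr 22 2024 11:07:03 717009 Certificate validation failed. No suitable trustpoints found to validate certificate serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US, issuer name: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US.
6 Apr 22 2024 11:07:00 717022 Certificate was successfully validated. serial number: S/N REMOVED, subject name: CN=stamp2.login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US.
6 Apr 22 2024 11:07:00 717028 Certificate chain was successfully validated with warning, revocation status was not checked.
"""

LINE_RE = re.compile(r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<id>\d{6})\s+(?P<msg>.*)$")
NAMES_RE = re.compile(r"subject name: (?P<subject>.*?)(?:, issuer name: (?P<issuer>.*?))?\.?$")
FAILURE_IDS = {"717009", "717027"}  # certificate / chain rejected: no trustpoint found
SUCCESS_IDS = {"717022", "717028"}  # certificate / chain accepted (717028 = with warning)

def parse_asa_pki_logs(text):
    """Parse ASDM-style ASA log lines into dicts: sev, ts, id, msg, subject, issuer."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ASA log line
        ev = m.groupdict()
        names = NAMES_RE.search(ev["msg"])  # only 717009 / 717022 carry the DNs
        ev["subject"] = names.group("subject") if names else None
        ev["issuer"] = names.group("issuer") if names else None
        events.append(ev)
    return events

def summarize(events):
    """Per certificate subject, which PKI syslog IDs fired. 'mixed' flags a subject
    both accepted and rejected, the contradictory pattern in the post's logs."""
    ids_by_subject = defaultdict(set)
    for ev in events:
        if ev["subject"]:
            ids_by_subject[ev["subject"]].add(ev["id"])
    report = {}
    for subject, ids in ids_by_subject.items():
        failed, ok = bool(ids & FAILURE_IDS), bool(ids & SUCCESS_IDS)
        report[subject] = {"ids": sorted(ids), "failed": failed, "succeeded": ok, "mixed": failed and ok}
    return report

def untrusted_issuers(events, trusted_ca_subjects):
    """Issuer DNs from 717009 failures that match none of the CA subject DNs the ASA
    has installed as trustpoints (trusted_ca_subjects is supplied by the operator)."""
    return sorted({ev["issuer"] for ev in events
                   if ev["id"] == "717009" and ev["issuer"] and ev["issuer"] not in trusted_ca_subjects})
```

A missing trustpoint is only one cause of this pattern; the poster's root cause turned out to be DNS settings in the VPN profile, so treat the issuer list as a lead rather than a verdict.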
Accepted Solution

yritystuki
Level 1

We figured it out, there were misconfigured DNS settings in the VPN profile.

Now SAML works as intended.

4 Replies

nubes-infra
Level 1

I found your post and, while we use an ASA5516-X and an older software version, we seem to have a similar issue. We have tracked it to the latest MS Edge or Google Chrome browsers. For most of our engineers the AnyConnect client keeps working (we use Duo SAML), but the web portal to download the client only works in Firefox. As soon as we downgrade to the previous Edge or Chrome, those browsers also work. We have had 2-3 users complain that their client won't work anymore either, but so far that is it.

Could you check if your webportal works in Firefox or the older Edge/Chrome to confirm we might hit the same issue?

Regards,

Roy

Hello Roy,

We tried using Firefox and the same blank page haunts us. Also downgrading Edge had no effect.

The weird thing is that the login works via Azure on every platform.

Hmm, looks to be a different issue then.

We have a case open with Cisco, if anything interesting pops up I'll let you know.
