Saml for Cisco Asa in Load Balancing Group

kirillsanin48
Level 1

Hi! I have two Cisco ASAs, version 9.18.2, combined into a load-balancing group. For example:
FQDN of the first node: vpn-gw1.example.com
FQDN of the second node: vpn-gw2.example.com
General address: vpn.example.com
When setting up multi-factor authentication with SAML, if I enter "vpn.example.com" in the Base URL line, I get the error "Failed to generate SAML AuthnRequest".
Please tell me how to configure the Cisco ASA correctly for Load Balancing SAML, which appeared in ASA version 9.17.1.
Or would it be the right solution to have two applications on the IdP server side, one for each ASA node?


balaji.bandi
Hall of Fame

Check the enhancement bug; I am sure it might have been fixed in your version.

https://bst.cisco.com/bugsearch/bug/CSCvv94464

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi, thanks for the link. I recently updated my Cisco ASA specifically to version 9.18.2, since SAML Load Balancing support appears in versions older than 9.17.1, based on the Release Notes. But the update did not give a result. Therefore, I decided to write here; maybe someone has already solved this problem.

Sure, wait for other mates to reply; if this is a pressing issue, contact TAC for the correct answer.

BB


Milos_Jovanovic
VIP Alumni

Hi @kirillsanin48,

You'll have to configure 2 applications on the IdP server side, as the ACS (Assertion Consumer Service, the URL to which the IdP should reply back) has to be unique and has to be the FQDN of your devices (in your case vpn-gw1.example.com and vpn-gw2.example.com).

Also, please correct the base URL to reflect the same: it has to be unique per device.

Finally, there was a bug by which no modification of the SAML config was possible once you typed 'exit', so if you need to modify it, you'd need to remove it completely and redo it again, this time with everything you need.

I've been using SSO with VPN load-balancing since 9.12, and never had any issues with SSO so far.

Kind regards,

Milos

Hi, thanks for the reply.

I probably misunderstood the meaning of Load Balancing SAML. I thought that the functionality of using a single Load Balancing Group address in the Base URL would appear.

Most likely, it simply meant distributing SAML authentication requests across different nodes.

@Milos_Jovanovic I'm posting as a reply to this thread as my issue is quite similar.

I am trying to add a "backup server" to an existing working remote access VPN on FTD 7.0.5 that's using SAML authentication to Azure AD. The backup is for the clients to use the secondary ISP FQDN when the primary is not available. So it is a single tunnel-group with VPN active on two interfaces (Outside-ISP1 and Outside-ISP2).

Given that it is a single tunnel-group, I can only define a single SSO server from the ASA side. Yet from the Azure IdP side the SP targets would be two unique FQDNs, e.g., vpn.company.com and vpn2.company.com in the VPN profile as shown below. That implies two enterprise application instances, which would mean two SSO servers.


<ServerList>
    <HostEntry>
        <HostName>Company VPN</HostName>
        <HostAddress>vpn.company.com</HostAddress>
        <BackupServerList>
            <HostAddress>vpn2.company.com</HostAddress>
        </BackupServerList>
    </HostEntry>
</ServerList>


How would we make this work?

Hey @Marvin Rhoads,

From my standpoint, your case is quite different from the one described.

With VPN LB, we have multiple FQDNs, but terminating on different devices. In your case, we have multiple FQDNs, but all are on the same device, which is not convenient.

When you configure the SAML IdP, you provide its name (usually the Azure tenant ID), and within it you provide the base URL (which is your FQDN). To my best knowledge (and I haven't checked or tested this), you can have exactly one base URL, as this is where the assertion token will be forwarded from Azure (so the ASA is expecting it on this URL). Something like:

saml idp https://sts.windows.net/XXXXX/
url sign-in https://login.microsoftonline.com/XXXXX/saml2
url sign-out https://login.microsoftonline.com/XXXXX/saml2
base-url https://myfqdn1.mydomain.com
trustpoint idp XXXX ---- CertFromAzure
trustpoint sp XXXX ---- Whatever is used under "show run ssl"
no signature
no force re-authentication
timeout assertion 600
!

If you have multiple URLs, you would need to configure them as multiple base URLs on the ASA. As I said, I believe it is not possible to do this under the same SAML IdP config. In theory, you could create another SAML IdP (which would also mean you need two tunnel-groups, to invoke different IdPs), with a different name (a dummy name, as it is just a name, right?), and the same parameters for everything else (apart from the second FQDN, obviously). However, the last time I tried this (as I wanted to use different certificates because of multiple Azure apps, which by default use different certs), it turned out that the name of the IdP is not a dummy name: it has to match the exact tenant ID (otherwise, the ASA was dropping the token). I believe I read somewhere that they've fixed this behavior (in some release notes), but I never tested this again. From the Azure side, there would have to be two apps for sure, as each of them needs to have a different destination URL (for either FQDN).

Having said that, I would not go down this road, as it is too complex from my standpoint. I would rather rely on a DNS change (keep the FQDN on the primary ISP, with a short TTL, and change to the second ISP in case of need). I know it is a manual job, and hardly redundancy, but I don't really have a good solution for the mentioned use case.

Regards,

Milos
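The mismatch Milos describes above (one base-url per SAML IdP block, but clients that may connect to more than one FQDN) and the profile Marvin posted can be checked mechanically before touching the IdP. The script below is an added example, not code from this thread or from Cisco: it parses an AnyConnect profile, lists every hostname a client may try (primary and backup), and reports which of those names no device's `saml idp` base-url answers for. The profile and the device-to-base-url maps are constructed sample data; the SP entity-ID and ACS path formats are assumptions and should be confirmed against the SP metadata the ASA exports for the tunnel-group.

```python
"""Check which client-facing VPN FQDNs are covered by an ASA's SAML base-url."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample profile, same shape as the one posted in the thread:
# one primary address and one backup address on a single device.
PROFILE_XML = """<AnyConnectProfile>
  <ServerList>
    <HostEntry>
      <HostName>Company VPN</HostName>
      <HostAddress>vpn.company.com</HostAddress>
      <BackupServerList>
        <HostAddress>vpn2.company.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed: clients pointed at a load-balancing group VIP name.
LB_PROFILE_XML = """<AnyConnectProfile>
  <ServerList>
    <HostEntry>
      <HostName>Example VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed: device name -> base-url configured under its 'saml idp' block.
SINGLE_DEVICE = {"FTD-1": "https://vpn.company.com"}
LB_PAIR = {
    "vpn-gw1": "https://vpn-gw1.example.com",
    "vpn-gw2": "https://vpn-gw2.example.com",
}


def client_fqdns(profile_xml: str) -> list[str]:
    """Every hostname a client may connect to, primary and backup, in order."""
    root = ET.fromstring(profile_xml)
    seen: list[str] = []
    for addr in root.iter("HostAddress"):  # iter() is recursive, so backups are included
        name = (addr.text or "").strip().lower()
        if name and name not in seen:
            seen.append(name)
    return seen


def sp_endpoints(base_url: str, tunnel_group: str) -> dict[str, str]:
    """SP identifiers the IdP application must carry, derived from base-url.

    The path layout is an assumption for illustration; confirm it against the
    SP metadata the ASA itself exports for the tunnel-group.
    """
    host = (urlparse(base_url).hostname or "").lower()
    return {
        "entity_id": f"https://{host}/saml/sp/metadata/{tunnel_group}",
        "acs": f"https://{host}/+CSCOE+/saml/sp/acs?tgname={tunnel_group}",
    }


def coverage(profile_xml: str, devices: dict[str, str]) -> dict[str, list[str]]:
    """Map each client-facing FQDN to the devices whose base-url names it."""
    by_host: dict[str, list[str]] = {}
    for dev, url in devices.items():
        host = (urlparse(url).hostname or "").lower()
        by_host.setdefault(host, []).append(dev)
    return {fqdn: by_host.get(fqdn, []) for fqdn in client_fqdns(profile_xml)}


def uncovered(profile_xml: str, devices: dict[str, str]) -> list[str]:
    """FQDNs a client may use that no device's base-url answers for.

    Each of these needs either its own base-url (and so its own IdP app) or
    the newer single-app approach discussed later in the thread.
    """
    return [fqdn for fqdn, devs in coverage(profile_xml, devices).items() if not devs]


def idp_apps_needed(devices: dict[str, str], tunnel_group: str) -> dict[str, list[str]]:
    """Group devices by ACS URL: one IdP application per distinct ACS."""
    apps: dict[str, list[str]] = {}
    for dev, url in devices.items():
        apps.setdefault(sp_endpoints(url, tunnel_group)["acs"], []).append(dev)
    return apps


if __name__ == "__main__":
    for label, profile, devices in (
        ("single device, backup FQDN", PROFILE_XML, SINGLE_DEVICE),
        ("LB pair, VIP name in profile", LB_PROFILE_XML, LB_PAIR),
    ):
        print(f"{label}: uncovered = {uncovered(profile, devices)}")
        for acs, devs in idp_apps_needed(devices, "RA-VPN").items():
            print(f"  IdP app for {acs} -> {devs}")
```

In Marvin's case the report shows vpn2.company.com uncovered while the device's only base-url is vpn.company.com; in the original poster's case the group name vpn.example.com is uncovered because each node's base-url is its own FQDN, which is why the IdP needs one application per node.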

vibobrov
Cisco Employee

Hi folks,

I created a blog post describing 3 different methods to get SAML to work with DNS load balancing: https://securityccie.net/2023/08/07/asa-dns-load-balancing-with-saml/

Thanks

@vibobrov
Hi,
I will implement AnyConnect SAML authentication with a Load Balancing FQDN. I saw your blog; it's helpful.
But I have a small question. My understanding is: if I am running ASA below 9.18, I need to configure an Azure AD application for each ASA, and if I am running ASA version 9.18, can I use the command "local-base-url" and configure only one application for the ASA in Azure AD? Am I correct?

@jewfcb001, it turned out that the local-base-url feature was added in 9.18.3, not the first release of 9.18.

Prior to that version, you have to define each ASA appliance as an application in Azure AD.

@vibobrov
Thank you for the response. And can we do the global URL in GSLB?

@jewfcb001, all solutions listed in my blog allow you to use a global URL. You would just need to pick which one makes the most sense in your environment. Realistically speaking, if you don't already utilize VPN Load balancing, the second solution would probably be the easiest to implement: https://securityccie.net/2023/08/07/asa-dns-load-balancing-with-saml/#Base-URL_Manipulation. I implemented it at a customer a couple of months ago and it is working well.

@vibobrov
Thank you for the answer. In your blog: "With VPN Load balancing, a set of ASA firewalls are configured to share a common VIP address. All firewalls must share the same outside or public subnet."
Is this a function of load balancing?

If I need to configure VPN load balancing and share the VIP address from your example, do I need to configure the outside interface IP on the firewall in the same subnet as the other ASA?
Is my understanding below correct? Please help me.

Example
ASA-1 outside interface IP: 192.168.1.1 255.255.255.0
ASA-2 outside interface IP: 192.168.1.2 255.255.255.0

Yes, all ASAs that are a part of VPN load balancing need to be on the same outside subnet. This is one of a few posts about VPN load balancing: https://integratingit.wordpress.com/2020/03/14/asa-vpn-load-balancing/