You may need to add user permissions to the app in Azure AD and conditional access policy for multi-factor, etc.Īll beyond the scope of this walk-through, but highly moore Thanks for the feedback. You should now have the basic communication between the ASA and Azure AD wired up. In the metadata XML look for AssertionCustomerService, the Location field in this tag is the Reply URL for the Azure App In SSO Section 1.Įdit the Basic Configuration Section by clicking on the pencil in the top right.Ĭlick Save in the SAML Basic Configuration. (Also your Entity ID - Azure App Section 1) My.asa.com = the address at which my ASA is reachableĪC-SAML is the tunnel group name configured for SAML auth. You can use a URL similar to below to view the SP metadata. We're now ready to grab the meta-data for our tunnel config and finish the Azure application configuration. *Note: There's a feature with the SAML IdP configuration - If you make changes to the IdP config you need to remove the saml identity-provider config from your Tunnel Group and re-apply it for the changes to become effective. (Configuration of a VPN Tunnel Group or Group Policy is beyond the scope of this document) Now you can apply SAML Authentication to a VPN Tunnel Configuration.
Trustpoint sp (Trustpoint for SAML Requests - you can use your existing external cert here) Url sign-in (Login URL: SSO Section 4 of Azure App) Saml idp (This is your Azure AD Identifier from SSO Section 4 of Azure App) The following commands will provision your SAML IdP PEM Certificate Text from download goes here Please note there are SAML 2.0 minimum requirements (I believe they are ASA 9.7+ and AC 4.5+ otherwise SAML 2.0 isn't supported or you need to use external browser config… this is outside the scope of this walk-through)įirst we'll create a Trustpoint and import our SAML cert. We will need to come back here after configuring the VPN Tunnel-Group and grabbing the metadata.Īlright, we're going to do this on the CLI first, I might come back through and do an ASDM walk-through at another time.Ĭonnect to your VPN Appliance, we're going to be using an ASA running 9.8 code train, and our VPN clients will be 4.6+
Logout URL - This will be the url sign-outĪt this point you have the Data Required to begin configuring the VPN Appliance. Make note of the following from Section 4:Īzure AD Identifier - This will be the saml idp in our VPN configuration. Give it a Name (I'll use An圜onnect-SAML) and click Add at the bottom.ĭownload the Certificate Base64 from section 3 (We'll install this later) Azure SetupĬlick Enterprise Applications -> New Application -> Non-Gallery Application Preface: I had a hard time locating documentation for configuring An圜onnect with Azure AD as a SAML IdP - So I took some notes and thought I'd share.
0 kommentar(er)
