Has anyone been able to get SAML authentication to work with AnyConnect? I have followed the setup from https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication, but whenever I try to connect via the Mobility Client, I get an HTTP 500 error in the AnyConnect Login window.
I know this is a new feature so I just wanted to see if anyone has been able to get it working. Maybe there is a configuration piece missing from the documentation.
I am using Azure AD also. I have it set up like the documentation states in Enterprise Applications. Then I set it up in the AnyConnect settings on the Dashboard. Followed the documentation to a T, but still can't get the login page to load. Did you have to do anything beyond the documentation to get it to work?
Hmm, I think the documentation is correct. I've done quite a bit of work with SAML, so I didn't really need to follow the instructions too closely. I used them as a rough guide.
This is what the main bit of my Azure config looks like:
I had a similar issue, when I wasn't using the default port 443.
Once I set it up with the default port it all worked. I went back in, changed it to the port I wanted, and modified the port number in three places to make it work.
Are you using the default port of 443 for AnyConnect on the MX (and I assume you aren't trying to NAT that same port through to anything internally)?
I am also trying to set up SAML for my AnyConnect VPN client. My problem is that when I go to the AnyConnect page, I don't even have the SAML option under Authentication and Access. I only have RADIUS, Meraki Cloud Authentication and Active Directory. I would like to use SAML with Azure AD. Have you seen this issue before? Any help would be greatly appreciated.
I don't recall clearly now, but I'm going to say yes, since you don't see the option.
Ask them to turn on AnyConnect SAML.
Just want to give you an update. I reached out to Meraki and they turned on the feature for us same day. Hopefully this will help others in the future. Thanks for your help.
Just wondering if you can help with the next problem I am facing. When I use AnyConnect to connect to my VPN, I can tell SSO (or SAML) is working but I am hit with the message: "AADSTS700016: Application with identifier 'https://xxx.xxxxxx.com/saml/sp/metadata/SAML' was not found in the directory 'XXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."
Just want to provide an update. I got it to work. I made sure I had Global Admin rights first this time. Then I deleted the app and followed the process to recreate the app in AAD. On the Meraki Dashboard side, I just had to upload the XML file again, and it's working beautifully now.
This is the article I followed - https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configur...
Again, Meraki MX firmware on 16.15. Had to call Meraki to have them turn on the Cisco AnyConnect SAML feature and then follow the article above to set up the app and configure SAML. Must have Global Admin rights.
The Entity ID you have specified in Azure will be wrong.
It should be something like:
Yup this is exactly what was happening to me.
After talking to Meraki support they said they fixed this in version 16.15.
And after I upgraded to 16.15 it started working for me.
8443, and I believe I changed that in the URL link in Azure. This is mostly working for me now, and I have even implemented it in Prod and no one is complaining.
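Two failure modes in this thread come down to the same thing: the values registered on the Azure AD side not matching what the MX presents as its SAML service provider. The AADSTS700016 "application with identifier ... was not found" error appears when the Identifier (Entity ID) in Azure differs from the entityID the MX sends, and the port change above only worked once the non-default port was reflected everywhere. The script below is an added example, not Meraki or Microsoft code. It parses SP metadata of the kind the dashboard lets you download and compares it against the Identifier and Reply URL you typed into the enterprise application, flagging any place where the hostname, path or port disagrees. The hostname vpn.example.com, port 8443, the ACS path /saml/sp/acs and the sample metadata are constructed placeholders; my assumption about "three places" is that the entityID, the ACS URL and the IdP Reply URL all have to carry the same port.

```python
"""Sanity-check SAML SP registration against the MX's SP metadata.

Added example for the thread above (not Meraki's or Azure's own code).
Hostnames, port and the sample metadata are constructed placeholders.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata in the shape an MX running AnyConnect on a
# non-default port (8443) would export. Entity ID form follows the one
# quoted in the thread; the ACS path is a placeholder.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com:8443/saml/sp/metadata/SAML">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com:8443/saml/sp/acs"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the entityID and the HTTP-POST AssertionConsumerService URL."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs_url = None
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        if acs.get("Binding", "").endswith("HTTP-POST"):
            acs_url = acs.get("Location")
            break
    if not entity_id or not acs_url:
        raise ValueError("metadata lacks entityID or an HTTP-POST AssertionConsumerService")
    return {"entity_id": entity_id, "acs_url": acs_url}


def port_of(url: str) -> int:
    """Effective TCP port of a URL (scheme default when none is written)."""
    parts = urlparse(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


def check_idp_registration(sp: dict, idp_identifier: str, idp_reply_url: str,
                           vpn_port: int) -> list:
    """Compare what the IdP has registered with what the SP metadata says.

    Returns a list of human-readable findings; an empty list means the
    Identifier, Reply URL and port all agree with the MX.
    """
    findings = []
    # Azure matches the AuthnRequest Issuer against the Identifier byte-for-byte,
    # so even a missing ":8443" produces the "application not found" failure.
    if idp_identifier != sp["entity_id"]:
        findings.append(f"Identifier (Entity ID) mismatch: IdP has {idp_identifier!r}, "
                        f"SP metadata has {sp['entity_id']!r}")
    if idp_reply_url != sp["acs_url"]:
        findings.append(f"Reply URL mismatch: IdP has {idp_reply_url!r}, "
                        f"SP metadata has {sp['acs_url']!r}")
    # Assumed "three places" where the listening port must agree.
    for label, url in (("SP entityID", sp["entity_id"]),
                       ("SP ACS URL", sp["acs_url"]),
                       ("IdP Reply URL", idp_reply_url)):
        if port_of(url) != vpn_port:
            findings.append(f"{label} uses port {port_of(url)} but AnyConnect "
                            f"listens on {vpn_port}")
    return findings


if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    # Values typed into Azure without the port: reproduces the thread's symptom.
    for line in check_idp_registration(sp,
                                       "https://vpn.example.com/saml/sp/metadata/SAML",
                                       "https://vpn.example.com/saml/sp/acs",
                                       8443):
        print("MISMATCH:", line)
```

Run it with the Identifier and Reply URL copied from the Azure enterprise application and the metadata downloaded from the dashboard; any line printed is a value to correct in Azure before retrying the Mobility Client.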