Has anyone been able to get SAML authentication to work with AnyConnect. I have followed the setup from https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Authentication but whenever I try to connect via the Mobility Client, I get a HTTP 500 error in the AnyConnect Login window.
I know this is a new feature so I just wanted to see if anyone has been able to get it working. Maybe there is a configuration piece missing from the documentation.
I've deployed it at maybe half a dozen clients, mostly against Azure AD and a little bit against Cisco Duo Central.
I am using Azure AD also. I have it setup like the documentation states in Enterprise Applications. Then I set it up in the AnyConnect settings on the Dashboard. Followed the documentation to a T, but still can't get the login page to load. Did you have to do anything beyond the documentation to get it to work?
Hmm, I think the documentation is correct. I've done quite a bit of work with SAML, so I didn't really need to follow the instructions too closely. I used them as a rough guide.
This is what the main bit of my Azure config looks like:
I had a similar issue, when I wasn't using the default port 443.
Once I set it up with the default port it all worked. I went back in changed it to the port I wanted and modified the port number in three places to make it work.
Are you using the default port of 443 for AnyConnect on the MX (and I assume you aren't trying to NAT that same port through to anything internally)?
This is my Meraki side:
I am also trying to setup SAML to my AnyConnect vpn client. My problem is that when I go to the AnyConnect page, I don't even have the SAML option under Authentication and Access. I only have RADIUS, Meraki Cloud Authentication and Active Directory. I would like to use SAML with Azure AD. Have you seen this issue before? Any help would be greatly appreciated.
What version is your firmware?
If you are already running 16.x or better, open a support case and ask them to turn it on for you.
Oh so this is something Meraki has to turn on from their end? All my MXs are on 16.15. This gives me hope.
I don't recall clearly now - but I'm going to say yes since you don't see the option.
Ask them to turn on AnyConnect SAML.
Thanks. I'll call Meraki today.
Just want to give you an update. I reached out to Meraki and they turned on the feature for us same day. Hopefully this will help others in the future. Thanks for your help.
Just wondering if you can help with the next problem I am facing. When I use AnyConnect to connect to my VPN, I can tell SSO (or SAML) is working but I am hit with the message: "AADSTS700016: Application with identifier 'https://xxx.xxxxxx.com/saml/sp/metadata/SAML' was not found in the directory 'XXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."
Just want to provide an update. I got it to work. I make sure I have Global Admin right first this time. Then I deleted the app and follow the process to recreate the app in AAD. Meraki Dashboard side, I just have to upload the xml file again and it's working beautifully now.
This is the article I followed - https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configur...
Again, Meraki MX firmware on 16.15. Had to call Meraki to have them turn on the Cisco AnyConnect SAML feature and then follow the article above to setup the app and configure SAML. Must have Global Admin right.
The Entity ID you have specified in Azure will be wrong.
It should be something like:
Yes, I changed it and it's working fine now. Thanks for your help.
Make sure you are on MX Version 16.15
i was on 16.13 and had this same issue and after upgrading to 16.15 it fixed it and SAML started working
I'm on 16.14 at the moment. So now you have two working releases. I'm going to upgrade to 16.15 now.
Yup this is exactly what was happening to me.
After talking to Meraki support they said they fixed this in version 16.15.
And after i upgraded to 16.15 it started working for me
I also didnt populate the "Sign on URL:" on basic SAML Configuration. i left that blank
Yeah, I am on 16.13. I will try the newer firmware and see if that is the issue. Thank you all for the help.
Upgraded to 16.15 and now everything is working great. Thanks again for all the help.
I am on 17.2.1 and it acts like I never uploaded the anyconnect.xml
Perhaps you should upgrade to a current 17.5?
Normally I would but it stated it was Beta so was not sure. Thanks will try this for sure
What port # do you have assigned in Meraki Anyconnect settings?
8443 and I believe I changed that in the URL link in Azure, this is mostly working for me now and I have even implemented in Prod and no one is complaining.