AnyConnect VPN using SAML and Azure as an IDP

SOLVED
Phil_SCDS


Hi All,

 

I have multiple sites configured using various models of MX routers. At one site (let's call it the base site) we have AnyConnect set up and working with the MX and using Azure as the IDP. It works a charm. However, I do not like relying on the internet connection of a single site for our increasingly heavy remote working requirements. I want to set up another one of our sites (let's call it the second site) to also use AnyConnect and then enable load balancing and backup servers.

 

Meraki only allows you to register AnyConnect once as an enterprise app in Azure but Azure can configure up to 256 identifiers and reply URLs per registration. The behaviour I find when trying to connect to the second site is the following:

My browser sets up a TCP session with the second site MX, and the second site MX then replies with the info to contact the IDP (Azure). The browser then sets up a TCP session with Azure and I am prompted to enter my credentials. As soon as I enter my credentials I notice my browser is now communicating with the base site MX, and the connection ultimately fails.

After some research I have found that Azure will always reply to a SAML request with the default reply URL unless the specific reply URL is defined in the original SAML authentication request sent to Azure.

After speaking with Meraki support they have told me that I am butting up against a limit of the MX, but I am still not certain given that there are 2 different MXs here. My only thought is that the SAML request sent to Azure after the initial communication with the MX simply does not include the reply URL and so Azure just replies with the default. This seems like a massive shortcoming as it means that each Meraki tenant can only have a single AnyConnect setup enabled regardless of the size of the tenant.

 

Any help would be greatly appreciated.

 

Phil

1 ACCEPTED SOLUTION
Phil_SCDS

I played around a bit more and figured it out (always the way just after you decide to post on a forum). Basically you have to register each AnyConnect instance as a separate enterprise app in Azure. Under Organisation -> Settings -> Authentication on the dashboard you can configure multiple SAML providers. I did this and made sure the correct metadata for each was uploaded to the AnyConnect config on the correct MX and it now works.

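The behaviour reported in the question (the IdP sending its response to the default reply URL whenever the AuthnRequest carries no AssertionConsumerServiceURL) and the fix in the accepted solution (a separate registration per MX, each with its own metadata) can be modelled in a few lines. This is an added example, not code from the post, from Meraki or from Microsoft: the entity IDs, ACS URLs and the IdpRegistration class are constructed for illustration, and resolve_reply_url is a simplified model of the IdP behaviour the post describes, not Azure's actual implementation.

```python
"""Model of how a SAML IdP chooses the reply (ACS) URL for its response."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed endpoints for the two MXs in the post; not real Meraki or Azure values.
BASE_ENTITY = "https://vpn-base.example.com/saml/sp/metadata"
BASE_ACS = "https://vpn-base.example.com/saml/sp/acs"
SECOND_ENTITY = "https://vpn-second.example.com/saml/sp/metadata"
SECOND_ACS = "https://vpn-second.example.com/saml/sp/acs"


@dataclass(frozen=True)
class IdpRegistration:
    """One enterprise-app registration at the IdP (hypothetical, simplified model)."""
    entity_id: str          # the SP identifier the IdP matches against <saml:Issuer>
    reply_urls: tuple       # every ACS URL the registration allows
    default_reply_url: str  # used when the request names no ACS URL


def build_authn_request(issuer, acs_url=None):
    """Return a minimal SAML 2.0 AuthnRequest; the ACS attribute is optional."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id",      # constructed, not a captured value
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
    })
    if acs_url is not None:
        root.set("AssertionConsumerServiceURL", acs_url)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root)


def resolve_reply_url(registrations, request_xml):
    """Decide where the SAML response goes, following the rule the post describes:
    an explicit, registered ACS URL wins; no ACS URL means the registration default."""
    root = ET.fromstring(request_xml)
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    reg = next((r for r in registrations if r.entity_id == issuer), None)
    if reg is None:
        raise ValueError(f"no registration for issuer {issuer!r}")
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return reg.default_reply_url
    if requested not in reg.reply_urls:
        # A sane IdP refuses to post an assertion to an unregistered endpoint.
        raise ValueError(f"ACS URL {requested!r} not registered for {issuer!r}")
    return requested


def single_app_scenario():
    """The symptom: one registration, two reply URLs, requests omit the ACS URL.
    The second-site MX shares the app, so its user lands on the base site."""
    shared = IdpRegistration(BASE_ENTITY, (BASE_ACS, SECOND_ACS), BASE_ACS)
    request_from_second_site = build_authn_request(BASE_ENTITY)
    return resolve_reply_url([shared], request_from_second_site)


def per_site_app_scenario():
    """The fix: one registration per MX, each with its own entity ID and default."""
    registrations = [
        IdpRegistration(BASE_ENTITY, (BASE_ACS,), BASE_ACS),
        IdpRegistration(SECOND_ENTITY, (SECOND_ACS,), SECOND_ACS),
    ]
    return (
        resolve_reply_url(registrations, build_authn_request(BASE_ENTITY)),
        resolve_reply_url(registrations, build_authn_request(SECOND_ENTITY)),
    )


if __name__ == "__main__":
    print("shared app, no ACS in request ->", single_app_scenario())
    print("one app per site ->", per_site_app_scenario())
```

single_app_scenario returns the base-site ACS even though the request came from the second site, which is the redirect the question describes; per_site_app_scenario returns each site's own ACS. Passing an explicit AssertionConsumerServiceURL to build_authn_request shows the other way out, but only if the SP actually emits that attribute, which the post says the MX does not.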

2 REPLIES

This is exactly right.
