Azure AD SSO with AnyConnect issues

Solved
Phil_SCDS

I am attempting to enable SSO for Cisco AnyConnect through Meraki using Azure AD as the IdP.

I am following this guide:

AnyConnect Azure AD SAML Configuration - Cisco Meraki

Which in step 7 says to set these two values in Azure like this:

If my AnyConnect Server URL is "vtk-qpjgjhmpdh.dynamic-m.com", the Entity ID and Reply URL will be configured as follows:

a. Identifier (Entity ID)  - https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/metadata/SAML 
b. Reply URL (Assertion Consumer Service URL) - https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/acs

When I test the SSO in Azure it gets past the Azure authentication and attempts to load the Reply URL above, but I get a 404 error.

This guide from Microsoft:

Tutorial: Azure Active Directory single sign-on (SSO) integration with Cisco AnyConnect - Microsoft ...

gives slightly different information about what the Identifier and Reply URL should be, but I am still unable to get the test to work correctly.

Any guidance on this would be greatly appreciated.

Many thanks,

Phil

1 Accepted Solution
AaronDo

If you are using a custom port, make sure to add it. For example,

HTTPS://VTK-QPJGJHMPDH.DYNAMIC-M.COM:4433/SAML/SP/METADATA/SAML 


3 Replies
PhilipDAth

Is the DDNS entry resolving in DNS (VTK-QPJGJHMPDH.DYNAMIC-M.COM in your example)?

Are you testing this from outside of the MX?

Phil_SCDS

Both PhilipDAth and AaronDo were correct, I needed to test it from outside my MX and I had forgotten to add the custom port. Thank you both for your help.
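The two checks raised in this thread (does the DDNS name resolve, and do the Azure Identifier and Reply URL carry the custom port the MX actually listens on) can be scripted so the mismatch is caught before a browser test returns a 404. The block below is an added example, not code from the thread, Meraki or Microsoft. It derives the Entity ID and ACS URL from the server URL the way the Meraki guide does, parses an SP metadata document and reports where the Azure-side values diverge. The metadata document is constructed for illustration with a made-up minimal structure (a real MX returns a fuller EntityDescriptor); the hostname and port 4433 are the ones used in the thread; the function names are the example's own.

```python
"""Compare the Azure AD SAML app's Identifier (Entity ID) and Reply URL (ACS)
against what the Meraki MX AnyConnect SP advertises, including the port.
Added example; the SP metadata below is constructed, not captured from an MX."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample (assumption: a minimal SP EntityDescriptor) of what an MX
# serving AnyConnect on custom port 4433 would publish at
# https://<host>:4433/saml/sp/metadata/SAML.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://vtk-qpjgjhmpdh.dynamic-m.com:4433/saml/sp/metadata/SAML">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vtk-qpjgjhmpdh.dynamic-m.com:4433/saml/sp/acs"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def expected_sp_urls(server_url: str) -> dict[str, str]:
    """Entity ID and ACS URL per the Meraki guide's step 7, derived from the
    AnyConnect server URL. Pass "host:port" when AnyConnect is not on 443."""
    base = f"https://{server_url}"
    return {"entity_id": f"{base}/saml/sp/metadata/SAML",
            "acs_url": f"{base}/saml/sp/acs"}


def parse_sp_metadata(xml_text: str) -> dict[str, str]:
    """Pull entityID and the AssertionConsumerService Location out of SP metadata."""
    root = ET.fromstring(xml_text)
    acs = root.find(f".//{{{MD_NS}}}AssertionConsumerService")
    if acs is None:
        raise ValueError("no AssertionConsumerService in SP metadata")
    return {"entity_id": root.attrib["entityID"], "acs_url": acs.attrib["Location"]}


def _parts(url: str) -> tuple:
    """Scheme and host are case-insensitive; the path is compared as written.
    A missing port means 443 for https, which is exactly what goes wrong when
    the MX listens on 4433 and Azure posts the assertion to 443 instead."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else None)
    return (scheme, (u.hostname or "").lower(), port, u.path)


def find_mismatches(azure: dict[str, str], sp: dict[str, str]) -> list[str]:
    """Return one message per Azure value that does not match the SP metadata."""
    problems = []
    for key in ("entity_id", "acs_url"):
        a, s = _parts(azure[key]), _parts(sp[key])
        if a == s:
            continue
        if a[:2] == s[:2] and a[3] == s[3] and a[2] != s[2]:
            problems.append(f"{key}: Azure uses port {a[2]}, SP advertises port {s[2]} "
                            f"(add :{s[2]} to the URL in Azure)")
        else:
            problems.append(f"{key}: Azure has {azure[key]!r}, SP advertises {sp[key]!r}")
    return problems


def ddns_resolves(hostname: str) -> bool:
    """PhilipDAth's first question: does the dynamic-m.com name resolve at all?
    Network call; run it from outside the MX, as the thread advises."""
    try:
        socket.getaddrinfo(hostname, 443)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    # Values as first configured in the thread: correct host and paths, no port.
    without_port = expected_sp_urls("vtk-qpjgjhmpdh.dynamic-m.com")
    for problem in find_mismatches(without_port, sp):
        print("MISMATCH:", problem)
    # Values as corrected by the accepted solution.
    with_port = expected_sp_urls("vtk-qpjgjhmpdh.dynamic-m.com:4433")
    print("after adding the port:", find_mismatches(with_port, sp) or "OK")
```

Against a live MX, replace `SAMPLE_SP_METADATA` with the document fetched from the Entity ID URL itself (it is the SP metadata endpoint), and run the script from a host outside the MX so both the DNS lookup and the fetch go through the same path a remote AnyConnect user's browser would take.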
