Hideez Authentication Service (EN)
  • Hideez Authentication Service for Enterprises
    • Release notes
    • Key features of the Hideez Authentication Service in 5 minutes
  • Quick Start Guides
    • Hideez Authenticator Mobile app guide
    • Hideez Key guide
    • Passkey guide
    • FIDO Security Key guide
      • Activation FIDO key and setting PIN code
    • Quick Start Guide for subscriptions
      • Hideez Security Key
      • Hideez Authenticator App
      • Passkeys
    • Guide for Hideez Enterprise Server on Cloud
      • Passkeys
      • Mobile app
      • Hideez Key
  • Use cases
    • Hideez Authenticator Mobile App
      • Passwordless PC login
      • Password-based PC login
      • SSO login to Webservises (FIDO2) via mobile app
        • Using Hideez Authenticator as your passwordless authentication method for SSO
      • Using Hideez Authenticator as your two-factor authentication method for SSO
      • OTP generation by Hideez Authenticator App for 2FA
      • RDP login by Hideez Authenticator App
      • Remote PC lock
    • Hideez Key
      • Proximity Lock
      • Proximity Unlock
        • Unlock PC by Hideez Dongle Touch (Tap-and-Go)
      • Proximity settings (guide for admin)
      • Automatic RDP Launch and Logon
      • Password manager and OTP generator
      • OTP manager for two-factor authentication
    • FIDO Security Key
      • SSO login to Web Servises via Hardware Key (FIDO2)
      • Passwordless PC Login to Entra ID (Azure AD).
      • Using Hideez Key as U2F security key for your two-factor authentication
      • Other vendors' hardware keys
    • Passkey
      • SSO login to Web Services (FIDO2) via Passkey and Hideez Server as Identity Provider
    • Emergency blocking of all computers
    • Employee's account disabling
  • Hideez Enterprise Server
    • Hideez Enterprise Server
    • Glossary
    • Hideez Server Architecture
    • Deployment
      • Database installation
        • MySQL on Windows
        • MySQL on Linux
        • Microsoft SQL Server on Windows
        • Microsoft SQL Server on Linux
      • HES deployment
        • Windows
        • Linux
        • Docker
        • Deployment without Internet access
        • Troubleshooting
      • HES update
        • Windows
        • Linux
        • Docker
      • Publishing on-premises HES for remote users
    • Administration
      • How to change the password for an administrator account?
      • How to recover a forgotten admin password?
      • Adding an admin account
      • Deleting an admin account
      • How to enable two-factor authentication at the Hideez Enterprise Server?
      • Authorization on the HES server via a FIDO key
      • Platform authentication on the HES server
      • Connecting Linux server to Active Directory
      • Setting Hideez Server parameters
      • Configuring DNS server
      • Setting up a Proxy for Mobile App Access to HES
      • How to create and set Hideez Key Access Profiles
      • How to manage companies and departments?
      • How to manage Positions?
      • Enable load balancing
      • Data Protection
    • Dashboard
      • Information about the server
      • Information about employees
      • Information about devices
      • Workstations Information
    • Employees
      • How to add an Employee?
      • Employees management
      • Employee management with Active Directory
    • Workstations
      • How to add and approve Workstations?
      • Workstations management
      • Workstation Profiles
      • Use Proximity Unlock Workstations
    • Hardware Vaults
      • How to add Hideez Key into the Server
      • Assign a key to the user
      • Remove the key from the Employee
      • Set a profile for a Hardware Vault
      • How to see an RFID code on the Employee key?
    • Accounts
      • Creating personal employee accounts
      • Creating shared employee accounts
      • Personal account management
      • Shared account management
      • Accounts backup and restore
      • How to work with the account template?
    • Keys Management
      • Keys Statuses
      • Transition to Reserved status
      • Keys Activation mechanism
      • Cancel issuance of Hideez Key (Reserved -> Ready)
      • Transition to Suspended status
      • Transition to Locked status
      • Transition to Deactivated status
      • Transition to Compromised status
      • Removing the Locked status
      • Wipe procedure
      • Delete key from Hideez Server
    • Audit
      • Workstation events
      • Workstation Sessions
      • Summaries
    • Single Sign On settings
      • How to get employee licenses
      • Enabling Single Sign-On (SSO) for Employees
      • User settings
    • Configuring SAML Protocol
    • Configuration OIDC (OpenID Connect)
  • Hideez Server Integration
    • Microsoft Entra ID
      • Import and Sync Users from Entra ID
        • Administrator-Initiated Manual Password Changes
        • User-Initiated Password Changes
    • Active Directory (On-Premises)
      • Import and Sync Users from Active Directory (On-Premises)
        • Administrator-Initiated Manual Password Changes
        • User-Initiated Password Changes
        • Active Directory (On-Premises) Access and Rights Delegation
    • SAML integration
      • ASA AnyConnect VPN
      • Citrix services
      • Fortinet services
      • GitHub Enterprise
      • GitLab on premises
      • Google Workspace
      • Microsoft Exchange for Authentication via SAML
        • ADFS Installation
      • Okta
      • Oracle Business Intelligence Enterprise Edition (OBIEE)
        • Step 1: Configure the Identity Provider — Hideez Enterprise Server (HES)
        • Step 2: Configure the Service Provider — Oracle Access Manager (OAM)
        • Step 3: Register Oracle Access Manager (OAM) in Hideez Enterprise Server (HES)
        • Step 4: Configure Directory Services and Web Infrastructure
        • Step 5: Configure Oracle Business Intelligence Enterprise Edition (OBIEE) for Single Sign-On (SSO)
    • Open ID Connect integration
      • Hideez Server as an External Authentication Method for Microsoft Entra ID via OIDC
      • OKTA (OIdC)
    • WS-Federation integration
      • Configure Exchange Outlook Web Application and Exchange Admin Center
  • Hideez Client App
    • Hideez Client deployment
      • Installation of the Hideez Client Application
      • Deploying Hideez Client MSI via GPO (Group Policy Object)
      • Configuration app
      • Uninstall Hideez Client app
      • Uninstalling via GPO
      • Upgrade Hideez Client
      • Downgrade Hideez Client
    • Application interface
      • General Settings
      • Logon settings
      • Aditional settings
      • Configuring hotkeys
    • Account management
      • Account creation
      • Editing an Existing Account
      • Deleting your account
    • Shortcuts
    • Remote Vault connection
    • Mobile Authenticator
  • Hideez Authenticator App
    • Quick overview
    • Admin guide
      • Setup for PC login scenario
        • Passwordless PC Login Setup
          • Configuring an Active Directory Certification Authority
          • Hideez Enterprise Server setup for passwordless login
          • Setting Up Passwordless Workstation Login with Entra ID
        • Password-based PC login Setup
      • Setup for SSO login scenario
    • User guide
      • Mobile App Primary Setup
      • App enrollment on Hideez Server
        • Enroll the application on Hideez Server for SSO
          • SSO enrollment (admin account)
          • SSO enrollment (user account)
        • PC Authorization Enrollment
          • Enrollment for Passwordless PC Authorization
            • Passwordless account re-enrollment
          • Enrollment for Password-based PC Authorization
            • Account roaming
      • Login with Hideez Authenticator
        • SSO login
        • PC login
          • Offline passwordless login
          • Login to the remote PC via RDP
      • PC lock
      • OTP generation
      • Software key disabling
        • PC logon disabling
        • SSO logon disabling
      • Service operations
  • Hideez Key (Enterprise Edition)
    • Hideez Key (Enterprise Edition)
    • Technical Specifications
      • Technical specifications Hideez Key 3
      • Technical specifications Hideez Key 4
    • Principles of operation
    • Device Layout
    • Battery maintenance
    • Hideez Key modes
    • How to update the Hideez Key (Enterprise) firmware
    • How to enter credentials with the Hideez Key
    • How to unlock PC
    • Key for Physical doors
  • Product Updates
    • Product updates
    • Hideez Enterprise Server updates
    • Hideez Key firmware updates
    • Hideez Client updates
    • Hideez Authenticator updates
  • API
    • Hideez Enterprise Server web API
  • FAQ
    • How-to's
      • How to add an Employee?
      • How to add personal user account on HES?
      • How to assign Hideez Key to a user?
      • How to activate Hideez Key?
      • How to unlock Hideez Key on HES?
      • How to unlock PC with Hideez Key?
      • How to setup proximity PC unlock?
      • How to use Hideez Key on remote PC?
      • How to enroll the Hideez Authentication app on HES for SSO?
      • How to login on HES with Hideez Authenticator?
      • How to enroll the Hideez Authentication app for PC login?
      • How to login to PC with Hideez Authenticator?
      • Enable QR Code Display for Hideez Authenticator on the Lock Screen of a Windows Remote Workstation
    • Hideez Client App
      • What do I do if I see the message "Connection failed. Trying to re-bond device"?
      • What do I do if the connection with the HES server cannot be established?
      • What should I do if the Password Manager menu item is not displayed?
    • Hideez Enterprise Server
      • How to view logs at Hideez Enterprise Server?
    • Setting Up Gmail with HES
    • Hideez Authenticator
      • QR code is not displayed at the credential provider on my PC
      • I have registered successfully but cannot login
      • What do I do if I changed domain and cannot login now
      • Does the Hideez App collect or transmit data from the phone to third parties or services?
    • Hideez Key
      • What physical conditions are dangerous for the Hideez Key?
      • Is the Hideez Key allowed on planes?
      • How to enable FIDO2 passwordless authentication with Microsoft Azure AD for use with Windows 10-11
  • Documentation portal
Powered by GitBook
On this page
  • Configure HES as an IdP
  • Step 1. Set Identity Provider settings
  • Step 2. Get HES Metadata File
  • Configure ASA for SAML via CLI
  • Step 1. Create a Trustpoint and import our SAML certificate
  • Step 2. Provision your SAML IdP
  • Step 3. Apply SAML Authentication to a VPN Tunnel Configuration
  • Step 4. Get SAML ASA Metadata FIle
  • Add the Service Provider to HES
  • Final Verification
  • Step 1. Enable SSO for a user in the HES
  • Step 2. Logon to a web service using SAML
  • Common Issues
  • Entity ID Mismatch
  • Time Mismatch
  • Wrong IdP Signing Certificate Used
  • Invalid Assertion Audience
  • Wrong URL for Assertion Consumer Service
  • SAML Configuration Changes Not Taking Effect

Was this helpful?

  1. Hideez Server Integration
  2. SAML integration

ASA AnyConnect VPN

Hideez Enterprise Server – Configure ASA AnyConnect VPN with Hideez Enterprise Server through SAML

Introduction

This document describes how to configure Security Assertion Markup Language (SAML) with a focus on Adaptive Security Appliance (ASA) AnyConnect through Hideez Enterprise Server.

Hideez Enterprise Server (HES) supports SAML 2.0 (Security Assertion Markup Language) standard for user authentication. HES is an IdP (Identity Provider) that enables SSO for all web applications (SP, Service Provider) supporting SAML.

Since HES supports FIDO2 passwordless authorization, service providers automatically get the ability to authorize with hardware security keys without having to create and enter passwords.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Basic knowledge of RA VPN configuration on ASA.

  • Basic knowledge of SAML and Microsoft Active Directory.

  • AnyConnect Licenses enabled (APEX or VPN-Only).

Components Used

The information in this document is based on these software and hardware versions:

  • Hideez Enterprise Server 3.9+

  • Microsoft Active Directory.

  • Cisco ASA 9.7+ and Anyconnect 4.6+

  • Working AnyConnect VPN profile

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command. You can also map users to specific application roles based on rules you define in your setting in Active Directory, Cisco ASA and Anyconnect.

Background Information

SAML is an XML-based framework for exchanging authentication and authorization data between security domains. It creates a circle of trust between the user, a Service Provider (SP), and an Identity Provider (IdP) which allows the user to sign in a single time for multiple services. Hideez Enterprise Server seamlessly integrates with Cisco ASA VPN appliance to provide additional security for the Cisco AnyConnect VPN logins.

SAML Components

Metadata: It is an XML based document that ensures a secure transaction between an IdP and an SP. It allows the IdP and SP to negotiate agreements.

Roles supported by the devices (IdP, SP)

A device may support more than one role and could contain values for both an SP and an IdP. Under the EntityDescriptor field is an IDPSSODescriptor if the information contained is for a Single Sign-On IdP or a SPSSODescriptor if the information contained is for a Single Sign-On SP. This is important since the correct values must be taken from the appropriate sections in order to set up SAML successfully.

Entity ID: This field is a unique identifier for an SP or an IdP. A single device might have several services and can use different Entity IDs to differentiate them. For example, ASA has different Entity IDs for different tunnel-groups that need to be authenticated. An IdP authenticating each tunnel-group has separate Entity ID entries for each tunnel-group in order to accurately identify those services.

ASA can support multiple IdPs and has a separate entity ID for each IdP to differentiate them. If either side receives a message from a device that does not contain an entity ID that has been previously configured, the device likely drops this message, and SAML authentication fails. The Entity ID can be found within the EntityDescriptor field beside entityID.

Service URLs: These define the URL to a SAML service provided by the SP or IdP. For IdPs, this is most commonly the Single Logout Service and Single Sign-On Service. For SPs, this is commonly the Assertion Consumer Service and the Single Logout Service.

The Single Sign-On Service URL found in the IdP metadata is used by the SP to redirect the user to the IdP for authentication. If this value is incorrectly configured, the IdP does not receive or is unable to successfully process the Authentication request sent by the SP.

The Assertion Consumer Service URL found in the SP metadata is used by the IdP to redirect the user back to the SP and provide information about the user's authentication attempt. If this is configured incorrectly, the SP does not receive the assertion (the response) or is unable to successfully process it.

The Single Logout Service URL can be found on both the SP and the IdP. It is used to facilitate logging out of all SSO services from the SP and is optional on the ASA. When the SLO service URL from the IdP metadata is configured on the SP, when the user logs out of the service on the SP, the SP sends the request to the IdP. Once the IdP has successfully logged the user out of the services, it redirects the user back to the SP using the SLO service URL found within the SP’s metadata.

SAML Bindings for Service URLs: Bindings are the method the SP uses to transfer information to the IdP and vice versa for services. This includes HTTP Redirect, HTTP POST, and Artifact. Each method has a different way of transferring data. The binding method supported by the service is included within the definition of that service. For example: SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.example.com/simplesaml/saml2/idp/SSOService.php"/ >. The ASA does not support the Artifact binding. ASA always uses the HTTP Redirect method for SAML authentication requests, so it is important to choose the SSO Service URL that uses the HTTP Redirect binding so that the IdP expects this.

Certificates for Signature and Encryption Operations

To provide confidentiality and integrity for the messages sent between the SP and the IdP, SAML includes the ability to encrypt and sign the data. The certificate used to encrypt and/or sign the data can be included within the metadata so that the receiving end can verify the SAML message and ensure that it comes from the expected source. The certificates used for signing and encryption can be found within the metadata under KeyDescriptor use="signing" and KeyDescriptor use="encryption", respectively, then X509Certificate. The ASA does not support encrypting SAML messages.

Network Diagram

Configure HES as an IdP

Step 1. Set Identity Provider settings

IdPs and service providers must exchange public key certificates, addresses for requests, and other parameters to establish an acceptance between them.

A certificate in the “.pfx” ​​format is necessary for the work of the SAML protocol. It can be generated, for example, through an OpenSSL application or by using an existing certificate. The certificate file must be copied to the HES server (e.g. the folder with binary files and settings).

Login to the HES server, then go to Settings -> Parameters -> SAML. Then press [Configure IdP] button:

Select your .pfx file and enter the password for the .pfx. Also you need to select appropriate algorithm:

SignatureAlgorithm - a signature algorithm. It should match the algorithm with which the pfx certificate was established. The possible options are SHA1, SHA256, SHA384, SHA512.

Step 2. Get HES Metadata File

On the same page (Settings -> Parameters -> SAML), after you have set the .pfx certificate you can:

· View metadata · Download metadata · Download the public key certificate

Metadata is an XML file that contains all the necessary information about the IdP settings and the public key certificate. ASA allows you to import IdP metadata when configuring SAML, which simplifies the configuration. You can also download a separate certificate, if necessary, or view all metadata on the screen.

For the next steps you need to download the metadata file and certificate files.

Configure ASA for SAML via CLI

Step 1. Create a Trustpoint and import our SAML certificate

# config t

# crypto ca trustpoint HES-SAML

revocation-check none

no id-usage

enrollment terminal

no ca-check

# crypto ca authenticate HES-SAML

-----BEGIN CERTIFICATE-----

…

HES IdP Certificate Text you downloaded on the previous step.

…

-----END CERTIFICATE-----

# quit

Step 2. Provision your SAML IdP

# webvpn

# saml idp https://example.hideez.com/

# url sign-in https://example.hideez.com/Saml/Login

# url sign-out https://example.hideez.com/Saml/Logout

# trustpoint idp HES-SAML - [IdP Trustpoint]

# trustpoint sp ASA-EXTERNAL-CERT - [SP Trustpoint]

# no force re-authentication

# no signature

# base-url https://asa.example.com

Step 3. Apply SAML Authentication to a VPN Tunnel Configuration

# tunnel-group TUNNEL-GROUP-NAME webvpn-attributes

saml identity-provider https://example.hideez.com/

authentication saml

# end

# write memory

Step 4. Get SAML ASA Metadata FIle

Run the following command:

# show saml metadata TUNNEL-GROUP-NAME

Then copy metadata text into a xml file and save it.

Note: If you make changes to the IdP config you need to remove the saml identity-provider config from your Tunnel Group and re-apply it for the changes to become effective.

Add the Service Provider to HES

Login to the HES server, then go to Settings -> Parameters -> SAML. Then press the [Add Service Provider] button.

On the following form you can add a metadata file or fill all parameters manually:

  • Issuer - a unique SP name you need to copy from the SP settings or extract from the metadata file.

  • Assertion Consumer Service - the login address on the side of the service provider. Redirection is done to this address following the successful login through the IdP service.

  • Single Logout Service - the address to log out of the account. If you exit IdP, this URL is opened in the loop for all SPs.

  • Public x509 Certificate - the public key certificate of the service provider.

  • NameID Format - the format for the field that identifies the user.

  • NameID Value - the choice of the field where you can take the user identifier.

Since the IdP and the SP can use different identifiers for users, a mechanism for matching these identifiers is needed to establish a one-to-one correspondence between users in both services. The user identifier (login) in HES is his email, although it can be something else in other systems (e.g. a combination of the user's first and last name).

If your ASA and AD configuration accepts email as a user ID, you need to set:

NameID Format - Email NameID Value - Email

If the ASA and AD configuration do not accept email as a user ID, you need to set the format that you use in the 'NameID Format' field, and the value 'External ID' in the 'NameID field'. Then you need to fill in the 'External ID' field for each employee. To do this, click Employees -> 'Select an employee -> Details -> Edit settings (in the Single Sign On section) -> Edit the External ID.

After filling in and saving all the settings, you can check the integration by logging into the service provider. You should be redirected to the HES authentication page where you will need to enter your username (email) and pass the security key verification.

Final Verification

Step 1. Enable SSO for a user in the HES

Employees cannot log into the HES service and use the SSO service by default, they must have an explicit permission of the administrator. Select an employee and click the [Edit] button. Then click the [Enable SSO] button at the opened page to give the permission.

Note: An employee must have an email and an associated key to activate the SSO service.

The SSO service is automatically enabled and cannot be deactivated for all HES administrators.

If External ID is used as the NameID Value, you have to fill in this field as well. Open 'Employees' -> 'Select an employee' -> 'Edit' to edit the External ID field.

Some service providers may not support this functionality.

Step 2. Logon to a web service using SAML

Connect to your VPN URL and choose one of your sign-in options in the Hideez Enterprise Server window, then use your credentials to Sign In:

AnyConnect is Connected:

Common Issues

Entity ID Mismatch

Debug Example:

[SAML] consume_assertion: The identifier of a provider is unknown to #LassoServer. In order to register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().

Problem: Generally means that saml idp [entityID] command under the ASA's webvpn configuration does not match the IdP Entity ID found in the IdP’s metadata.

Solution: Check the entity ID of the IdP’s metadata file and change the saml idp [entity id] command to match this.

Time Mismatch

Debug Example:

[SAML] NotBefore:2017-09-05T23:59:01.896Z NotOnOrAfter:2017-09-06T00:59:01.896Z timeout: 0

[SAML] consume_assertion: assertion is expired or not valid

Problem 1. ASA time is not synced with IdP’s time.

Solution 1. Configure ASA with the same NTP server used by IdP.

Problem 2. The assertion is not valid between the specified time.

Solution 2. Modify the timeout value configured on the ASA.

Wrong IdP Signing Certificate Used

Debug Example:

[Lasso] func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match

[SAML] consume_assertion: The profile cannot verify a signature on the message

Problem: ASA not able to verify the message signed by the IdP or there is no signature for the ASA to verify.

Solution: Check the IdP signing certificate installed on the ASA to make sure it matches what is sent by the IdP. If this is confirmed, make sure that the signature is included in the SAML response.

Invalid Assertion Audience

Debug Example:

[SAML] consume_assertion: assertion audience is invalid

Problem: IdP is defining the incorrect audience.

Solution: Correct the Audience configuration on the IdP. It should match the ASA’s Entity ID.

Wrong URL for Assertion Consumer Service

Example Debug: Unable to receive any debugs after the initial authentication request is sent. The user is able to enter credentials at IdP but IdP does not redirect to ASA.

Problem: IdP is configured for the wrong Assertion Consumer Service URL.

Solution(s): Check base URL in configuration and make sure it is correct. Check ASA metadata with show to make sure that the Assertion Consumer Service URL is correct. In order to test it, browse it, if both are correct on the ASA, check the IdP to make sure that the URL is correct.

SAML Configuration Changes Not Taking Effect

Example: After a single sign-on URL is modified or changed, the SP certificate, SAML still does not work and sends previous configurations.

Problem: ASA needs to regenerate it's metadata when there is a configuration change that affects it. It does not do this automatically.

Solution: After making changes, under the affected tunnel-group remove and re-apply the saml idp [entity-id] command.

Troubleshoot

Most SAML troubleshoots involve a misconfiguration that can be found when the SAML configuration is checked or debugs are run. debug webvpn saml 255 can be used to troubleshoot most issues, however in scenarios where this debug does not provide useful information, additional debugs can be run:

debug webvpn saml 255

debug webvpn 255

debug webvpn session 255

debug webvpn request 255

PreviousSAML integrationNextCitrix services

Was this helpful?