Cisco ASA SAML Integration with Azure AD & Intune

Welcome to the SAML Integration Lab! 👋

This interactive lab guide will walk you through implementing SAML-based authentication between a Cisco ASA firewall and Microsoft Azure Active Directory, enhanced with Microsoft Intune device compliance posture checks.

💡 Real-World Context

This configuration emerged from an enterprise requirement to ensure only compliant, managed devices could access corporate VPN resources. By integrating Intune posture checks with ASA SAML authentication, organizations achieve zero-trust network access where device health is validated before granting connectivity.

What You'll Learn 🎓

SAML 2.0 Authentication Flow: Understanding how Security Assertion Markup Language enables federated identity between Cisco ASA and Azure AD
Azure Enterprise Application Configuration: Setting up Azure AD as a SAML Identity Provider (IdP)
Intune Compliance Policies: Creating and enforcing device compliance policies
ASA SAML Configuration: Implementing SAML authentication on Cisco ASA
Conditional Access Policies: Leveraging Azure conditional access for device compliance
Certificate Management: Configuring SSL certificates and metadata exchange
End-to-End Testing: Validating complete authentication flow and troubleshooting

Lab Environment Overview 🌐

Network Infrastructure:

Cisco ASA Firewall (ASA 9.7(1) or later required)
Azure AD tenant with Premium P1/P2 licensing (required for conditional access)
Microsoft Intune subscription
Client devices enrolled in Intune with Company Portal
Public DNS records for ASA VPN endpoint
Valid SSL certificate for ASA

⚠️ Important Prerequisites: Ensure you have administrative access to both Azure AD and the Cisco ASA. Azure AD Premium licensing is mandatory for conditional access features.

Ready to Begin? 🚀

Click on the Architecture tab to visualize the complete solution topology, then proceed through each configuration section.

Solution Architecture 🏗️

┌─────────────────────────────────────────────────────────────────────────┐
│                        SAML Authentication Flow                          │
└─────────────────────────────────────────────────────────────────────────┘

    ┌──────────────┐                                    ┌──────────────┐
    │   Remote     │                                    │  Microsoft   │
    │    User      │                                    │  Azure AD    │
    │  (Intune     │                                    │  (SAML IdP)  │
    │  Enrolled)   │                                    │              │
    └──────┬───────┘                                    └──────┬───────┘
           │                                                   │
           │ ① VPN Connection Request                         │
           │    (AnyConnect Client)                           │
           │                                                   │
           ▼                                                   │
    ┌─────────────────┐                                       │
    │   Cisco ASA     │  ② SAML AuthN Request                │
    │   Firewall      │───────────────────────────────────────▶
    │                 │                                       │
    │  - SAML SP      │  ③ User Authentication + Posture     │
    │  - VPN Gateway  │◀───────────────────────────────────────
    │  - Trustpoint   │                                       │
    └─────────┬───────┘                                       │
              │                                               │
              │ ⑤ Grant/Deny VPN Access                      │
              │                                               │
              ▼                                               │
    ┌─────────────────┐         ④ Azure AD validates:        │
    │   Corporate     │            - User credentials         │
    │   Network       │            - MFA (if required)        │
    │   Resources     │            - Device compliance ◀──────┘
    └─────────────────┘            - Conditional access
                                                │
                                                │
                                                ▼
                                    ┌───────────────────┐
                                    │  Microsoft Intune │
                                    │  Compliance Check │
                                    └───────────────────┘

Key Components Explained 📚

Cisco ASA (Service Provider)

The ASA acts as the SAML Service Provider (SP), delegating authentication to Azure AD:

SAML Server Object: Defines Azure AD IdP endpoint and validation parameters
Trustpoint: Contains Azure AD signing certificate
WebVPN Configuration: Integrates SAML with AnyConnect VPN
Tunnel Group: Associates SAML authentication with VPN profiles

Azure AD Enterprise Application (Identity Provider)

Azure AD serves as the central identity provider:

SAML Configuration: Defines Entity ID, reply URL, and claim mappings
User/Group Assignment: Controls authentication access
Conditional Access: Enforces policies before issuing SAML assertions
Certificate Management: Provides token signing certificate

Microsoft Intune (Compliance Engine)

Intune evaluates device health and compliance status:

Compliance Policies: Define requirements for encryption, OS versions, etc.
Device Enrollment: Manages device registration
Threat Defense: Can integrate with MTD partners
Compliance Reporting: Provides device health visibility

💡 Architecture Design Insight

This architecture implements defense-in-depth where authentication (who you are), authorization (what you can access), and device posture (what you're using) are evaluated before granting network access—critical for zero-trust security models.

📋 Prerequisites & Requirements

Required Components

Cisco ASA: Version 9.7(1) or later (supports SAML 2.0)
AnyConnect Client: Version 4.6 or later
Licenses:
- AnyConnect Apex License (required for SAML)
- Azure AD Premium P1 or P2 (for Conditional Access)
Certificates: Publicly trusted SSL certificate for the ASA VPN interface

⚠️ Time Synchronization: Ensure NTP is configured correctly on the ASA. SAML assertions have strict time validity windows, and clock skew will cause authentication failures.

! Check NTP status show ntp status ! Configure NTP if needed ntp server 192.168.1.100 source inside

☁️ Azure AD Configuration

Create Enterprise Application

Log in to Azure Portal > Azure Active Directory
Navigate to Enterprise applications > New application
Search for "Cisco AnyConnect" or create a "Non-gallery application"
Name it "Cisco ASA VPN" and click Create

Configure Single Sign-On (SAML)

Select Single sign-on > SAML and configure:

Setting	Value
Identifier (Entity ID)	https://vpn.company.com/saml/sp/metadata/AzureAD-Tunnel
Reply URL (ACS URL)	https://vpn.company.com/+CSCOE+/saml/sp/acs?tgname=AzureAD-Tunnel
Sign on URL	https://vpn.company.com/+CSCOE+/saml/sp/sso?tgname=AzureAD-Tunnel

Replace vpn.company.com with your ASA's FQDN and AzureAD-Tunnel with your intended Tunnel Group name.

Download Metadata

In the SAML Signing Certificate section, download the Federation Metadata XML. You will upload this to the ASA later.

🔧 Cisco ASA Configuration

Import Azure AD Certificate

Create a trustpoint for the Azure AD signing certificate.

crypto ca trustpoint AzureAD-IdP-Cert enrollment terminal no ca-check ! crypto ca authenticate AzureAD-IdP-Cert ! Paste the Base64 certificate from Azure here ! (Or import via the Metadata XML in the next step if using ASDM) quit

Configure SAML Identity Provider

webvpn saml idp https://sts.windows.net/your-tenant-id/ url sign-in https://login.microsoftonline.com/your-tenant-id/saml2 url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 trustpoint idp AzureAD-IdP-Cert trustpoint sp ASA-Public-Cert no force re-authentication signature base-url https://vpn.company.com

Configure Tunnel Group

tunnel-group AzureAD-Tunnel type remote-access tunnel-group AzureAD-Tunnel webvpn-attributes authentication saml group-alias AzureAD enable saml identity-provider https://sts.windows.net/your-tenant-id/

🔍 Troubleshooting Guide

Common Issues

Symptom	Probable Cause	Solution
"Authentication Failed" on ASA	Certificate mismatch or NTP skew	Check `show ntp status` and verify trustpoints
Looping at Login	Incorrect Reply URL in Azure	Verify ACS URL matches ASA Tunnel Group exactly
"App not assigned" error	User not assigned in Azure	Add user/group to Enterprise App in Azure Portal

Debug Commands

! Enable SAML debugging debug webvpn saml 255 debug webvpn anyconnect 255 ! View active sessions show vpn-sessiondb anyconnect

✅ Verification Steps

1. Test Connection

Launch Cisco AnyConnect and connect to vpn.company.com. You should be redirected to the Microsoft Azure login prompt.

2. Verify Session on ASA

Run the following command to confirm the session is established using SAML:

show vpn-sessiondb detail anyconnect ! Look for "Auth Mode: SAML"

3. Verify Intune Compliance

If Conditional Access is configured, try connecting from a non-compliant device. Access should be blocked by Azure AD before reaching the ASA.

📝 Knowledge Check

1. Which ASA license is required to enable SAML authentication?

AnyConnect Plus
AnyConnect Apex
VPN Only
Base License

2. In the SAML flow, what role does the Cisco ASA play?

Identity Provider (IdP)
Service Provider (SP)
Authentication Proxy

🔐 Cisco ASA SAML Integration with Azure AD & Intune