Cisco ASA Firewall Reports SSO Error "Authentication failed due to problem retrieving the single sign-on cookie"
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

The Cisco Adaptive Security Appliance (ASA) firewall reports a Single Sign-On (SSO) error while authenticating via the Cisco AnyConnect client:

Authentication failed due to problem retrieving the single sign-on cookie.

(Error dialog shown by the Cisco AnyConnect client.)

Applies To
  • Security Assertion Markup Language (SAML)
  • Cisco AnyConnect VPN
  • Single Sign On (SSO)
Cause

Any of the following can cause the problem:

  • Cisco ASA is running a software release affected by bug CSCvi23605.
  • The SAML Identity Provider is misconfigured for the AnyConnect connection profile.
  • Cisco ASA is not properly synchronized to an external NTP server, so the ASA's clock is outside the validity window of the SAML assertion.
Solution
  1. Confirm that the Cisco-provided metadata (Assertion Consumer Service URL and SP Entity ID) is configured correctly on the Okta side. To check the Cisco-provided metadata, follow Step 11 of the Cisco ASA (SAML) VPN instructions in How to Configure SAML 2.0 for Cisco ASA VPN.
  2. Upgrade Cisco ASA to the latest release.
  3. Enable the NTP service and specify a reliable network time server for synchronization.
  4. Restart the ASA.
  5. Set the SAML Identity Provider for the connection profile to None, then revert it to the configured SAML IdP.
  6. Re-enable SAML authentication in the tunnel-group by removing and re-adding the identity provider from the CLI, using the IdP Entity ID configured earlier (shown here as a placeholder):
  • ASA-DF(config-tunnel-webvpn)# no saml identity-provider
  • ASA-DF(config-tunnel-webvpn)# saml identity-provider <IdP-Entity-ID>
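Two of the causes above (mismatched SP metadata and an unsynchronized ASA clock) can be checked offline before touching the appliance. The following is an added example, not code from the Okta article or from Cisco; the SP metadata, assertion, hostnames and tunnel-group name are constructed placeholders.

```python
"""Added example: compare the ASA's SP metadata with the values entered in the
Okta app (step 1), and show why an ASA clock that is out of sync rejects an
otherwise valid assertion (NTP cause). All sample data is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP metadata in the shape the ASA publishes (placeholder host/tunnel-group).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://asa.example.com/saml/sp/metadata/OKTA_TG">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://asa.example.com/+CSCOE+/saml/sp/acs?tgname=OKTA_TG" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment: only the Conditions element matters here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-10T12:00:00Z" NotOnOrAfter="2024-01-10T12:05:00Z"/>
</saml:Assertion>"""

def sp_settings(metadata_xml):
    """Return (SP Entity ID, ACS URL) as the ASA advertises them."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return root.get("entityID"), acs.get("Location")

def metadata_mismatches(metadata_xml, okta_acs_url, okta_sp_entity_id):
    """Step 1: list the fields where the Okta app disagrees with the ASA."""
    entity_id, acs_url = sp_settings(metadata_xml)
    problems = []
    if acs_url != okta_acs_url:
        problems.append("ACS URL")
    if entity_id != okta_sp_entity_id:
        problems.append("SP Entity ID")
    return problems

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_valid_at(assertion_xml, asa_clock_iso):
    """True if the ASA's clock falls inside the assertion's validity window.
    An ASA that is minutes off (no NTP) fails this even though Okta signed it."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    now = _utc(asa_clock_iso)
    return _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))
```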