Okta Classic Engine · Okta Integration Network · Answered · 2025-03-03T09:04:54Z · 2018-08-29T03:53:10Z · 2020-07-31T17:03:45Z
Has anyone successfully configured Cisco ASA VPN for Okta SAML?

The rough configuration guide was dropped from Okta's support site, and it doesn't address some of the configuration parameters in Okta such as the Name ID Format, which may be critical to getting this working. After our first stab at the configuration, and after upgrading our AnyConnect client to a version that supports the SAML authentication method, we get the message "Authentication failed due to problem retrieving the single sign-on cookie."


  • You can create a SAML application in Okta and configure it for Cisco ASA through the App Integration Wizard. The instructions to create a SAML 2.0 app can be found here: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard.htm

    Once created, you'll be given the 'Identity Provider Single Sign-On URL', 'Identity Provider Issuer' and the Okta certificate, which you'll use to configure the Cisco ASA device.

    You can retrieve the above information by going to the Custom SAML App > Sign-on tab and clicking on 'View Setup instruction'.

    The last step, according to the instruction, is to get the SP metadata from the following URL: https://<VPN-base-URL>/saml/sp/metadata/<name of the connection profile>, and update the Okta SAML configuration.
    Selected as Best
  • Thank you for contacting Okta support. We have customers that have successfully configured Cisco ASA VPN using our updated documentation: https://support.okta.com/help/s/article/Cisco-ASA-VPN-Configuration-Guide. For Name ID format, the value you choose will depend on the application: this is the username format that you are sending in the SAMLResponse. Consult the SP documentation to determine what format to use. If you encounter any issues configuring Cisco ASA VPN, please open a support case.
  • JeffS.10061 (Customer)

    Thanks Bogdan. The updated documentation simply lists use of SAML as being supported, but all of the detailed configuration steps are for using the Okta RADIUS Agent. In the past there was a semi-detailed guide for configuring Okta and the ASA to use SAML (instead of RADIUS), but the guide was removed from Okta's customer-facing content, and even though we had saved a copy, it did not cover many of the parameters needed when configuring a SAML app in Okta. I am looking for a cookbook guide like Okta has for using RADIUS, or for a customer who is using SAML who can advise me on the missing information. Thanks!
  • k8hnf (k8hnf)

    Bogdan, thank you for this setup guide. I had a couple of questions for you: which version of AnyConnect did you use, and did you have any trouble getting to the https://URL/saml/sp/metadata/ URL?

  • ulazx (ulazx)

    Bogdan,

    We followed the steps you outlined above twice and we still received a 404 Page Not Found when we launch the AnyConnect client and try to connect. We are at a loss; any help would be much appreciated.

    Thanks!
  • k8hnf (k8hnf)

    Michael, I actually tried posting a picture but it didn't work and deleted my entire comment, so here I go again. We had this same issue and finally got this setup to work wonderfully. The first thing we did was upgrade our ASA software to 9.8(2) and we pushed the AnyConnect 4.6 client to the end users. The 4.5 client wouldn't open the popup browser window for our SSO page. We also had an issue with the mobile Android devices getting the 404 error. We resolved that issue by installing the intermediate certificate from our cert provider onto the ASA alongside the initial cert for the AnyConnect. Below is our config on the Okta side that got it working for us. The "Okta-users" part at the end of the URLs is the AnyConnect Connection Profile's name you created on the ASA. Let me know if you have any more questions on our config and maybe I can send you some more information.

    Single Sign On URL: https://vpn.url.com/+CSCOE+/saml/sp/acs?tgname=Okta-users
    Recipient URL: https://vpn.url.com/+CSCOE+/saml/sp/acs?tgname=Okta-users
    Destination URL: https://vpn.url.com/+CSCOE+/saml/sp/acs?tgname=Okta-users
    Audience Restriction: https://vpn.url.com/saml/sp/metadata/Okta-users
    Default Relay State: (blank)
    Name ID Format: Unspecified
    Response: Signed
    Assertion Signature: Signed
    Signature Algorithm: RSA_SHA256
    Digest Algorithm: SHA256
    Assertion Encryption: Unencrypted
    SAML Single Logout: Disabled
    authnContextClassRef: PasswordProtectedTransport
    Honor Force Authentication: Yes
    SAML Issuer ID: http://www.okta.com/${org.externalKey}
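The accepted answer above has you pull the SP metadata from the ASA and use it to fill in the Okta app, and k8hnf's settings list shows what those fields end up as: the three ACS URLs (Single Sign On, Recipient, Destination) are the same value, the Audience is the SP's own metadata URL (its entityID), and the Name ID Format is Unspecified. The Python below is an added example, not code from any post, from Okta or from Cisco. It derives those Okta fields from an SP metadata document and then checks a SAMLResponse against them, which is a quick way to tell a cookie/ACS failure caused by a mismatched URL from one caused elsewhere. The SP metadata, the SAMLResponse, the hostname vpn.example.com and the issuer key exk_PLACEHOLDER are all constructed for illustration (the metadata your own ASA serves is authoritative), and the code reads XML only: it is a configuration cross-check, not a signature validator.

```python
"""Cross-check Okta SAML app settings against a Cisco ASA connection profile.

Added example (not Okta's or Cisco's code). Derives the Okta fields from the
SP metadata the ASA serves at /saml/sp/metadata/<profile> and compares a
SAMLResponse with them. Hostnames, IDs and document layout are constructed.
Configuration cross-check only: XML signatures are not verified here.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata for a connection profile named "Okta-users".
# The metadata your own ASA publishes is authoritative.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/saml/sp/metadata/Okta-users">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Okta-users" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAMLResponse of the shape Okta posts to the ACS. The Signature
# elements are stand-ins; "exk_PLACEHOLDER" stands for the org's externalKey.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" Destination="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Okta-users">
  <saml:Issuer>http://www.okta.com/exk_PLACEHOLDER</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exk_PLACEHOLDER</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Okta-users"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://vpn.example.com/saml/sp/metadata/Okta-users</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the Audience set to the ACS URL: both URLs carry the
# profile name, so this mix-up is easy to make when filling in the Okta app.
BAD_AUDIENCE_RESPONSE = GOOD_RESPONSE.replace(
    "<saml:Audience>https://vpn.example.com/saml/sp/metadata/Okta-users",
    "<saml:Audience>https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Okta-users")


def okta_settings_from_sp_metadata(metadata_xml):
    """Return the Okta SAML app fields implied by the ASA's SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = None
    for svc in root.iterfind(".//md:AssertionConsumerService", NS):
        if svc.get("Binding") == POST_BINDING:
            acs = svc.get("Location")
            break
    if acs is None:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    return {
        "Single Sign On URL": acs,      # where Okta posts the response
        "Recipient URL": acs,           # SubjectConfirmationData/@Recipient
        "Destination URL": acs,         # Response/@Destination
        "Audience Restriction": root.get("entityID"),  # the SP entityID
        "Name ID Format": root.findtext(".//md:NameIDFormat", namespaces=NS),
    }


def _attr(elem, path, attr):
    node = elem.find(path, NS)
    return node.get(attr) if node is not None else None


def check_saml_response(response_xml, expected):
    """Compare a SAMLResponse with the expected settings; return findings."""
    root = ET.fromstring(response_xml)
    findings = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (the thread's config is Unencrypted)"]
    # The thread's config signs both the Response and the Assertion.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")
    actual = {
        "Destination URL": root.get("Destination"),
        "Recipient URL": _attr(assertion, ".//saml:SubjectConfirmationData", "Recipient"),
        "Audience Restriction": assertion.findtext(".//saml:Audience", namespaces=NS),
        "Name ID Format": _attr(assertion, ".//saml:NameID", "Format"),
    }
    for field, value in actual.items():
        if value != expected[field]:
            findings.append(f"{field}: got {value!r}, expected {expected[field]!r}")
    return findings
```

Run `okta_settings_from_sp_metadata(SP_METADATA)` to get the five Okta fields, then pass that dictionary and a captured SAMLResponse (for instance from the browser's SAML tracer during an AnyConnect login) to `check_saml_response`; an empty list means the response carries the URLs and Name ID format the ASA profile expects, and each mismatch names the Okta field to correct.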
  • ulazx (ulazx)

    Joseph,
    Thanks so much for the response and information. Our Okta side looks exactly like yours settings-wise, but I had one question. We have a 5508 ASA and it's at firmware 9.8.6 from what I remember, and we downloaded AnyConnect client 4.6, and we did purchase a cert from Trustwave for the ASA, made a DNS record to resolve the ASA IP, and we downloaded, from the Okta instructions, the cert and uploaded that to the ASA. Is that correct, what we did with the certs? I am thinking it's a config somewhere with our ASA we are missing.

    Thanks
    Mike
  • r4bn5 (r4bn5)

    Hello everyone,

    I might be a little late to the party, but I just wanted to throw my two cents into the mix and mention we have successfully been using Cisco ASA VPN with Okta SAML since this past June. We are using it with our test ASA VPN and another ASA VPN that is only used for a small subset of users. We have not rolled it out to our production VPN yet because of a known issue with the Apple iOS Cisco AnyConnect app and an odd login issue with VPN from Okta dealing with empty secondaryEmail attributes that we may have just cleared up. The iOS AnyConnect issue is when it prompts for MFA and you leave the AnyConnect app to go to Okta Verify and approve the MFA challenge, the AnyConnect app ends the authentication because you left the AnyConnect app. Cisco is aware of the issue, but no ETA on when the fix will be in place. We're eager to implement in production as it has worked well apart from the issues I have listed.

    -Dan

  • JeffS.10061 (Customer)

    Dan – thanks for sharing. That’s great information.
  • k8hnf (k8hnf)

    Dan - We also came across this, but it only does that when we had MFA setup on the same iOS device. For instance, we opened the Cisco AnyConnect app on an iPhone and after clicking connect, we used a separate iPad for MFA, approved it, then looked back at the original iPhone and it signed in. Kind of sucks, but it is a bug that Cisco needs to resolve.

This question is closed.