Blackboard Learn: SAML authentication with ADFS

This section contains some of the common problems that may prevent a user from logging into Learn via SAML authentication with ADFS. They typically surface as one of two messages: "The specified resource was not found, or you do not have permission to access it", or, after entering the login credentials on the ADFS login page, "Sign On Error! Contact your administrator for assistance." To avoid this issue and provide almost the same result, use a Custom Login Page.

Problem: IdP is configured for the wrong Assertion Consumer Service URL.

Problem: the entityID configured in Learn does not match the one ADFS publishes. You can find the entityID element by downloading the federation metadata XML from ADFS at https://<ADFS-SPN>/federationmetadata/2007-06/federationmetadata.xml.

Problem: ADFS sends the attributes encrypted. To set the relying party created for Blackboard Learn to send the attributes unencrypted, open PowerShell and run the relying-party trust update command, passing as TargetName the name of the Relying Party Trust shown in the ADFS Management Console under Trust Relationships > Relying Party Trusts.

When the assertion is rejected, the Learn log shows the SAML request entering the Spring Security filter chain and then a stack trace from the OpenSAML security-policy check; the fragments recovered here are incomplete:

INFO | jvm 1 | 2016/09/06 20:33:07 | - /saml/SSO at position 2 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
at org.opensaml.ws.security.provider.BasicSecurityPolicy.evaluate(BasicSecurityPolicy.java:51)
at blackboard.auth.provider.saml.customization.filter.BbSAMLExceptionHandleFilter.doFilterInternal(BbSAMLExceptionHandleFilter.java:30)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:184)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

Cisco ASA: SAML authentication for VPN

In my experience, I have run into trouble where the IdP has been trying to send SAML attributes to the ASA that the ASA is not able to interpret or understand, which would show up in the debugging log as:

[saml] webvpn_login_primary_username: SAML assertion validation failed.

Here the SAML attribute AuthnContextDeclRef is sent to the ASA from the IdP after authentication is successful, but the ASA does not know what this attribute is and therefore the VPN authentication fails.

A different cause of the same validation failure is an assertion whose validity window does not contain the ASA's current time:

[SAML] NotBefore:2017-09-05T23:59:01.896Z NotOnOrAfter:2017-09-06T00:59:01.896Z timeout: 0
[SAML] consume_assertion: assertion is expired or not valid.

The ASA checks NotBefore and NotOnOrAfter against its own clock, so the ASA and the IdP must agree on the time (for example, both synchronised with NTP); a clock that is off by more than the window will reject every assertion.

If you need to have multiple words in your Connection Profile name, use a dash or underscore between them. The remainder of the configuration for the tunnel group was unchanged.

I created a "Profile" directory under the AnyConnect directory and put the XML file inside it. The ASA would not generate the XML file at http://URL/saml/sp/metadata/ProfileName. I have tried both removing the saml config from the tunnel-group and adding it again, and also rebooted the appliance.
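The two ADFS-side steps above (reading the entityID from the federation metadata, and switching the relying party trust to unencrypted claims) as one PowerShell script. This is an added example, not Blackboard's or Microsoft's own instructions; the ADFS host name and the Relying Party Trust name are placeholders you replace, and the Set-AdfsRelyingPartyTrust call must run on an ADFS server with the ADFS module loaded.

```powershell
# Added example (not from the original page). $AdfsHost stands in for <ADFS-SPN>
# and $TrustName for the Relying Party Trust display name; both are assumptions.
$AdfsHost  = 'adfs.example.edu'
$TrustName = 'Blackboard Learn'

# 1. Read the IdP entityID from the federation metadata document. The root
#    element is EntityDescriptor and the entityID is one of its attributes.
$MetadataUrl = "https://$AdfsHost/federationmetadata/2007-06/federationmetadata.xml"
[xml]$Metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$EntityId = $Metadata.EntityDescriptor.entityID
"ADFS entityID (paste this into Learn's IdP settings): $EntityId"

# 2. Tell ADFS to stop encrypting the claims it sends to this relying party.
#    -TargetName is the trust name shown under Trust Relationships > Relying Party Trusts.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -EncryptClaims $false

# 3. Confirm the change took effect before testing a login again.
Get-AdfsRelyingPartyTrust -Name $TrustName | Select-Object Name, EncryptClaims
```

Unencrypted claims are readable by anything that can see the SAML response on the browser side, so keep the relying party's SSL endpoint on HTTPS and re-enable EncryptClaims once Learn is configured with a decryption certificate, if that option is available to you.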
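The NotBefore/NotOnOrAfter check above, as an added PowerShell helper that is not part of the original page or of Cisco's tooling: it parses the `[SAML] NotBefore:... NotOnOrAfter:...` debug line and reports whether a given ASA clock reading (taken from `show clock`) falls inside the assertion's validity window, and by how much it misses if not. The two ASA clock readings at the bottom are constructed for illustration.

```powershell
# Added example, not from the original page. Parses the ASA SAML debug line and
# compares the assertion window with the ASA's clock.
function Test-SamlAssertionWindow {
    param(
        [Parameter(Mandatory)][string]$LogLine,   # the "[SAML] NotBefore:... NotOnOrAfter:..." line
        [Parameter(Mandatory)][datetime]$AsaTime  # the ASA's clock at the time of the login attempt
    )
    if ($LogLine -notmatch 'NotBefore:(?<nb>\S+)\s+NotOnOrAfter:(?<na>\S+)') {
        throw "Line does not contain a NotBefore/NotOnOrAfter pair: $LogLine"
    }
    $culture = [cultureinfo]::InvariantCulture
    $style   = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $notBefore    = [datetime]::Parse($Matches['nb'], $culture, $style)
    $notOnOrAfter = [datetime]::Parse($Matches['na'], $culture, $style)
    $asaUtc = $AsaTime.ToUniversalTime()

    # SAML semantics: valid when NotBefore <= now < NotOnOrAfter.
    $valid = ($asaUtc -ge $notBefore) -and ($asaUtc -lt $notOnOrAfter)

    # Minutes by which the ASA clock misses the window (negative = too early, positive = too late).
    $skew = 0
    if ($asaUtc -lt $notBefore)        { $skew = [math]::Round(($asaUtc - $notBefore).TotalMinutes, 1) }
    elseif ($asaUtc -ge $notOnOrAfter) { $skew = [math]::Round(($asaUtc - $notOnOrAfter).TotalMinutes, 1) }

    [pscustomobject]@{
        NotBefore    = $notBefore
        NotOnOrAfter = $notOnOrAfter
        AsaTimeUtc   = $asaUtc
        Valid        = $valid
        SkewMinutes  = $skew
    }
}

# The debug line quoted on this page, checked against two constructed ASA clock readings.
$line = '[SAML] NotBefore:2017-09-05T23:59:01.896Z NotOnOrAfter:2017-09-06T00:59:01.896Z timeout: 0'
Test-SamlAssertionWindow -LogLine $line -AsaTime ([datetime]'2017-09-06T00:10:00Z')  # inside the window
Test-SamlAssertionWindow -LogLine $line -AsaTime ([datetime]'2017-09-06T01:15:00Z')  # ASA clock about 16 minutes past NotOnOrAfter
```

A consistent non-zero SkewMinutes across several failed logins points at the ASA's or the IdP's clock rather than at the SAML configuration; fix time synchronisation first and then re-test.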