Phase 3: ASA SAML Service Provider

Phase 3: ASA SAML Service Provider Configuration

Import IdP Certificate

Import SAML signing cert to ASA trustpoint
! Create trustpoint for Entra (or ISE if Option A) signing cert
crypto ca trustpoint ENTRA-SAML-SIGNING
 enrollment terminal
 no ca-check
crypto ca authenticate ENTRA-SAML-SIGNING
! Paste the Base64 (PEM) certificate from Phase 1, then type quit on its own line to finish the import

! Verify
show crypto ca certificate ENTRA-SAML-SIGNING

Configure SAML IdP

Option A: ISE as IdP proxy

webvpn
 saml idp https://<ise-fqdn>/admin/saml/idp
  url sign-in https://<ise-fqdn>/portal/SSOLoginResponse.action
  url sign-out https://<ise-fqdn>/portal/SSOLogoutResponse.action
  trustpoint idp ENTRA-SAML-SIGNING
  trustpoint sp ASA-SAML-SP-CERT
  base-url https://<asa-external-fqdn>
  no signature
  no force re-authentication

Option B: Entra as direct IdP

webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp ENTRA-SAML-SIGNING
  trustpoint sp ASA-SAML-SP-CERT
  base-url https://<asa-external-fqdn>
  no signature
  no force re-authentication
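An added helper (not part of this runbook or of Cisco's tooling) that pulls the values the two sections above need out of the IdP federation metadata downloaded in Phase 1: the entityID to use verbatim in `saml idp` (trailing slash included), the sign-in URL, and the signing certificate as a PEM block ready to paste into `crypto ca authenticate`, with its SHA-1/SHA-256 fingerprint so you can compare it against the thumbprint shown in the Entra portal before accepting it on the ASA. The metadata embedded below is a constructed sample with a fake certificate body, not a real tenant.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample, not a real tenant or certificate: the X509Certificate
# body is just base64 of FAKE_DER, enough to exercise parsing and hashing.
FAKE_DER = b"not-a-real-certificate-der"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor>
  <KeyDescriptor use="signing">
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
    <X509Certificate>
      {base64.b64encode(FAKE_DER).decode()}
    </X509Certificate></X509Data></KeyInfo>
  </KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return (entityID, sign-in URL, [signing cert DER bytes, ...])."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(DS + "X509Certificate"):
            certs.append(base64.b64decode("".join(c.text.split())))
    sso = root.find(f".//{MD}SingleSignOnService")
    return root.get("entityID"), (sso.get("Location") if sso is not None else None), certs


def to_pem(der):
    """PEM block in the form 'crypto ca authenticate' expects to be pasted."""
    body = textwrap.fill(base64.b64encode(der).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER, for comparison with the portal thumbprint."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))
```

Run `parse_idp_metadata()` on the real federation metadata file instead of `SAMPLE_METADATA`; a mismatch between the returned entityID and the `saml idp` / `saml identity-provider` value (even a missing trailing slash) is a common cause of rejected assertions.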

Tunnel Group SAML Binding

! Bind SAML to the VPN tunnel group
tunnel-group <tunnel-group-name> webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 ! or ISE entity ID if Option A

ASA SP Certificate

Generate or use existing ASA identity cert for SAML SP
! If ASA already has an identity cert for WebVPN, reuse it
! Otherwise generate:
crypto key generate rsa label ASA-SAML-SP modulus 2048
crypto ca trustpoint ASA-SAML-SP-CERT
 enrollment self
 subject-name CN=<asa-external-fqdn>
 keypair ASA-SAML-SP
crypto ca enroll ASA-SAML-SP-CERT

! Export SP metadata for Entra registration
show saml metadata <tunnel-group-name>

Dynamic Access Policy (DAP)

Map SAML attributes to DAP for group-based access
! DAP can match on SAML assertion attributes
! Example: match Entra group claim for tiered VPN access
! Note: the selection criteria (the SAML attribute match) are configured in ASDM
! and stored in dap.xml; only the record name and priority appear in the CLI
dynamic-access-policy-record VPN-FULL-ACCESS
 priority 10
 ! Match SAML group attribute from Entra (selection criteria set in ASDM)

dynamic-access-policy-record VPN-LIMITED
 priority 20
 ! Default fallback for users who match no higher-priority record

Verification

Verify SAML config
show saml metadata <tunnel-group-name>
show webvpn saml idp
show running-config tunnel-group <tunnel-group-name> webvpn-attributes