Symptom
I have 2 connection profiles, called Tunnel-Admin and Tunnel-User. The Cisco ASA incorporates those names in the SAML entity ID and reply. This required me to set up 2 Azure AD SSO apps, which in turn means I have 2 certificates, one for each connection/app.
*Cisco Connections*
Tunnel-Admin
Tunnel-User
*Azure AD Apps - Both apps share the same IDP URL but have different certificates.*
Tunnel-Admin
Tunnel-User
*Cisco SAML Configurations*
Only one is possible.
Options:
1. Somehow change the way the Cisco ASA uses the connection name in the identifier
2. Allow 2 certificates to be used in the IDP configuration
3. Figure out a way to set up multiple SAML IDPs
Conditions
Configuring two different tunnel groups on the ASA with Azure AD as the IDP requires multiple certificates in the ASA-side IDP configuration.
There is no API to support this in SAML/ASA.
Workaround
Solution 1
Configure all profiles on the IDP server with a single certificate.
The same certificate should be configured as the SAML IDP trustpoint on the ASA.
All tunnel groups should be re-enabled to use the new SAML IDP config.
Solution 2
Maintain different IDP entity IDs for the different IDP certificates on the IDP server.
Configure all entity IDs on the ASA, each with its respective certificate trustpoint.
All tunnel groups should be re-enabled to use the new SAML IDP config.
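The ASA side of Solution 2, shown as an added illustration that is not part of the original note: two saml idp entries, each bound to its own IDP trustpoint, with each tunnel group pointing at the matching entity ID, followed by the re-enable step. The entity IDs, URLs, trustpoint names and the tenant placeholder are assumptions; the two IDP trustpoints are assumed to have been created beforehand by importing each Azure AD app's signing certificate.

```text
! Added example (not from the original note). Assumptions: entity IDs,
! URLs, trustpoint names and <tenant-id> are placeholders.
! AzureAD-Admin-TP and AzureAD-User-TP each hold one app's signing cert
! (crypto ca trustpoint ... / crypto ca authenticate ... done beforehand).
webvpn
 ! IDP entry for the Tunnel-Admin app: its own entity ID and trustpoint
 saml idp https://idp.example.com/tunnel-admin
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp AzureAD-Admin-TP
  trustpoint sp ASA-SP-TP
  base-url https://asa.example.com
 ! IDP entry for the Tunnel-User app: different entity ID, different cert
 saml idp https://idp.example.com/tunnel-user
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp AzureAD-User-TP
  trustpoint sp ASA-SP-TP
  base-url https://asa.example.com
!
! Each tunnel group is bound to the IDP entry whose certificate
! validates the assertions issued for that app.
tunnel-group Tunnel-Admin webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/tunnel-admin
tunnel-group Tunnel-User webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/tunnel-user
!
! Re-enable step: after any change to a saml idp entry, remove and
! re-add the binding so the tunnel group picks up the new IDP config.
tunnel-group Tunnel-Admin webvpn-attributes
 no saml identity-provider https://idp.example.com/tunnel-admin
 saml identity-provider https://idp.example.com/tunnel-admin
tunnel-group Tunnel-User webvpn-attributes
 no saml identity-provider https://idp.example.com/tunnel-user
 saml identity-provider https://idp.example.com/tunnel-user
```

Verify the binding with show running-config tunnel-group and confirm each group references the entity ID whose trustpoint holds the certificate of the matching Azure AD app.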
Further Problem Description