Cisco Anyconnect - SAML

Hi all

I am trying to setup Cisco Anyconnect with Auth0 SAML.

I have created my AD connector and added it to the enterprise and also set up all SAML as I would do for MS Azure.

When I try to log in I get the Auth0 login page, I log in and then I get "CSRF token mismatch."

What could be wrong?

Does anyone have some pointers on how to set this up?

Thanks

Hi @alexandru.mateescu

Welcome to the Auth0 Community!

The "CSRF token mismatch" error you are seeing is generated by the Cisco ASA, not Auth0. It happens when the ASA receives the successful SAML login response from Auth0, but cannot match it to the original VPN session cookie it created when you clicked "Connect".

This is almost always caused by one of three things:

  1. The AnyConnect embedded browser dropping modern session cookies
     -> By default, Cisco AnyConnect uses an older, embedded mini-browser (often tied to Internet Explorer on Windows) to render the Auth0 login page. This embedded browser frequently mishandles modern SameSite=None cookie attributes. Because the cookie is dropped during the redirects, the ASA receives the Auth0 SAML assertion but has no local cookie to tie it to, resulting in a CSRF mismatch.
     -> You might need to configure Cisco AnyConnect to use the user's default OS browser (Chrome, Edge, Safari) instead of the embedded browser.
  2. A mismatch in the exact FQDN or Tunnel Group in your Auth0 Callback URL.
     -> When Auth0 posts the SAML Assertion back to the Cisco ASA, the ASA needs to know exactly which VPN Tunnel Group the user belongs to. If the URL is even slightly off (e.g., mismatched capitalization), the ASA will reject it.
     -> Go to your Auth0 Dashboard > Applications > Select your Cisco App > Addons > SAML2 Web App. Ensure your Application Callback URL perfectly matches your ASA's FQDN and explicitly includes the target Tunnel Group parameter.
  3. A known software bug in your specific Cisco ASA/FTD firmware version.
     -> Sometimes, the ASA sends a RelayState to Auth0 to track the session, but if the SAML addon isn't configured to bind it properly, it gets dropped on the return trip.
     -> In that same Auth0 SAML2 Addon configuration window, scroll down to the Settings JSON block and ensure you haven't explicitly disabled bindings or overridden the default RelayState behavior. The default empty {} or standard binding is usually sufficient, but if you customized it for Azure previously, it might be dropping the state.

Let me know if you have any other questions!

Kind Regards,
Nik
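As an added diagnostic example (not part of the thread above, and not Cisco's or Auth0's tooling), this Python script checks two of the causes Nik lists offline: whether the SAML Response's Destination matches the ASA callback URL including the Tunnel Group parameter byte-for-byte, and whether the RelayState the ASA sent actually came back in the POST form. The host, tunnel group name and the `tgname` query parameter are assumptions; the SAML Response and form fields are constructed samples, not captures.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed ACS URL shape (hypothetical host and tunnel group; the query
# parameter name is an assumption, compare against your own ASA config).
EXPECTED_ACS = "https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=RemoteUsers"

# Constructed SAML Response, not a real capture: the tunnel group in the
# Destination differs from EXPECTED_ACS only in capitalization.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=remoteusers">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""

# Constructed HTTP-POST form fields as the browser would submit them to the ASA.
POST_FORM_OK = {"SAMLResponse": "<base64 omitted>", "RelayState": "ab12"}
POST_FORM_DROPPED = {"SAMLResponse": "<base64 omitted>"}


def check_destination(saml_xml: str, expected_acs: str) -> list[str]:
    """Return findings explaining why Destination would not match the ASA's ACS URL.

    The host is compared case-insensitively (DNS); path and query are compared
    byte-for-byte, which is where capitalization slips usually hide."""
    root = ET.fromstring(saml_xml)
    dest = root.get("Destination", "")
    d, e = urlsplit(dest), urlsplit(expected_acs)
    findings = []
    if (d.scheme, d.hostname, d.port) != (e.scheme, e.hostname, e.port):
        findings.append(f"origin differs: {dest} vs {expected_acs}")
    if d.path != e.path:
        findings.append(f"path differs (case-sensitive): {d.path} vs {e.path}")
    if parse_qs(d.query) != parse_qs(e.query):
        findings.append(f"tunnel-group parameters differ: {d.query} vs {e.query}")
    return findings


def relay_state_returned(form: dict) -> bool:
    """True if the RelayState the ASA sent survived the round trip through the IdP."""
    return bool(form.get("RelayState"))


if __name__ == "__main__":
    print(check_destination(SAML_RESPONSE, EXPECTED_ACS) or "Destination OK")
    print("RelayState returned:", relay_state_returned(POST_FORM_DROPPED))
```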