This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 53%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
hello
I am using Cisco AnyConnect on a aVPN to pass authentication to the Azure AD
I have configured the SAML strings
please see attached for failure message 
What steps/guide have you used to set this feature up?
hello
we configured the idp string and url login & logout on under the webvpn configuration
we configured the idp string under the tunnel group
from what I understand the customer has input the tunnel group name and base url on the AD configuration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Thank you for reaching out to us. As I understand you are trying to configure AnyConnect VPN with Azure AD, during the process you got this error AADSTS700016.
AADSTS700016 - This means the application you are trying to access does not exist in the organization you are signing into or I would say the AppId of the application (sent as client_id) sent to Azure AD is not valid. Double check this is the correct AppId.
AppId is not the same as the Applications Object ID, Service Principal or also called Enterprise Apps Object ID.
saml idp [entityID] configuration under the ASA's webvpn configuration does not match the IdP Entity ID found in the Azure AD metadata.
Let me know if you have any further questions.
thank you for your help -- > I am sending using /sending the SAML iDP provided by the Admin team managing the AD
this customer has a primary AnyConnect SAML working
the device I am working on will be used for DR
I checked and both SAML idP url from the Primary & Secondary are the same
therefore I thought the connection would terminate in the correct location in AD
Q are there unique parameters the AD Admin team need to configure their side ? for example Tunnel Group name & base login URL ?
@Sean Byrne Yes, Tunnel Group name and base login URL should be unique,
Refer to these articles
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html
Also, I noticed there is video talks about similar integration https://www.youtube.com/watch?v=ORC0_0wsbQk.
Let me know if this information does not help, we can connect offline and troubleshoot further on the same.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
sorry for the delay --the customer is still testing
thanks for all your help
I will update you with the results of the testing