VPNaaS SAML Authentication Fails with "Decryption of relay state failed" Error Using Duo IdP

Available Languages

Download Options

  • PDF     (5.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (87.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (73.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 19, 2026
Document ID:225503

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

When attempting to establish a VPNaaS connection using Secure Client Remote Access with SAML authentication and Duo as the Identity Provider (IdP), this error is observed:

  • Failed when processing the SSO authentication request.Please contact your System Administrator
  • Decryption of relaystate failed

Authentication with the same IdP and Duo configuration works successfully for ZTNA (Zero Trust Network Access), but fails for VPN connections. There are two separate applications configured in Duo for ZTNA and VPN, both using the same IdP.

Environment

  • Technology: Solution Support (SSPT - contract required)
  • Subtechnology: Secure Access - Secure Client Remote Access (VPN, Posture, Private Resource)
  • Authentication Method: SAML with Duo IdP
  • Two Duo applications configured: one for ZTNA, one for VPN
  • Authentication works for ZTNA, fails for VPN
  • Software Version: ALL
  • No recent hardware/software version changes specified

Resolution

 The issue was resolved by correcting the configuration of the Entity ID and Assertion Consumer Service (ACS) URL on the Duo application for VPN. The correct metadata was downloaded from Secure Access and uploaded to the VPN Duo app, which resolved the SAML relaystate decryption error.

  1. Login to CSA Dashboard.  Go to Connect > Enduser Connectivity -> Virtual Private Networks. Find out the Profile you are connected to. 
  2. Click that Profile and Edit. Go to the Authentication tab.
  3. Download the SAML Metadata for Secure Access.
  4. Check entityID="https://X.vpn.sse.cisco.com/saml/sp/metadata/saml" and <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://X.vpn.sse.cisco.com/+CSCOE+/saml/sp/acs?tgname=Profilename"></AssertionConsumerService>
  5. Ensure sure that entityID and AssertionConsumerService matches the Duo Application configured for VPN SSO Authentication.

Cause

Misconfiguration of the Entity ID and ACS URL on the Duo VPN application resulted in the SAML relaystate decryption failure. The correct configuration was not present in Duo for VPN, even though ZTNA authentication was working with the same IdP. Updating the Duo VPN application with accurate metadata from Secure Access resolved the issue.

Related Content

Revision History

Revision Publish Date Comments
1.0
11-Mar-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Amit Arora
    Technical Consulting Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products