Symptom
Authentication flow with IdP is successfull, IdP redirects user back to ASA with URL containing SAML assertion.
ASA fails to process/validate SAML assertion properly when name of tunnel-group contains "."
No specific error in debug is seen.
"Wrong URL." is displayed in the browser after failed connection attempt.
Conditions
AnyConnect with SAML authentication on ASA.
Tunnel-group name containing "."
Workaround
Do not use "." in name of tunnel-group.
Further Problem Description
By looking and HTTP capture, we can see that ASA responds with HTTP 302 Moved Temporarily for HTTP post carrying SAML assertion.
In working scenario ASA responds with HTTP OK.
