CSCvm86891 - ENH SAML support with SBL (Start Before Logon) - 1
Anyone else clamoring for this?
SAML support with SBL would be absolutely perfect for what our organization is trying to accomplish. It would bridge the gap between Always-on VPN, with the security handled almost entirely via certificates stored on the local workstation, and organizations like mine where we would prefer to require multi-factor authentication. I would assume it has to be possible from a technical standpoint, since I know that vendors such as Duo can enable SAML with MFA at initial login.
If Cisco enables support for SAML with SBL, we can provide VPN services to our remote workforce with a high level of security while also ensuring that critical system services and network connections can be established prior to logon.
We were looking for this capability as well, but received the following from Cisco:
“Unfortunately we have serious reservations about implementing a browser based capability during SBL since all the components run as SYSTEM user. We don’t have plans to implement this enhancement at this time.”
Unsure if this is something they are still considering, since the enhancement is still open... but based on the above feedback, it doesn't sound promising.
I do understand the reservation if using the OS embedded browser. However, we need to be able to use SAML auth with Start Before Logon (SBL). This is crippling the ability to use AnyConnect in a secure fashion with Azure MFA when deploying the remote workforce. Basically SBL is useless to us. The only option is to use Always-on VPN which is currently against our security best practice.