jknetservices
Beginner

CSCvm86891 - ENH SAML support with SBL (Start Before Logon) - 1

Anyone else clamoring for this? 

SAML support with SBL would be absolutely perfect for what our organization is trying to accomplish.  It would bridge the gap between Always-on VPN, with the security handled almost entirely via certificates stored on the local workstation, and organizations like mine where we would prefer to require multi-factor authentication.  I would assume it has to be possible from a technical standpoint, since I know that vendors such as Duo can enable SAML with MFA at initial login. 

If Cisco enables support for SAML with SBL, we can provide VPN services to our remote workforce with a high level of security while also ensuring that critical system services and network connections can be established prior to logon.

2 REPLIES
eric_stephens
Beginner

We were looking for this capability as well, but rec'd the following from Cisco:

“Unfortunately we have serious reservations about implementing a browser based capability during SBL since all the components run as SYSTEM user. We don’t have plans to implement this enhancement at this time.”

Unsure if this is something they are still considering since the enhancement is still open... but based on the above feedback... it doesn't sound promising.

I do understand the reservation if using the OS embedded browser. However, we need to be able to use SAML auth with Start Before Logon (SBL). This is crippling the ability to use AnyConnect in a secure fashion with Azure MFA when deploying the remote workforce. Basically SBL is useless to us. The only option is to use Always-on VPN which is currently against our security best practice.