AnyConnect, SAML and attribute mapping; is this possible?

lynne.meeks
Level 1

We have been using the AnyConnect client and LDAP attribute maps to place clients in specific VPN groups on our Cisco ASA. We also use DUO for MFA in AnyConnect connections. This works fine, but clients often find the AnyConnect interface to be somewhat confusing in conjunction with MFA.

We'd like to use SAML authentication for AnyConnect clients in order to give clients the same interface they are used to when accessing other services. We have gotten this to successfully work with AnyConnect after some trial and error; pretty slick.

However, the missing piece is the attribute mapping. It appears that attribute maps can only be assigned to AAA servers on the ASA, and I can find no way to map attributes to VPN groups when using SAML instead of AAA. The configuration guide states "This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."

Has anyone else run into this situation? Any suggestions?

thanks.
