When a user is connecting to the VPN using this method it is really cool. It is cool because AnyConnect has a built in web browser that pops up and shows whatever authentication web site you configure. In production this website is our ADFS server's web page. In the lab I setup for this the website is Microsoft's Azure AD authentication page, the same one you get when logging into outlook.office.com, once I enter my username there I'm then redirected to my on-premise ADFS server where the username is filled in automatically, after typing my password I'm redirected back to Azure AD's page for an MFA challenge. If you sync password hashes to Azure/O365 then you don't need the ADFS part at all and the whole authentication happens against Azure AD.



I suppose the real cool part is that when you point AnyConnect's built-in web browser at Azure AD's authentication page you take advantage of all the great security features of Azure AD like Microsoft's MFA using their "Authenticator" app, their "Conditional Access", and their "Azure AD Identity Protection". Also since the authentication happens in Azure AD you don't need an on premise MFA server you use theirs as a service.



SSO is the other obvious cool part. Once user's connect to VPN they have a SAML token for Azure AD and can use that to access any other resources secured by Azure AD authentication. So they get SSO to outlook.office.com, any Azure AD App Proxy pages or other web applications you've published from Azure AD.

@howardgoble  

Ah, yes, that was exactly what I was trying to understand.

 

I am being asked to setup SSO using AnyConnect. At this point, we don't use outlook.office.com, any Azure AD App Proxy pages or other web applications published in Azure, so I was getting really confused as to how this would be beneficial to our company. 

 

Thanks!

If your user's mailboxes are in Exchange Online then I think the Outlook client program can take advantage of the SSO as well. To me that is less of a benefit since most users just login to Outlook once and have it save their passwords.

Can someone confirm if this solution requires AnyConnect Apex license and the WebVPN feature? Does this process only secure the WebVPN page with Azure MFA? Is it possible to apply this to AnyConnect client based connections?

Not sure about the license question, but it does work with AnyConnect client. I tested it with a 4.8 version.

I have a few dumb questions. In the configure Basic SAML portion, where does one find the Identifier (entity ID) and the reply URL? If we have already generated the certificate, created the trustpoint, and uploaded it to the ASA without the Identifier and reply URL being configured will we need to regenerate the cert and reupload it?

 

Thank you,

@bartlettdn @he enityID is just the name you give the Enterprise Application in Azure AD. It has to be the same in Azure AD and on your ASA, but it can be anything you want.

The reply URL is gathered from the XML response when you visit your ASA in a browser at this example URL:

SP Metadata:

https://my.asa.com/saml/sp/metadata/AC-SAML (Also your Entity ID - Azure App Section 1)

 

In the metadata XML look for AssertionCustomerService, the Location field in this tag is the Reply URL for the Azure App In SSO Section 1.

Hi

I have a customer(at about 100 remote workers) wanting to use Azure AD as idp and is looking for a solution like this. I dont have a lot of Cisco experience and need advice on which appliance to look at. Is this supported on all ASA Firewalls, how about FirePower series and so on? 

I appreciate any advice. 

This works on all ASA firewalls and also on the FirePower series, if you order the ASA image. With the FirePower you have to operating systems you can run, ASA or FTD. I haven't got experience with the newer FTD image (which offers newer features in regards to IDS/IPS than ASA), but the ASA image is vastly better (way more features) for VPN connections. So if you need stable VPN, get a FirePower with ASA image and the needed licenses.

Here a manual (with many of the restrictions of FTD) for VPN on FTD: https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

I can confirm that FirePower with FTD OS doe NOT support Azure MFA integration. FTD does not support SAML yet, which is required. However I have heard you can still integrate AzureMFA with FTD AnyConnect if you use an intermediate RADIUS server that support Azure integration. You have several options in the RADIUS space, such as Cisco ISE, Microsoft NPS. Just make sure what ever RADIUS you pick support Azure integration (SAML).

I have added Cisco ISE into the mix as well.

 

https://packetswitch.co.uk/cisco-anyconnect-with-azure-ad/

 

 

We currently have Windows NPS server assigning group policy through RADIUS, based on AD security group membership. We are testing Azure MFA with NPS extension installed on the NPS server. I wonder if the Azure AD SAML SSO setup can replaces the NPS server. Are we better off with the NPS server?

We also have DAP enforcing policies based on group-policy and hostscan posture assessment of the remote client. I hope this setup will continue working since this happens after the MFA authentication.

I will appreciate your reply.

For those who need it/asked about it, @lynne.meeks commented here with the solution to applying different group policies through LDAP Attribute Mapping after switching to SAML from LDAP:

https://community.cisco.com/t5/vpn/anyconnect-saml-and-attribute-mapping-is-this-possible/m-p/3925577/highlight/true#M152212

 

In short, in ASDM, in your Connection Profile, go to Authorization and select your LDAP Server Group. As long as your LDAP Server Group is set to use UPN as the Naming Attribute, then the LDAP Mapping will work as normal. The CLI instructions are also there. This is assuming that you previously used LDAP Attribute Mapping with LDAP Authentication with your AnyConnect Profile to assign different Group Policies, and switched it over to using SAML authentication with the instructions on this thread from the OP @Sloanstar 

Thank you for this great post!

 

Unfortunately it does not work for me. I have some issues:

 

1. User (Windows 10) connects via AnyConnect (Version 4.8) to Cisco ASA

2. Default browser opens and redirection to O365 portal page to login

3. User enters Username/Password and then MFA follows

4. The browser shows a page from AnyConnect Secure Mobility Client with message "You are disconnected. You may now close this browser tab"

5. Then the browser opens a new tab with the same page mentioned at 4 again and again in a loop until the user cancels the connection attempt.

 

 

 

 

 

 

On the Azure App the login protocols it shows successful authentication of the user. It seems that the browser does not forward the authentication result back to the Cisco ASA to progress the login attempt.

 

Anyone faced the same issue or have any clue?

Hi all,

Does anyone know if we can use one(1) Enterprise Application with multiple "Entity ID" & "Reply URL" pairs ?

For example, if we have the same remote-access tunnel group named "CompanyVPN" in three(3) different locations (USA/EU/APAC), can we have one(1) unified Enterprise Application in order to authenticate the users instead of three(3) individual Apps (one per location) ?

Something like:
https://<USA>.domain.com/saml/sp/metadata/CompanyVPN
https://<USA>.domain.com/+CSCOE+/saml/sp/acs?tgname=CompanyVPN 

https://<EU>.domain.com/saml/sp/metadata/CompanyVPN
https://<EU>.domain.com/+CSCOE+/saml/sp/acs?tgname=CompanyVPN

https://<APAC>.domain.com/saml/sp/metadata/CompanyVPN
https://<APAC>.domain.com/+CSCOE+/saml/sp/acs?tgname=CompanyVPN

I am concerned though by the "Default" option that is mandatory when adding "Entity ID" & "Reply URL" into the Enterprise Application.