In addition to SBL not living up to expectations, the overall experience with Cisco AnyConnect SAML authentication is horrible due to AC 4.x using its own browser that doesn't keep cookies; therefore our AAD login always asks the user if they want to...
I just ran into this problem and was floored to think you would have to disable SBL. That might solve the problem, but the real solution is the option in the profile editor: uncheck "Suspend AnyConnect during Connected Standby". Problem solved.
I am in the exact same position: all VPN access hinges on Azure AD SAML authentication, and with our Active Directory there are frequent times our global users need to VPN in before login to resolve cached credential issues. It's not an option to NOT...