Has anyone used AnyConnect SAML auth (on ASA) using Azure AD SSO as the IdP?
I have it configured and can log in OK, but it's prompting me for my credentials, where it should support Single Sign On since my PC is AAD joined...
Has anyone been able to make it work using SSO with either this or any other SAML IDP?
I'm using ASAv 18.104.22.168, and Anyconnect 4.6.02074, Windows 10.
I did wonder if it's related to the new embedded browser (since IE can authenticate via SSO without prompting for credentials to all other AAD-integrated apps OK). I tried the "saml external-browser" command under the tunnel-group config to switch it back, but there was no noticeable difference; it still appeared to be using the embedded browser.
Yes it’s working :)
It required this command to not prompt for auth and use SSO:
saml idp <uri>
no force re-authentication
The biggest frustration with this solution is there is apparently no way to have the ASA evaluate claims that are sent back and use them for Dynamic Access Policies. But if all users will get the same policy it seems to work great!
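For context, here is an added configuration sketch (it is not the poster's config and not a Cisco or Microsoft example) showing where `no force re-authentication` sits relative to the rest of the SAML setup on the ASA. The tenant ID, hostname `vpn.example.com`, trustpoint names `AzureAD-IdP-Cert` and `ASA-SP-Cert`, and the tunnel-group name `TG-SAML` are placeholders I chose; the `saml idp` value must match the Entity ID the IdP actually sends, which for Azure AD is the "Azure AD Identifier" of the enterprise app.

```cisco
! Added example, not the original poster's configuration.
! Placeholders: <tenant-id>, vpn.example.com, AzureAD-IdP-Cert, ASA-SP-Cert, TG-SAML.
webvpn
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  trustpoint idp AzureAD-IdP-Cert
  trustpoint sp ASA-SP-Cert
  ! "no signature" leaves AuthnRequests unsigned; switch to "signature" if the
  ! IdP is configured to require signed requests (assumption: the IdP does not).
  no signature
  ! The default, "force re-authentication", sets ForceAuthn="true" in the
  ! AuthnRequest, so the IdP ignores the device's existing session and prompts
  ! for credentials on every connect. Turning it off is what lets an AAD-joined
  ! PC reuse its existing sign-in.
  no force re-authentication
!
tunnel-group TG-SAML type remote-access
tunnel-group TG-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias AzureSSO enable
```

Two things to check after applying this. First, Cisco documents that edits under `saml idp` are only picked up by a tunnel-group after the `saml identity-provider` line is removed and re-added under that tunnel-group's `webvpn-attributes`, so re-enter it after changing the re-authentication setting. Second, with ForceAuthn off the ASA will accept whatever session the IdP already holds for that browser profile, so the strength of the VPN login is now exactly the strength of the IdP session; put MFA and any device or Conditional Access requirements on the enterprise app in Azure AD rather than relying on the VPN prompt to enforce them.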