Roman Samoylov
Beginner

AnyConnect SAML and multiple group-policies

Is there a way to provide users with different GPs based on their Azure AD group membership while using SAML?

Most popular SAML guides are about providing only the default group-policy to the tunnel-group.

1 ACCEPTED SOLUTION

Accepted Solutions
Josue Brenes
Cisco Employee

Yes, you can use an external AAA server with a protocol such as RADIUS or LDAP to perform the authorization part.

This authorization server can send a specific group-policy for the connection.

For example, if using RADIUS, the server can send attribute 25, which is for the group-policy assignment.

If LDAP, LDAP attribute mapping can be used; link for the config:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Then, you would configure the AAA server under the SAML tunnel-group with the command: "authorization-server-group".

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.
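
A configuration sketch of the approach in the answer above, added here as an example and not taken from the original post or from Cisco's guide. All names, addresses, DNs and secrets are placeholders, and it assumes the username the ASA takes from the SAML assertion matches an account the authorization server can look up. The default group-policy denies access, so a user with no mapping does not fall through to a usable policy.

```cisco
! Constructed example: every name, address and DN below is a placeholder.
! Fallback policy for users whose authorization returns no mapping: deny.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy GP_ENGINEERING internal
group-policy GP_ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
!
! Option A: RADIUS authorization. The RADIUS server returns IETF
! attribute 25 (Class) carrying the policy name, e.g. OU=GP_ENGINEERING;
aaa-server AUTHZ_RADIUS protocol radius
aaa-server AUTHZ_RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! Option B: LDAP authorization with an attribute map from memberOf.
ldap attribute-map MAP_GROUP_TO_GP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Engineering,OU=Groups,DC=example,DC=com" GP_ENGINEERING
aaa-server AUTHZ_LDAP protocol ldap
aaa-server AUTHZ_LDAP (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ! Assumption: the SAML username is the user's UPN.
 ldap-naming-attribute userPrincipalName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map MAP_GROUP_TO_GP
!
! SAML tunnel-group: SAML authenticates, the AAA server authorizes.
! Point authorization-server-group at AUTHZ_RADIUS or AUTHZ_LDAP.
tunnel-group TG_SAML type remote-access
tunnel-group TG_SAML general-attributes
 default-group-policy GP_NOACCESS
 authorization-server-group AUTHZ_RADIUS
tunnel-group TG_SAML webvpn-attributes
 authentication saml
 saml identity-provider <idp-entity-id>
```

After a test login, `show vpn-sessiondb detail anyconnect` shows which group-policy the session actually received.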


2 REPLIES 2
You knew it! Seems to be working OK, thank you!

 

BTW is there a way to evade 'Cisco AnyConnect Login, Pick an account' window after you've successfully authorized once? Could be good to have one single click to start and complete the connection.