
AnyConnect 4.7 Embedded Browser for SAML Uses IE

When using AnyConnect 4.7, the embedded browser uses IE when authenticating with SAML. This causes issues in that we get 500 errors with first login. In addition, when connected to DUO/MFA, IE won't render all of the HTML correctly and we can't enter the code when users select token as an option. Any ideas on how to use a different embedded browser?


Cristian Matei
VIP Alumni

Hi,

 

    Have you tried changing the "default browser" of the operating system?

 

Regards,

Cristian Matei.

The default browser is set to Chrome.

Hi,

 

   Are you using Windows 7 and IE 11 minimum? It seems it has to be IE on Windows devices.

 

Regards,

Cristian Matei.

It is a Windows 10 machine.

BusterDoney
Level 1

Same issues here. I haven't found a way to change the embedded browser of the AnyConnect client to something other than IE. You can lean on your account rep or Duo Success Team since Duo has been acquired by Cisco and can internally escalate a feature request.

 

The embedded IE browser is a poor choice to use by a company that specializes in security in my opinion. At least let us use a browser that supports FIDO2/webauthn for modern security and cert-based security keys.

 

-Buster

Mel Chandler
Level 1

Has this been fixed/updated in 4.10 client to use Edge, Chrome, Safari or Firefox?

Hi Mel,

AnyConnect 4.10.05095 now defaults to using WebView2 for the embedded browser assuming the runtime is installed on the PC.  Please see the release notes. 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html

AnyConnect 4.10.05095 New Features

This is a maintenance release that includes the following enhancements, and that resolves the defects described in AnyConnect 4.10.05095.

  • On Windows, the AnyConnect embedded browser now defaults to WebView2, as long as the WebView2 runtime is installed. If you need to revert back to the legacy embedded browser control, add DWORD registry value UseLegacyEmbeddedBrowser set to 1 to one of the following registry keys:

    • (64-bit machine) Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client

    • (32-bit machine) Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Cisco AnyConnect Secure Mobility Client

    • (32-bit or 64-bit machine) Computer\HKEY_CURRENT_USER\SOFTWARE\Cisco\Cisco AnyConnect Secure Mobility Client
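
For admins checking endpoints against the release-note text above, an added PowerShell example (not from the thread or from Cisco) that reports whether the WebView2 runtime is present and whether UseLegacyEmbeddedBrowser is set in any of the three listed keys. It assumes AnyConnect 4.10.05095 or later is installed; the WebView2 detection key and GUID are taken from Microsoft's WebView2 distribution documentation, not from this page.

```powershell
# Added example: audit which AnyConnect embedded browser a Windows endpoint will use.
# Registry paths and the value name come from the 4.10.05095 release notes quoted above.
$acKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client',
    'HKLM:\SOFTWARE\Cisco\Cisco AnyConnect Secure Mobility Client',
    'HKCU:\SOFTWARE\Cisco\Cisco AnyConnect Secure Mobility Client'
)

# Assumption (not from this thread): Microsoft's documented detection key for the
# Evergreen WebView2 Runtime; a 'pv' value other than 0.0.0.0 means it is installed.
$wv2Guid = '{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'
$wv2Keys = @(
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\$wv2Guid",
    "HKLM:\SOFTWARE\Microsoft\EdgeUpdate\Clients\$wv2Guid",
    "HKCU:\SOFTWARE\Microsoft\EdgeUpdate\Clients\$wv2Guid"
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# First usable WebView2 runtime version found, or $null if none is registered.
$wv2Version = $wv2Keys |
    ForEach-Object { Get-RegValue -Path $_ -Name 'pv' } |
    Where-Object { $_ -and $_ -ne '0.0.0.0' } |
    Select-Object -First 1

# Every key where the override value exists, with the value found there.
$overrides = foreach ($key in $acKeys) {
    $value = Get-RegValue -Path $key -Name 'UseLegacyEmbeddedBrowser'
    if ($null -ne $value) {
        [pscustomobject]@{ Key = $key; UseLegacyEmbeddedBrowser = $value }
    }
}
$legacyForced = @($overrides | Where-Object { $_.UseLegacyEmbeddedBrowser -eq 1 }).Count -gt 0

[pscustomobject]@{
    WebView2Runtime = if ($wv2Version) { $wv2Version } else { 'not installed' }
    LegacyOverride  = $legacyForced
    ExpectedBrowser = if ($wv2Version -and -not $legacyForced) { 'WebView2' }
                      else { 'legacy embedded browser control' }
}
$overrides | Format-Table -AutoSize
```

The HKEY_CURRENT_USER key is writable by the logged-in user, so a value of 1 found there on a managed endpoint is worth reporting alongside the machine-wide keys.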

Hi

 although it's an old topic, I would like to add the following:

1. from AnyConnect 4.6 to AnyConnect 4.10.03104 an enhanced version of SAML integration with an Embedded Browser has replaced the Native (External) Browser Integration from previous releases.
2. AnyConnect 4.10.04065 supports AnyConnect VPN SAML External Browser (as an optional add-on, via the External Browser Package external-sso-4.10.04065-webdeploy-k9.pkg)
3. since AnyConnect 4.10.04071 you don't need the External Browser Package
4. since AnyConnect 4.10.05095, on Windows, the AnyConnect Embedded Browser is Microsoft Edge WebView2
5. for SAML External Browser use, you MUST perform configuration using:
   • ASA 9.17.1+ (via CLI command external-browser enable in the config-tunnel-webvpn mode)
   • ASDM 7.17.1+
   • FDM 7.1+

Please take a look at the Post: SAML External Browser with ASA 9.14 and Anyconnect 4.10.

Hope this helps !!!
