464 Views · 0 Helpful · 1 Reply

AnyConnect Client cannot support multiple SAML Identity Providers

PeteL (Level 1)

I am using Cisco AnyConnect 4.10.0703, either desktop or mobile (Secure Client 5.0.02602 on iOS), against two separate Google GSuite Identity Providers on separate ASAs. One is for my work and the other for my home connection. Using GSuite I have set up SAML IdPs that are used against two separate GSuite tenancies for the two ASA connections, and I can log in fine using my Google Account against the two ASAs. I assume if I was using Entra AAD SAML federations I would have the same problem, but I haven't tested it. However, when I attempt to authenticate to the other endpoint, the AnyConnect client has cached the SAML credentials from the other provider locally and I get an "app_not_configured_for_user" error from Google.

[screenshot: PeteL_0-1698355881542.png]

On the Windows desktop I remove everything under "%APPDATA%\..\Local\Cisco\Cisco AnyConnect Secure Mobility Client\EBWebView"; for the iOS device I need to uninstall AnyConnect and reinstall it again from the App Store.

I found the folder in this community post https://community.cisco.com/t5/vpn/issues-with-embedded-anyconnect-web-bbrowser-and-webview2/td-p/4756802, as removing the "EBWebView" folder is only documented there on the community as a work-around.

After doing that I can authenticate to the other ASA using the correct credentials.

For Windows it isn't such a pain, as I rename the folder to be "EBWebView.Work" vs "EBWebView.Home". But that seems to be the only work-around.

Any suggestions on what can be done?
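One way to script the Windows rename work-around described in the post above, as an added example that is not part of the original thread and not Cisco's own tooling. It keeps one EBWebView folder per IdP (EBWebView.Work, EBWebView.Home) and swaps whichever one is active, so the embedded WebView2 browser only ever sees a single IdP's cached session. Assumptions not taken from the page: the AnyConnect GUI process is named vpnui and is checked so the folder is never moved while it is in use, and a small marker file (.ebwebview-profile) inside the active folder records which profile it holds.

```powershell
# Switch-EBWebViewProfile.ps1
# Added example, not from the original post or from Cisco. Swaps the
# EBWebView folder between per-IdP copies so only one SAML IdP's cached
# state is visible to the embedded browser at a time.
# Usage:  .\Switch-EBWebViewProfile.ps1 -Profile Home [-WhatIf]
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Work', 'Home')]
    [string]$Profile
)

# Path from the post: %APPDATA%\..\Local\Cisco\Cisco AnyConnect Secure Mobility Client\EBWebView
$base   = Join-Path $env:LOCALAPPDATA 'Cisco\Cisco AnyConnect Secure Mobility Client'
$active = Join-Path $base 'EBWebView'
$marker = '.ebwebview-profile'   # constructed marker file name (assumption)

# Refuse to touch the folder while the client may hold WebView2 files open.
# Process name "vpnui" is an assumption about the AnyConnect GUI.
if (Get-Process -Name 'vpnui' -ErrorAction SilentlyContinue) {
    throw 'Close Cisco AnyConnect (vpnui.exe) before switching profiles.'
}
if (-not (Test-Path $base)) {
    throw "AnyConnect profile directory not found: $base"
}

# Work out which IdP's state currently lives in EBWebView.
$current = $null
if (Test-Path $active) {
    $markerPath = Join-Path $active $marker
    if (Test-Path $markerPath) {
        $current = (Get-Content $markerPath -Raw).Trim()
    } else {
        # Unmanaged folder: the user decides once which IdP it belongs to.
        throw "EBWebView exists but has no $marker file; rename it to EBWebView.Work or EBWebView.Home by hand once."
    }
}

if ($current -eq $Profile) {
    Write-Host "Profile '$Profile' is already active."
    return
}

# Park the active folder under its profile name ...
if ($current) {
    $parked = Join-Path $base "EBWebView.$current"
    if (Test-Path $parked) { throw "Cannot park: $parked already exists." }
    if ($PSCmdlet.ShouldProcess($active, "Rename to EBWebView.$current")) {
        Rename-Item -Path $active -NewName "EBWebView.$current"
    }
}

# ... then bring the requested profile in.
$target = Join-Path $base "EBWebView.$Profile"
if (Test-Path $target) {
    if ($PSCmdlet.ShouldProcess($target, 'Rename to EBWebView')) {
        Rename-Item -Path $target -NewName 'EBWebView'
    }
} else {
    # First use of this profile: start with an empty folder so the embedded
    # browser has no cached session at all (same effect as deleting EBWebView).
    New-Item -ItemType Directory -Path $active | Out-Null
}
Set-Content -Path (Join-Path $active $marker) -Value $Profile
Write-Host "Active EBWebView profile is now '$Profile'."
```

Run it with -WhatIf first to see the renames it would perform. The marker file is the only state the script adds; deleting the whole EBWebView folder, as the post describes, still works and simply leaves the next run to create a fresh empty profile.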

1 Reply

JP Miranda Z (Cisco Employee)

Hi PeteL,

Can you confirm if you have Force Re-Authentication in the SAML IdP config under webvpn?

In theory from the AnyConnect perspective we should not be caching any information when using the embedded browser:

  • Since Cisco Secure Client with the embedded browser uses a new browser session on every VPN attempt, users must re-authenticate every time if the IdP uses HTTP session cookies to track logon state. In this case, the Force Re-Authentication setting in Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Sign On Servers has no effect on Cisco Secure Client initiated SAML authentication.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/b_AnyConnect_Administrator_Guide_4-4_chapter_01101.html

Hope this helps!

-JP-