AnyConnect Per-App VPN and SSO support on iOS

hirtanak2
Level 1

Hi community members,

I have a couple of questions around AnyConnect and iOS.
I'll appreciate any advice.

Issue: The Per-App VPN app failed SSO login, while all apps in full VPN succeed with SSO. Something is different. I'd like to use Per-App VPN with SSO.

Environment: ASA 9.x and AnyConnect 4.0.0556, iOS 9.x and 10.x
Other environment: the policy is delivered by MS Intune

Technical Information includes my guess...
This app uses SAML 2.0, so the first access to this web app is redirected to ADFS. The Bundle ID (of this app) is configured. But the authentication packets are not clear for the Bundle ID, because the Kerberos packet is based on a basic iOS function.
I could not find any support information or a way to configure SSO and AnyConnect with Per-App VPN mode so far.

Here is my understanding step by step.
1. iOS has a per-app VPN function and an SSO function separately
   https://www.apple.com/uk/ipad/business/docs/iOS_Deployment_Tech_Ref_May14_UK.pdf

2. AnyConnect uses this scheme with Bundle ID

3. AnyConnect should care about SSO (in this case)
 • SAML 2.0 SSO support applies to Clientless VPN only. AnyConnect is not supported
   http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config.pdf

According to the above doc, AnyConnect does not support SSO.
However, I'm not sure whether this case fully matches the above case or not.

Questions:
1. Can I use Per-App VPN and SSO on iOS at the same time? If so, how do I do it?
2. Recently, many apps use SSO and federation in the enterprise. So the VPN device should work as an SSO proxy and the VPN client should clearly support VPN with SSO (for IP routing and VPN). But AnyConnect does not support this at this time. Is this correct, or is it a misunderstanding?
