06-05-2019 08:37 AM
We have been using the AnyConnect client and LDAP attribute maps to place clients in specific VPN groups on our Cisco ASA. We also use DUO for MFA in AnyConnect connections. This works fine, but clients often find the AnyConnect interface to be somewhat confusing in conjunction with MFA.
We'd like to use SAML authentication for AnyConnect clients in order to give clients the same interface they are used to when accessing other services. We have gotten this to successfully work with Anyconnect after some trial and error; pretty slick.
However, the missing piece is the attribute mapping. It appears that attribute maps can only be assigned to AAA servers on the ASA, and I can find no way to map attributes to VPN groups when using SAML instead of AAA. The configuration guide states "This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."
Has anyone else run into this situation? Any suggestions?
thanks.
01-15-2021 05:41 AM
Rasmus,
Did you assign the attribute map to the AAA server?
aaa-server LDAP_Server (inside) host xxx.xxx.xxx.xxx
ldap-attribute-map TEST-group-assign
Does group mapping work when you are not using SAML but using the LDAP server for authentication?
Lynne
01-18-2021 02:17 AM
@lynne.meeks thanks for replying!
Yes, I have assigned the attribute map to the LDAP server used for authorization.
Great point about not using SAML. I just tried with RADIUS, and it is in fact the exact same issue.
I have created a Cisco TAC case to figure this out.
01-19-2021 10:14 AM
Just a follow up on this, after having TAC case with Cisco, as this might help others...
Turns out that LDAP attribute map is case sensitive. My attribute was as follows:
ldap attribute-map TEST-group-assign
map-name memberof Group-Policy
map-value memberof CN=VPN_Group,DC=domain,DC=local GPO-TEST
However, "memberof" has to be with a capital O, so "memberOf".
After making this minor change, everything started to work as anticipated.
02-10-2021 01:50 AM - edited 02-10-2021 01:55 AM
Did you manage to get this working with more than one group profile? I seem to be able to correctly match a user, but only to the one profile I configured for the memberOf. I would need to have this matching ~10 groups though.
I assume I might be able to create 10 ldap server groups, each with a different matching, but I hope there is a better (scaling) way to do this.
[edit]
It actually might just be a bad representation in ASDM. I'm currently testing with several attribute maps; it seems one server group can use several maps, although that's not really visible in ASDM.
02-10-2021 02:12 AM
Generally, if the LDAP mapping results in multiple values for an attribute, the final attribute value will be chosen as follows:
First, select the value(s) with the smallest number of characters.
If this results in more than one value, choose the value that is the lowest in alphabetical order.
Here are some use case examples
Thank you,
Dinesh Moudgil
P.S. Please rate helpful posts.
02-10-2021 03:54 AM
I would need the memberOf attribute to select different group profiles, depending on the LDAP value of the respective user.
I seem to only manage to do this for one memberOf value, because one attribute map doesn't allow several of those. And I can only have one map per LDAP server group, it seems.
What I try:
ldap attribute-map attrmap_users
map-name memberOf Group-Policy
map-value memberOf CN=group1,OU=groups,DC=domain,DC=ch ac_profile1
map-name group2 Group-Policy
map-value group2 CN=group2,OU=groups,DC=domain,DC=ch ac_profile2
But this will only match the group1, not the group2. And the map-name memberOf can only be used once in the same attribute-map.
02-10-2021 04:40 AM
I found a working solution.
Here the details:
One little detail: you always need to delete the map-name before you can adjust it, by adding it completely fresh (at least I didn't find another way; ASDM does it fine though).
It does have one big caveat: it works in alphabetical order.
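To make the selection rule from Dinesh's post and the "one memberOf, many groups" question above concrete, here is a small model of how one ldap attribute-map resolves a user's memberOf values to a single Group-Policy. This is an added example, not Cisco code; the map, the group DNs and the user entries are constructed, and it assumes only values with a map-value line take part in the selection.

```python
"""Model of how an ASA 'ldap attribute-map' turns a user's memberOf values
into one Group-Policy, using the selection rule quoted in this thread
(shortest mapped value wins, ties broken alphabetically). Added example,
not Cisco code; the map and the user entries are constructed."""
from dataclasses import dataclass, field


@dataclass
class AttributeMap:
    name: str
    map_names: dict = field(default_factory=dict)   # map-name  ldap-attr -> cisco-attr
    map_values: dict = field(default_factory=dict)  # map-value (ldap-attr, ldap-value) -> cisco-value

    def map_name(self, ldap_attr, cisco_attr):
        self.map_names[ldap_attr] = cisco_attr

    def map_value(self, ldap_attr, ldap_value, cisco_value):
        self.map_values[(ldap_attr, ldap_value)] = cisco_value


def resolve(attr_map, ldap_entry):
    """Return {cisco_attr: chosen value} for a user's LDAP entry.

    Attribute names match case-sensitively, so a map written as 'memberof'
    never fires against a directory returning 'memberOf' (the pitfall above).
    Assumption: only values with a map-value line count; unmapped DNs are ignored.
    """
    candidates = {}
    for ldap_attr, values in ldap_entry.items():
        cisco_attr = attr_map.map_names.get(ldap_attr)   # case-sensitive lookup
        if cisco_attr is None:
            continue
        for value in values:
            mapped = attr_map.map_values.get((ldap_attr, value))
            if mapped is not None:
                candidates.setdefault(cisco_attr, []).append(mapped)
    chosen = {}
    for cisco_attr, mapped in candidates.items():
        shortest = min(len(v) for v in mapped)             # rule 1: fewest characters
        chosen[cisco_attr] = min(v for v in mapped if len(v) == shortest)  # rule 2: alphabetical
    return chosen


def build_example_map(ldap_attr="memberOf"):
    """Three groups on one map-name; pass 'memberof' to reproduce the typo."""
    m = AttributeMap("attrmap_users")
    m.map_name(ldap_attr, "Group-Policy")
    m.map_value(ldap_attr, "CN=group1,OU=groups,DC=domain,DC=ch", "ac_profile1")
    m.map_value(ldap_attr, "CN=group2,OU=groups,DC=domain,DC=ch", "ac_profile2")
    m.map_value(ldap_attr, "CN=group3,OU=groups,DC=domain,DC=ch", "gp3")
    return m
```

A user in both group1 and group2 lands in ac_profile1 purely because it sorts first, which is the alphabetical-order caveat noted above; naming policies so that the intended winner is shortest or sorts first is the lever you have.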
01-20-2020 10:57 AM
Did you run into any issues around AnyConnect SBL not working after switching to SAML?
08-08-2020 12:35 PM
@abulthuis wrote: Did you run into any issues around AnyConnect SBL not working after switching to SAML?
Did you figure this out? I have a similar question and nobody is replying.
https://community.cisco.com/t5/vpn/anyconnect-sbl-combined-with-saml-user-authentication/m-p/4128838
08-10-2020 09:20 AM
We ended up creating a separate group for SBL as it doesn't get used much. There was an open bug on it, but I just got a notification the other day that it was closed with no planned fix.
06-18-2019 11:52 AM
This is currently an enhancement: CSCvi62970
Please work with your account team to fix this.
Thanks
Shakti
01-23-2022 10:41 AM
It appears SAML Attribute mapping was added on December 1, 2021 with 9.17.
Support for SAML Attributes with DAP constraint: Support has been added for SAML assertion attributes which can be used to make DAP policy selections. It also introduces the ability for a group-policy to be specified by the cisco_group_policy attribute.
03-29-2024 08:12 AM
Could you please explain how to set up LDAP attribute mappings to work with SAML?
Even Cisco support just points me to this thread instead of actually having information on how to do it.
I am using SAML auth through Azure.
I have local LDAP configured.
I wish to map Active Directory group membership to ASA Group Policy.
I configured the LDAP Attribute map.
The part where you say "The key for us was to set the AAA server for the SAML profile to use authorization i/of authentication" is not clear.
Thanks
04-01-2024 06:42 AM
You need to assign the LDAP attribute map to the local LDAP server that you have configured:
aaa-server LDAP (Inside) host 111.222.222
...
ldap-attribute-map VPN_Group_Assignment
Then in the VPN tunnel-group config you set SAML as the authentication method and the LDAP server as the Authorization server:
tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group LDAP
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication saml
saml identity-provider https://abc.def.com
Hope this helps.
Lynne