30764 Views | 20 Helpful | 29 Replies

AnyConnect, SAML and attribute mapping; is this possible?

lynne.meeks (Level 1)

We have been using the AnyConnect client and LDAP attribute maps to place clients in specific VPN groups on our Cisco ASA. We also use DUO for MFA in AnyConnect connections. This works fine, but clients often find the AnyConnect interface to be somewhat confusing in conjunction with MFA.

We'd like to use SAML authentication for AnyConnect clients in order to give clients the same interface they are used to when accessing other services. We have gotten this to successfully work with AnyConnect after some trial and error; pretty slick.

However, the missing piece is the attribute mapping. It appears that attribute maps can only be assigned to AAA servers on the ASA, and I can find no way to map attributes to VPN groups when using SAML instead of AAA. The configuration guide states "This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."

Has anyone else run into this situation? Any suggestions?

Thanks.

29 Replies

Rasmus,

Did you assign the attribute map to the AAA server?

aaa-server LDAP_Server (inside) host xxx.xxx.xxx.xxx
  ldap-attribute-map TEST-group-assign

Does group mapping work when you are not using SAML but using the LDAP server for authentication?

Lynne

 

Lynne

@lynne.meeks thanks for replying!

Yes, I have assigned the attribute map to the LDAP server used for authorization.

Great point about not using SAML; I just tried with RADIUS, and it is in fact the exact same issue.

I have created a Cisco TAC case to figure this out.

Just a follow-up on this, after having a TAC case with Cisco, as this might help others...

Turns out that the LDAP attribute map is case sensitive. My attribute map was as follows:

ldap attribute-map TEST-group-assign
  map-name memberof Group-Policy
  map-value memberof CN=VPN_Group,DC=domain,DC=local GPO-TEST

However, "memberof" has to be with a capital O, so "memberOf".

After making this minor change, everything started to work as anticipated.

Did you manage to get this working with more than one group profile? I seem to be able to correctly match a user, but only to the one profile I configured for the memberOf. I would need to have this matching ~10 groups though.

I assume I might be able to create 10 LDAP server groups, each with a different matching, but I hope there is a better (scaling) way to do this.

[edit]

It actually might just be a bad representation in ASDM. I'm currently testing with several attribute maps; it seems one server group can use several maps, although that's not really visible in ASDM.

Generally, if the LDAP mapping results in multiple values for an attribute, the final attribute value will be chosen as follows:

First, select the value(s) with the smallest number of characters.
If this results in more than one value, choose the value that is the lowest in alphabetical order.

Here are some use case examples:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc14

Thank you,

Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I would need the memberOf attribute to select different group profiles, depending on the LDAP value of the respective user.

I seem to only manage to do this for one memberOf value, because one attribute map doesn't allow several of those. And I can only have one map per LDAP server group, it seems.

What I try:

ldap attribute-map attrmap_users
  map-name memberOf Group-Policy
  map-value memberOf CN=group1,OU=groups,DC=domain,DC=ch ac_profile1
  map-name group2 Group-Policy
  map-value group2 CN=group2,OU=groups,DC=domain,DC=ch ac_profile2

But this will only match group1, not group2. And the map-name memberOf can only be used once in the same attribute-map.

 

I found a working solution.

Here are the details:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc9

One little detail: you always need to delete the map-name before you can adjust it, by adding it completely fresh (at least I didn't find another way; ASDM is doing it fine though).

It does have one big caveat: it works in alphabetical order.
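To make the two behaviours discussed in this thread concrete (the documented tie-break when a user's memberOf matches several map-value entries, and the case-sensitive map-name from the TAC case above), here is an added Python simulation. It is not part of the thread or of any Cisco code: it parses ASA-style "ldap attribute-map" lines into a small model, applies them to constructed directory data, and picks the winning Group-Policy by "shortest value first, then lowest alphabetical". Plain Python string ordering is assumed to stand in for the ASA's alphabetical comparison; the map text and user records below are constructed samples.

```python
import shlex
from dataclasses import dataclass, field


@dataclass
class LdapAttributeMap:
    """In-memory form of one ASA 'ldap attribute-map' block (constructed model)."""
    name: str
    names: dict = field(default_factory=dict)   # map-name:  ldap attr -> cisco attr
    values: dict = field(default_factory=dict)  # map-value: ldap attr -> {ldap value: cisco value}


def parse_attribute_map(text):
    """Parse ASA-style map-name / map-value lines. shlex keeps quoted DNs with spaces intact."""
    amap = None
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts:
            continue
        if parts[:2] == ["ldap", "attribute-map"]:
            amap = LdapAttributeMap(name=parts[2])
        elif parts[0] == "map-name" and amap is not None:
            amap.names[parts[1]] = parts[2]
        elif parts[0] == "map-value" and amap is not None:
            ldap_attr, ldap_value, cisco_value = parts[1], parts[2], parts[3]
            amap.values.setdefault(ldap_attr, {})[ldap_value] = cisco_value
    if amap is None:
        raise ValueError("no 'ldap attribute-map' line found")
    return amap


def resolve(user_attrs, amap):
    """Apply the map to a user's LDAP attributes.

    Attribute names are compared exactly, so a map-name of 'memberof' never matches a
    directory that returns 'memberOf' (the pitfall found via TAC). When several
    memberOf values map to a Group-Policy, the documented rule picks the shortest value,
    then the lowest in alphabetical order (assumed here to be plain string order).
    """
    result = {}
    for ldap_attr, cisco_attr in amap.names.items():
        raw = user_attrs.get(ldap_attr, [])          # exact-case lookup
        lookup = amap.values.get(ldap_attr, {})
        candidates = [lookup[v] for v in raw if v in lookup]
        if candidates:
            result[cisco_attr] = min(candidates, key=lambda v: (len(v), v))
    return result


def attribute_name_mismatches(map_text, user_attrs):
    """Names used in map-name that differ from the directory's attribute names only by case."""
    amap = parse_attribute_map(map_text)
    lowered = {k.lower() for k in user_attrs}
    return [a for a in amap.names if a not in user_attrs and a.lower() in lowered]


# Constructed sample map: one map-name, several map-value lines (the working pattern).
MAP_TEXT = """\
ldap attribute-map attrmap_users
  map-name memberOf Group-Policy
  map-value memberOf CN=VPN_Group,DC=domain,DC=local GPO-TEST
  map-value memberOf CN=group1,OU=groups,DC=domain,DC=ch ac_profile1
  map-value memberOf CN=group2,OU=groups,DC=domain,DC=ch ac_profile2
"""

# Constructed directory data: what AD would return for the multi-valued memberOf attribute.
USERS = {
    "alice": {"memberOf": ["CN=group1,OU=groups,DC=domain,DC=ch"]},
    "bob":   {"memberOf": ["CN=group2,OU=groups,DC=domain,DC=ch",
                           "CN=group1,OU=groups,DC=domain,DC=ch"]},
    "carol": {"memberOf": ["CN=group1,OU=groups,DC=domain,DC=ch",
                           "CN=VPN_Group,DC=domain,DC=local"]},
    "dave":  {"memberOf": ["CN=Staff,DC=domain,DC=local"]},   # no mapped group
}


def group_policy_for(user, map_text=MAP_TEXT):
    """Group-Policy the map would assign to the given constructed user, or None."""
    return resolve(USERS[user], parse_attribute_map(map_text)).get("Group-Policy")


if __name__ == "__main__":
    for user in USERS:
        print(f"{user:6} -> {group_policy_for(user)}")
    # Same map with the lowercase attribute name from the TAC case: nothing matches.
    broken = MAP_TEXT.replace("memberOf", "memberof")
    print("lowercase map-name matches for alice:", group_policy_for("alice", broken))
    print("case mismatches:", attribute_name_mismatches(broken, USERS["alice"]))
```

Running it shows why "it works in alphabetical order" matters: bob is in both group1 and group2, both policy names are the same length, so ac_profile1 wins; carol is in group1 and VPN_Group, and GPO-TEST wins simply because it is shorter. If the policy you want to take precedence has a longer or alphabetically later name, the ASA will not pick it, so policy names have to be chosen with this rule in mind.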

Did you run into any issues around AnyConnect SBL not working after switching to SAML?

@abulthuis wrote:

Did you run into any issues around AnyConnect SBL not working after switching to SAML?

Did you figure this out? I have a similar question and nobody is replying.

https://community.cisco.com/t5/vpn/anyconnect-sbl-combined-with-saml-user-authentication/m-p/4128838

 

We ended up creating a separate group for SBL as it doesn't get used much. There was an open bug on it, but I just got a notification the other day that it was closed with no planned fix.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm86891

Shakti Kumar (Cisco Employee)

This is currently an enhancement:

CSCvi62970

Please work with your account team to fix this.

Thanks

Shakti

It appears SAML attribute mapping was added on December 1, 2021 with 9.17.

Support for SAML Attributes with DAP constraint

Support has been added for SAML assertion attributes which can be used to make DAP policy selections. It also introduces the ability for a group-policy to be specified by the cisco_group_policy attribute.

Awesome, thanks for that information!


dvizzle (Level 1)

Could you please explain how to set up LDAP attribute mappings to work with SAML?

Even Cisco support just points me to this thread instead of actually having information on how to do it.

I am using SAML auth through Azure.
I have local LDAP configured.

I wish to map Active Directory group membership to ASA Group Policy.
I configured the LDAP Attribute map.

The part where you say "The key for us was to set the AAA server for the SAML profile to use authorization i/of authentication" is not clear.

Thanks

You need to assign the LDAP attribute map to the local LDAP server that you have configured:

aaa-server LDAP (Inside) host 111.222.222
...
  ldap-attribute-map VPN_Group_Assignment

Then in the VPN tunnel-group config you set SAML as the authentication method and the LDAP server as the authorization server:

tunnel-group DefaultWEBVPNGroup general-attributes
  authorization-server-group LDAP

tunnel-group DefaultWEBVPNGroup webvpn-attributes
  authentication saml
  saml identity-provider https://abc.def.com

Hope this helps.

Lynne

 
