AnyConnect, SAML and attribute mapping; is this possible?

lynne.meeks
Level 1

We have been using the AnyConnect client and LDAP attribute maps to place clients in specific VPN groups on our Cisco ASA. We also use Duo for MFA in AnyConnect connections. This works fine, but clients often find the AnyConnect interface to be somewhat confusing in conjunction with MFA.


We'd like to use SAML authentication for AnyConnect clients in order to give clients the same interface they are used to when accessing other services. We have gotten this to successfully work with AnyConnect after some trial and error; pretty slick.


However, the missing piece is the attribute mapping. It appears that attribute maps can only be assigned to AAA servers on the ASA, and I can find no way to map attributes to VPN groups when using SAML instead of AAA. The configuration guide states "This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."


Has anyone else run into this situation? Any suggestions?


thanks.

31 Replies

You need to assign the LDAP attribute map to the local LDAP server that you have configured:

aaa-server LDAP (Inside) host 111.222.222
...
ldap-attribute-map VPN_Group_Assignment

Then in the VPN tunnel-group config you set SAML as the authentication method and the LDAP server as the Authorization server:

tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group LDAP

tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication saml
saml identity-provider https://abc.def.com


Hope this helps. 

Lynne


Hello, Lynne. We are having this same issue and I cannot get the Group Policy to apply correctly when connecting to the VPN using SAML. We already have LDAP configured for users currently connecting to the VPN, and LDAP does apply the correct Group Policy when users connect in that fashion. But the SAML connection doesn't select a Group Policy; the default group policy gets applied to the user when connecting with SAML.

Here is the LDAP config:
...
ldap attribute-map SSLVPN
map-name memberOf Group-Policy
map-value memberOf "CN=SSLVPN,OU=Remote Access,OU=IT,OU=Groups,OU=*****,DC=*****,DC=net" SSLVPN
map-value memberOf "CN=SSLVPN-ATTONLY,OU=Remote Access,OU=IT,OU=Groups,OU=*****,DC=*****,DC=net" SSLVPN_ATT_ONLY_USERS
map-value memberOf "CN=SSLVPN-Remote-ATT,OU=Remote Access,OU=IT,OU=Groups,OU=*****,DC=*****,DC=net" SSLVPN_ATT
map-value memberOf "CN=SSLVPN-Remote-IT,OU=Remote Access,OU=IT,OU=Groups,OU=*****,DC=*****,DC=net" SSLVPN_IT_USERS
map-value memberOf "CN=SSLVPN-UPWORK1,OU=Remote Access,OU=IT,OU=Groups,OU=*****,DC=*****,DC=net" SSLVPN_IT_UpWork1
...

The tunnel-group config:
...
tunnel-group SAML_SSO type remote-access
tunnel-group SAML_SSO general-attributes
address-pool AnyConnect_SSLVPN
authorization-server-group *****.net
tunnel-group SAML_SSO webvpn-attributes
authentication saml
group-alias SAML_SSO enable
group-url https://*****.*****.com/SSO enable
saml identity-provider https://sts.windows.net/*****/

...

As I said, the users currently connect without SSO and are assigned a group policy from the LDAP attribute map, but the SAML connection only applies the default group policy with no access.

I have tried to remove and reapply the SAML identity-provider too.
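Lynne's answer above describes a chain of four pieces that all have to line up for a SAML-authenticated user to land in the right group-policy: `authentication saml` on the tunnel-group, an `authorization-server-group` pointing at an LDAP aaa-server group, an `ldap-attribute-map` applied to that group's host entry, and a map that turns `memberOf` values into `Group-Policy` names that actually exist. The follow-up post is a case where one of those links is missing and the default policy applies. The script below is an added example, not code from the thread or from Cisco: it parses ASA running-config text and reports which link is broken. The sample configs, names, addresses and DNs in it are constructed and made up.

```python
# Added example, not code from the thread: audit an ASA running-config for the chain
# authentication saml -> authorization-server-group -> ldap-attribute-map -> Group-Policy.
import re


def parse_asa_config(text):
    """Collect attribute maps, LDAP hosts, group-policies and tunnel-groups from ASA CLI text.
    ASA sub-commands are indented one space under their parent command."""
    cfg = {"maps": {}, "aaa": {}, "policies": set(), "tunnel_groups": {}}
    ctx = None  # (kind, dict) for the parent command currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if not raw.startswith(" "):  # top-level command
            ctx = None
            if t[:2] == ["ldap", "attribute-map"]:
                ctx = ("map", cfg["maps"].setdefault(t[2], {"map_name": {}, "map_value": {}}))
            elif t[0] == "aaa-server" and len(t) > 4 and t[3] == "host":  # aaa-server NAME (if) host ADDR
                ctx = ("host", {"addr": t[4], "attribute_map": None})
                cfg["aaa"].setdefault(t[1], []).append(ctx[1])
            elif t[0] == "group-policy":
                cfg["policies"].add(t[1])
            elif t[0] == "tunnel-group":
                ctx = ("tg", cfg["tunnel_groups"].setdefault(t[1], {"authentication": None, "authz_group": None}))
        elif ctx:
            kind, obj = ctx
            if kind == "map" and t[0] == "map-name":
                obj["map_name"][t[1]] = t[2]
            elif kind == "map" and t[0] == "map-value":
                # map-value ATTR "ldap value, may contain spaces" GROUP-POLICY-NAME
                if m := re.match(r'map-value\s+(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)$', line):
                    obj["map_value"].setdefault(m[1], {})[m[2] or m[3]] = m[4]
            elif kind == "host" and t[0] == "ldap-attribute-map":
                obj["attribute_map"] = t[1]
            elif kind == "tg" and t[0] == "authentication":
                obj["authentication"] = " ".join(t[1:])
            elif kind == "tg" and t[0] == "authorization-server-group":
                obj["authz_group"] = t[2] if t[1].startswith("(") else t[1]  # optional (iface)
    return cfg


def audit_saml_authorization(cfg):
    """One finding per break in the chain for each SAML tunnel-group; [] means the chain is complete."""
    findings = []
    for name, tg in cfg["tunnel_groups"].items():
        if tg["authentication"] != "saml":
            continue
        where = f"tunnel-group {name}: "
        group = tg["authz_group"]
        if not group:
            findings.append(where + "no authorization-server-group, so only the default group-policy can apply")
            continue
        if not cfg["aaa"].get(group):
            findings.append(where + f"authorization-server-group {group} has no aaa-server hosts")
            continue
        for host in cfg["aaa"][group]:
            here = where + f"aaa-server {group} host {host['addr']}: "
            amap = cfg["maps"].get(host["attribute_map"])
            if host["attribute_map"] is None:
                findings.append(here + "no ldap-attribute-map applied, so memberOf is never mapped")
            elif amap is None:
                findings.append(here + f"ldap-attribute-map {host['attribute_map']} is not defined")
            else:
                findings += [here + f for f in check_attribute_map(host["attribute_map"], amap, cfg["policies"])]
    return findings


def check_attribute_map(name, amap, policies):
    """Does the map produce a Group-Policy at all, and do its target policies exist?"""
    attrs = [a for a, cisco in amap["map_name"].items() if cisco == "Group-Policy"]
    if not attrs:
        return [f"map {name} maps no LDAP attribute to Group-Policy"]
    out = []
    for attr in attrs:
        values = amap["map_value"].get(attr, {})
        if not values:
            out.append(f"map {name}: no map-value for {attr}, so raw LDAP values become policy names")
        out += [f"map {name}: {attr} value {v!r} -> undefined group-policy {p}"
                for v, p in values.items() if p not in policies]
    return out


# Constructed sample modelled on the configs posted in the thread (made-up names and addresses).
WORKING_CONFIG = """\
ldap attribute-map VPN_Group_Assignment
 map-name memberOf Group-Policy
 map-value memberOf "CN=SSLVPN-Remote-IT,OU=Remote Access,DC=example,DC=net" SSLVPN_IT_USERS
 map-value memberOf "CN=SSLVPN,OU=Remote Access,DC=example,DC=net" SSLVPN
aaa-server LDAP protocol ldap
aaa-server LDAP (Inside) host 192.0.2.10
 ldap-naming-attribute sAMAccountName
 ldap-attribute-map VPN_Group_Assignment
group-policy SSLVPN internal
group-policy SSLVPN_IT_USERS internal
tunnel-group SAML_SSO general-attributes
 authorization-server-group LDAP
tunnel-group SAML_SSO webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/00000000-0000-0000-0000-000000000000/
"""
# The map is defined but never applied to the LDAP host: SAML users land in the default group-policy.
MAP_NOT_APPLIED = WORKING_CONFIG.replace(" ldap-attribute-map VPN_Group_Assignment\n", "")
# A map-value that points at a group-policy nobody created.
POLICY_MISSING = WORKING_CONFIG.replace("group-policy SSLVPN_IT_USERS internal\n", "")
```

Run `audit_saml_authorization(parse_asa_config(text))` on the output of `show running-config`; an empty list means every link is present. The script can only see the ASA side. What it cannot check is the value the IdP sends as the SAML NameID, which the ASA then uses as the username for the LDAP authorization lookup: if that search does not find the account (for example the IdP sends a UPN while the host searches on a different `ldap-naming-attribute`), no `memberOf` values come back and the default group-policy applies even when this chain is intact. `debug ldap 255` during a SAML login shows the search the ASA performs and the attributes it receives.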