SAML 2.0 with a native (external) browser is available in AnyConnect 4.4 and AnyConnect 4.5 and ASA release 9.7.x, 9.8.x, and 9.9.1. The new enhanced version with embedded browser requires you to upgrade to AnyConnect 4.6 and ASA 220.127.116.11 (or later), 18.104.22.168 (or later), or 22.214.171.124 (or later).
When upgrading or deploying the headend or client devices with the embedded browser SAML integration, take note of these scenarios:
If you deploy AnyConnect 4.6 first, both the native (external) browser and the embedded browser SAML integration function as expected without further action. AnyConnect 4.6 supports either an existing or updated ASA version, even when you deploy AnyConnect first.
If you deploy the updated ASA version (with the embedded browser SAML integration) first, you must in turn upgrade AnyConnect, because, by default, the updated ASA releases are not backward compatible with the native (external) browser SAML integration in releases prior to AnyConnect 4.6. The upgrade for any existing AnyConnect 4.4 or 4.5 clients occurs after authentication and requires you to enable the saml external-browser command in tunnel group configuration.
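The following is an added example, not Cisco's code: a pre-upgrade check that reads a saved ASA running-config and lists the SAML tunnel groups that do not yet have saml external-browser, the setting that AnyConnect 4.4 and 4.5 clients need against an updated ASA. The sample config is constructed, and the placement of the command under `tunnel-group <name> webvpn-attributes`, alongside `authentication saml` and `saml identity-provider`, is an assumption about the config layout.

```python
import re

# Constructed sample of a saved running-config; names and URLs are illustrative.
SAMPLE_CONFIG = """\
tunnel-group VPN-STAFF type remote-access
tunnel-group VPN-STAFF webvpn-attributes
 authentication saml
 group-alias staff enable
 saml identity-provider https://idp.example.com/metadata
!
tunnel-group VPN-LEGACY webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/metadata
 saml external-browser
tunnel-group VPN-AAA webvpn-attributes
 authentication aaa
"""

# Assumed block header for per-tunnel-group SAML settings.
HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+webvpn-attributes\s*$")


def saml_tunnel_groups(config):
    """Map each SAML tunnel group to True if it has 'saml external-browser'."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if not raw[0].isspace():
            # A non-indented line opens a new block and closes the previous one.
            match = HEADER.match(raw)
            current = match.group(1) if match else None
            if current:
                blocks.setdefault(current, set())
        elif current:
            blocks[current].add(" ".join(raw.split()))
    result = {}
    for name, lines in blocks.items():
        uses_saml = any(
            line.startswith("saml identity-provider")
            or (line.startswith("authentication ") and "saml" in line.split())
            for line in lines
        )
        if uses_saml:
            # Exact match, so a negated 'no saml external-browser' does not count.
            result[name] = "saml external-browser" in lines
    return result


def needs_external_browser(config):
    """Tunnel groups where 4.4/4.5 clients would fail SAML after the ASA upgrade."""
    return sorted(n for n, ok in saml_tunnel_groups(config).items() if not ok)
```

Groups returned by needs_external_browser are the ones to update before the ASA upgrade if AnyConnect 4.4 or 4.5 clients still connect to them.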