We are configuring users to sign into AnyConnect using SAML SSO plus Duo MFA after logging into Windows.
I have heard that this SSO method doesn’t work with the SBL that users may need to use if they don’t have cached credentials.
What options are available for pre-login VPN access for these users?
Can SBL be set up with a different profile that only accesses the login servers and uses machine certificates as authentication, and then, after login, they disconnect and log in using their SAML SSO if they want to access additional internal resources?
Can Management VPN tunnel pre-logon be combined with SAML SSO after logging into their Windows profile?
Is there a better option?