08-22-2021 06:15 PM - edited 08-22-2021 06:16 PM
We recently configured Azure AD MFA to work with Cisco AnyConnect, and users are redirected to SAML when they select the connection profile. Everything is working fine; users authenticate through the Microsoft portal.
The challenge is that any subsequent VPN connections automatically redirect to SAML and don't give the user a chance to choose any connection profile. Because of single sign-on the user is not prompted for any credentials; the VPN just connects.
How do I stop the auto-redirection to SAML on the Cisco AnyConnect client? I want the user to have the option to select the connection profile so that they can choose MFA or not. Or have the user get an option to sign out so that they are prompted for Azure credentials again?
08-22-2021 11:21 PM - edited 08-22-2021 11:22 PM
Thanks for the prompt response, I think I managed to establish the issue. In our setup we configured no force re-authentication, which means that SAML doesn't need the user to authenticate directly, but can rely on another single-sign-on device to auto-authenticate. Below is a much better explanation.
Use force re-authentication to cause the identity provider to authenticate directly rather than rely on a previous security context when a SAML authentication request occurs. This setting is the default; therefore, to disable, use no force re-authentication.
08-22-2021 11:01 PM
Hi @Tinei,
You need to have multiple tunnel-groups on your ASA/FTD. One/some of them will be with SAML as the authentication method, while others would have a plain AAA method. If you have SAML configured on all tunnel-groups, then it is up to the conditional access policies on the Azure side to determine whether they prompt the user for MFA or not, and how frequently.
From the client side, you should have multiple profiles mapping to different tunnel-groups, so the user can choose which profile he/she connects to. Once a profile is selected, the regular authentication process starts, depending on your ASA/FTD configuration.
BR,
Milos
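As an added illustration (not configuration posted by anyone in this thread), the following ASA fragment shows the two-tunnel-group layout Milos describes together with the force re-authentication setting from the accepted answer. The tunnel-group names (SAML-TG, AAA-TG), address pool, group policies, trustpoint names, AAA server group and the tenant placeholder are assumptions; the IdP URLs must be taken from the Azure AD enterprise application's SAML settings.

```text
! ---- SAML identity provider definition (Azure AD) ----
webvpn
 enable outside
 ! Show the group drop-down in AnyConnect so the user can pick a tunnel-group
 ! instead of being sent straight to whichever profile connected last.
 tunnel-group-list enable
 saml idp https://sts.windows.net/TENANT-ID-PLACEHOLDER/
  url sign-in https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  base-url https://vpn.example.com
  trustpoint idp AZURE-AD-IDP-CERT
  trustpoint sp ASA-SP-CERT
  ! Default setting: each SAML request asks the IdP to authenticate the user
  ! afresh rather than reuse an existing browser SSO session. The opposite,
  ! "no force re-authentication", is what let the VPN reconnect with no prompt.
  force re-authentication

! ---- Tunnel-group 1: SAML / Azure AD MFA ----
tunnel-group SAML-TG type remote-access
tunnel-group SAML-TG general-attributes
 address-pool VPN-POOL
 default-group-policy GP-SAML
tunnel-group SAML-TG webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID-PLACEHOLDER/
 ! Alias shown to the user in the AnyConnect group list
 group-alias "Corporate (Azure MFA)" enable

! ---- Tunnel-group 2: plain AAA (e.g. LDAP), no SAML redirect ----
tunnel-group AAA-TG type remote-access
tunnel-group AAA-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-SERVERS
 default-group-policy GP-AAA
tunnel-group AAA-TG webvpn-attributes
 authentication aaa
 group-alias "Corporate (Legacy)" enable
```

With this layout the client presents both aliases, and only connections to SAML-TG go through Azure AD. Whether that SAML leg re-prompts for credentials on every connection is controlled on two sides: on the ASA by force re-authentication (verify the effective setting with show webvpn saml idp), and on the Azure side by the conditional access sign-in frequency, as Milos notes. If the goal is that every VPN connection requires a fresh MFA, both must agree; a relaxed sign-in frequency in Azure can still satisfy a forced re-authentication request without a visible prompt for some session types, so test the behaviour end to end after changing either setting.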
06-13-2022 09:52 AM
Hello Tinei,
Does this mean that now users are going through credentials and MFA every time, even if a user connects to the VPN and reconnects to the VPN after one hour?