How can I create a Dynamic Access Policy in FMC with SAML auth?

Vix-O-Ren
Level 1

I currently have an FTD managed by FMC and an RA-VPN that uses RADIUS for AAA. The RADIUS server (similar to Duo) connects to AD and queries for these users. We only use the DefaultWebVPN with a default Group Policy of No-Access, and within the Connection Profile we have the rest of the group policies. These group policies are assigned dynamically, that is, the group policy is assigned depending on the AD group to which the user belongs. Additionally, the user doesn't select a profile; they simply log in with their username, password, and 2FA. The policy selects itself.

My problem arises because now we want to migrate to SSO with SAML in Azure AD, and from what I've been investigating, the logic is completely different; it seems it can only be used for authentication. The other thing is that it doesn't allow me to prevent the user from having to select the profile. Beyond this, I've found very little documentation that would allow me to do this without affecting end users.

Is this possible with SAML? Do you have any documentation that allows configuring a RAVPN without the user selecting a profile and allowing dynamic assignments?

I found this documentation, but it doesn't fully cover what I was looking for:

Configure Dynamic Group Policy Assignment with SAML on Secure Firewall for Secure Client - Cisco

Configure SAML Auth for Multiple RAVPN Connection Profiles on FTD - Cisco

Any help is welcome.
