Multiple Group Policies for Anyconnect VPN user via SAML

macejko8 · ‎02-19-2025

Hello,

Is it possible to apply multiple group policies to anyconnect user via SAML group claim? We have similar setup like this one:https://www.cisco.com/c/en/us/support/docs/security/secure-client-5/221173-configure-dynamic-group-policy-assignmen.html

but instead of Okta we are using Azure AD. I know that article is saying that this setup works only if a user is a member of only one group, but I would like to have users in multiple groups thus they would get multiple group policies assigned

Marvin Rhoads · ‎02-20-2025

Your connection profile (aka tunnel-group) can use Azure AD (Entra ID) SAML-based authentication. Your authorization result can then dynamically reassign users to different group-policies depending on their group membership. If they belong to multiple groups, multiple of which are considered for assignment then it is a bit tricky. The logic uses an alphabetic first match in that case.

macejko8 · ‎02-20-2025

Actually if I have a user in multiple groups, user is not able to connect to the VPN at all and getting this error: "Login denied, unauthorized connection mechanism, contact your administrator"

Multiple Group Policies for Anyconnect VPN user via SAML

Anyconnect VPN SAML SSO with Azure IdP, Multi-Tunnel Groups

SAML Certificate for SWG User Identity Expiring May 13, 2025

Updated SAML Certificate for SWG User Identity is Now Available

Cisco Secure Client (AKA AnyConnect) Group Policy-based Deployment

AnyConnect: Azure AD SAML SSO