Multiple Group Policies for Anyconnect VPN user via SAML
02-19-2025 07:14 AM
Hello,
Is it possible to apply multiple group policies to an AnyConnect user via a SAML group claim? We have a setup similar to this one: https://www.cisco.com/c/en/us/support/docs/security/secure-client-5/221173-configure-dynamic-group-policy-assignmen.html
but instead of Okta we are using Azure AD. I know that article says that this setup works only if a user is a member of only one group, but I would like to have users in multiple groups; thus they would get multiple group policies assigned.
Labels: AnyConnect, Remote Access, VPN
02-20-2025 12:09 AM
Your connection profile (aka tunnel-group) can use Azure AD (Entra ID) SAML-based authentication. Your authorization result can then dynamically reassign users to different group-policies depending on their group membership. If they belong to multiple groups, more than one of which is considered for assignment, then it is a bit tricky. The logic uses an alphabetic first match in that case.
02-20-2025 01:21 AM
Actually, if I have a user in multiple groups, the user is not able to connect to the VPN at all and gets this error: "Login denied, unauthorized connection mechanism, contact your administrator".
