08-21-2023 01:38 PM
I configured RAVPN with SAML authentication. I'm using the external browser and Azure/Entra as the identity provider. From an Azure/Entra-joined computer, I tried to use "Start VPN when Cisco Secure Client is started", but I'm being prompted for a username and password as well as MFA. Is there a way to get the VPN to automatically connect when using SAML without the user having to enter a username, password and MFA? Basically, I'm trying to get the VPN to connect once the user signs on to the machine.
08-23-2023 12:57 AM
Hi @Jack G,
Yes, you can use the AnyConnect/Secure Client feature to automatically start the VPN connection. For that, you'll need to modify your VPN profile (the AnyConnect XML file) and set the AutoConnectOnStart feature to true:
<AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
This would auto-initiate your VPN connectivity. Regarding your other question about being prompted for credentials instead of SSO: assuming your VPN configuration is correct and you are indeed invoking SAML authentication from the ASA/FTD, whether SSO will work or whether it will prompt you for credentials is up to the Azure AD/Entra ID side and its Conditional Access policies. A Conditional Access policy is what controls whether you are allowed to sign in or not, whether MFA is required or not, the validity of the SSO session, and similar, so if you are prompted for credentials each time, you'll need to investigate the Azure AD/Entra ID logs to see what made it do so. But, in general, yes, it is possible to do SSO without prompting the user for credentials + MFA each time; you just need to configure it that way.
Kind regards,
Milos
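For readers who want to see where the AutoConnectOnStart element from the reply above sits in a complete client profile, here is a minimal AnyConnect/Secure Client VPN profile as an added example. It is not from the original post or from Cisco's documentation; the hostname vpn.example.com, the profile name and the other element values are assumptions chosen for illustration, and only the AutoConnectOnStart line is the setting the reply is talking about.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile, not from the original thread. Hostname and values are illustrative. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- SBL is a separate mechanism (pre-logon tunnel); left off here because
         the question is about connecting after the user has signed in to Windows. -->
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>

    <!-- The setting discussed in the reply: the client initiates the VPN
         session as soon as the GUI starts. UserControllable="true" lets the
         user toggle it in Preferences; set it to "false" to pin the value. -->
    <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>

    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <!-- Assumed headend; replace with the FQDN of your ASA/FTD. -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two points worth checking before deciding this did not work: AutoConnectOnStart only starts the connection attempt, it does not bypass authentication, so whether the user still sees a username/password/MFA prompt is decided, as the reply says, by the identity provider. With the external-browser SAML option, that prompt is rendered by the system default browser, so the browser's existing Entra ID session (or lack of one) on the joined device is what determines whether sign-in is silent. Also confirm the profile actually in use on the client is the one you edited; the headend pushes its copy of the profile to the client on each connection and will overwrite a locally edited file.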
08-25-2023 07:59 AM
Thank you very much, I'll look into conditional access settings, etc.