"Start VPN when Cisco Secure Client is started" and SAML

Jack G
Level 1

I configured RAVPN with SAML authentication. I'm using an external browser and Azure/Entra for the identity provider. From an Azure/Entra joined computer, I tried to use "Start VPN when Cisco Secure Client is started", but I'm being prompted for usernames and passwords as well as MFA. Is there a way to get the VPN to automatically connect when using SAML without the user having to enter a username, password, and MFA? Basically, I'm trying to get the VPN to connect once the user signs on to the machine.

2 Replies

Milos_Jovanovic
VIP Alumni

Hi @Jack G,

Yes, you can use the AnyConnect/Secure Client feature to automatically start the VPN connection. For that, you'll need to modify your VPN profile (AnyConnect XML file) and set the AutoConnectOnStart feature to true:

<AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>

This would auto-initiate your VPN connectivity. Regarding your other question about being prompted for credentials instead of SSO: assuming your VPN configuration is correct and you are indeed invoking SAML authentication from the ASA/FTD, whether SSO works or you are prompted for credentials is up to the Azure AD/Entra ID side and its Conditional Access policies. Conditional Access policy is what controls whether you are allowed to sign in or not, whether MFA is required or not, what the validity of the SSO is, and similar, so if you are prompted for credentials each time, you'll need to investigate the Azure AD/Entra ID logs to see what made it do so. But in general, yes, it is possible to do SSO without prompting the user for credentials + MFA each time; you just need to configure it that way.

Kind regards,

Milos
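
One way to do the log investigation suggested above, as an added example that is not part of the original reply: a Python triage over exported Entra ID sign-in records that shows which Conditional Access policies enforced a grant control for the VPN's SAML application. It assumes the export uses the Microsoft Graph signIn field names; the app name, policy names and users in the sample are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of Microsoft Graph signIn records.
# The app name, policy names and users are placeholders, not values from the thread.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "user1@example.com", "appDisplayName": "EXAMPLE-RAVPN-SAML",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "EXAMPLE: MFA for all cloud apps", "result": "success",
     "enforcedGrantControls": ["Mfa"]},
    {"displayName": "EXAMPLE: Block legacy auth", "result": "notApplied",
     "enforcedGrantControls": []}]},
 {"userPrincipalName": "user2@example.com", "appDisplayName": "EXAMPLE-RAVPN-SAML",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "EXAMPLE: MFA for all cloud apps", "result": "failure",
     "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "user3@example.com", "appDisplayName": "EXAMPLE-RAVPN-SAML",
  "authenticationRequirement": "singleFactorAuthentication",
  "appliedConditionalAccessPolicies": []},
 {"userPrincipalName": "user1@example.com", "appDisplayName": "Some Other App",
  "authenticationRequirement": "multiFactorAuthentication",
  "appliedConditionalAccessPolicies": [
    {"displayName": "EXAMPLE: MFA for all cloud apps", "result": "success",
     "enforcedGrantControls": ["Mfa"]}]}
]
""")

def policies_enforcing_controls(signins, app_name):
    """Per policy, count sign-ins to app_name where the policy applied
    (result success or failure) and enforced at least one grant control."""
    hits = Counter()
    for record in signins:
        if record.get("appDisplayName") != app_name:
            continue
        for policy in record.get("appliedConditionalAccessPolicies") or []:
            controls = policy.get("enforcedGrantControls") or []
            if policy.get("result") in ("success", "failure") and controls:
                hits[(policy.get("displayName"), tuple(controls))] += 1
    return hits

def mfa_required_ratio(signins, app_name):
    """Fraction of sign-ins to app_name that required multifactor authentication."""
    reqs = [r.get("authenticationRequirement") for r in signins
            if r.get("appDisplayName") == app_name]
    return reqs.count("multiFactorAuthentication") / len(reqs) if reqs else 0.0
```

A ratio near 1.0 together with a single policy dominating the count points at that policy's grant controls or sign-in frequency settings as the source of the repeated prompts.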

Jack G
Level 1

Thank you very much, I'll look into conditional access settings, etc.