
Secure Client VPN Always-On – Allow Hosts for SAML Authentication

cheng.cathy
Level 1

We’re using Azure SAML authentication with Cisco Secure Client, and are planning to enable Always-On VPN. Since the VPN client must reach Azure SAML endpoints to complete Single Sign-On, we need to add the relevant URLs to the Always-On allow host list.

So far, I’ve added login.microsoftonline.com and login.microsoft.com, but authentication is still failing. Has anyone successfully configured this? If so, could you please share the complete list of allow hosts you’re using? Thanks.

3 Replies

balaji.bandi
Hall of Fame

I have allowed the URLs below and it works:

*.microsoftonline.com
*.windows.net
*.msappproxy.net

you can find more information :

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-adfs-saml-based-sso

BB


cheng.cathy
Level 1

Thanks Balaji, I have added these domains but still get "failed to connect to single sso url".

Below is the script for the VPN Always-On connection; is there anything missing?


<AutomaticVPNPolicy>true
  <TrustedDNSDomains>XXXXXXX</TrustedDNSDomains>
  <TrustedNetworkPolicy>DoNothing</TrustedNetworkPolicy>
  <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
  <BypassConnectUponSessionTimeout>false</BypassConnectUponSessionTimeout>
  <AlwaysOn>true
    <ConnectFailurePolicy>Closed
      <AllowCaptivePortalRemediation>false
        <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
      </AllowCaptivePortalRemediation>
      <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
    </ConnectFailurePolicy>
    <AllowVPNDisconnect>true</AllowVPNDisconnect>
    <!-- hosts the client may reach while Always-On blocks all other non-tunnel traffic -->
    <AllowedHosts>*.microsoftonline.com,*.windows.net,*.windows.net</AllowedHosts>
    <SuppressConnectionRetries>false</SuppressConnectionRetries>
  </AlwaysOn>
</AutomaticVPNPolicy>
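As an added check (example code written for this page, not code from the thread, from Cisco or from Microsoft), the Python below pulls the AllowedHosts entries out of an Always-On profile and reports duplicate entries and any SSO hostname that no entry covers. It assumes glob-style matching, where `*` may span several DNS labels (an assumption about how Secure Client evaluates AllowedHosts; confirm against the admin guide for your release), uses a trimmed copy of the profile posted above, the three patterns from the earlier reply, and the two hostnames the original poster said they added.

```python
"""Check the Always-On <AllowedHosts> list of a Secure Client profile against the
hosts the SAML login flow must reach before the tunnel exists.

Added example, not from the thread or from Cisco. Assumptions: AllowedHosts entries
are matched glob-style (a '*' may cover dots); the profile snippet is trimmed from
the one posted above; the host list is the one the poster named.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed: trimmed copy of the posted Always-On profile (mixed-content XML,
# as the client's profile format uses it).
POSTED_PROFILE = """<AutomaticVPNPolicy>true
<TrustedDNSDomains>XXXXXXX</TrustedDNSDomains>
<AlwaysOn>true
<ConnectFailurePolicy>Closed
</ConnectFailurePolicy>
<AllowedHosts>*.microsoftonline.com,*.windows.net,*.windows.net</AllowedHosts>
</AlwaysOn>
</AutomaticVPNPolicy>"""

# The patterns recommended in the reply above.
REPLY_PATTERNS = ["*.microsoftonline.com", "*.windows.net", "*.msappproxy.net"]

# Hosts the original poster said the SSO flow needs.
SSO_HOSTS = ["login.microsoftonline.com", "login.microsoft.com"]


def parse_allowed_hosts(profile_xml):
    """Return the comma-separated AllowedHosts entries under AlwaysOn, stripped and lower-cased."""
    root = ET.fromstring(profile_xml)
    node = root.find(".//AlwaysOn/AllowedHosts")
    if node is None or not node.text:
        return []
    return [p.strip().lower() for p in node.text.split(",") if p.strip()]


def host_matches(host, pattern):
    """Assumed matching rule: case-insensitive glob where '*' may span labels."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def check_patterns(patterns, required_hosts):
    """Report duplicate entries and the required hosts that no pattern covers."""
    seen, duplicates = [], []
    for p in patterns:
        if p in seen:
            if p not in duplicates:
                duplicates.append(p)
        else:
            seen.append(p)
    covered = {h: [p for p in seen if host_matches(h, p)] for h in required_hosts}
    unmatched = [h for h in required_hosts if not covered[h]]
    return {"patterns": seen, "duplicates": duplicates,
            "covered": covered, "unmatched": unmatched}


def check_profile(profile_xml, required_hosts):
    """Convenience wrapper: parse the profile, then run check_patterns on it."""
    return check_patterns(parse_allowed_hosts(profile_xml), required_hosts)


if __name__ == "__main__":
    reports = (("posted profile", check_profile(POSTED_PROFILE, SSO_HOSTS)),
               ("reply's list", check_patterns(REPLY_PATTERNS, SSO_HOSTS)))
    for label, report in reports:
        print(f"{label}: patterns={report['patterns']}")
        print(f"  duplicates: {report['duplicates'] or 'none'}")
        for host, pats in report["covered"].items():
            state = "covered by " + ", ".join(pats) if pats else "NOT covered"
            print(f"  {host}: {state}")
```

Run as a script it shows two things a reader of the thread can verify by hand: the posted profile lists `*.windows.net` twice, and neither that profile nor the reply's three patterns cover `login.microsoft.com`, the second hostname the poster said they needed, because a `*.microsoftonline.com` wildcard only covers names under that suffix (it also does not cover the bare `microsoftonline.com`). The check only tells you about name coverage; whether a given hostname is actually required by the SAML flow is something to take from Microsoft's endpoint documentation.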