We currently use the AnyConnect LDAPS method, as using that in conjunction with internal LDAP servers is the only solution that allows us to dynamically assign a group-policy to AnyConnect users based on their group membership. What is the Duo solution to this once LDAPS is EOL? Is there a SAML2 method that will allow us to select a group-policy upon login?
I think, though, there is a wrinkle in that the current Duo SSO SAML application for ASA doesn't send group (memberOf) information today. The generic Duo SSO SAML application does support sending role attributes as a service provider attribute. So, you should be able to federate the ASA with Duo SSO using the generic SAML app to specify the group attribute to use for DAP.
Feel free to contact Duo Support for assistance with deploying that generic SAML app with the ASA.