02-19-2023 11:42 PM
Earlier this month Cisco Meraki released SAML authentication for Cisco Secure Client (formerly known as Cisco AnyConnect). You can find the respective documentation here; for now you need to ask Meraki support to enable the feature for you (just raise a simple ticket with them).
Note that your MX needs firmware version 16.3+ or 17.5+. In my case I configured this on the beta version 18.105.
On JumpCloud I used a "Custom SAML App"-Connector to get it configured.
As mentioned in Meraki's KB, the config naturally only supports SP-initiated logins, and therefore I unchecked the box to show the application in the User Portal:
Following the KB to set up SAML on the IdP side of things, you end up with the following entries for JumpCloud while configuring the Connector:
SP Entity ID: https://<YOUR_FQDN_HERE>/saml/sp/metadata/SAML
ACS URL: https://<YOUR_FQDN_HERE>/saml/sp/acs
Login URL: same as ACS URL
SAML Subject NameID Format: SAML 2.0 NameID Persistent
Declare Redirect Endpoint: checked (enabled)
Lastly, assign the User Groups that are entitled to use this VPN connection.
Now you can grab the JumpCloud metadata file and upload it to the Meraki admin dashboard.
Once done and saved, you're actually ready to fire up your Cisco Secure Client:
If you need guidance on how to deploy and configure the Cisco Secure Client (AnyConnect), please check out one of my previous posts: Deploy and manage Cisco AnyConnect clients on macOS
Note at the end: I haven't tested this with a Conditional Access Policy applied to this connector yet.
Thanks for reading as always.
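Before uploading the IdP metadata, it is worth checking that the values entered in the JumpCloud connector (SP Entity ID, ACS URL, NameID format) actually match what the MX publishes in its own SP metadata. The script below is an added example, not code from the post or from Meraki/JumpCloud; the metadata document it parses is a constructed sample of the shape of a standard SAML 2.0 SP metadata file, using a placeholder hostname, and the persistent NameID URN is assumed to be what JumpCloud's "SAML 2.0 NameID Persistent" option maps to.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace used by EntityDescriptor / SPSSODescriptor elements.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample SP metadata (placeholder FQDN vpn.example.com); the real
# document is served by the MX at https://<YOUR_FQDN_HERE>/saml/sp/metadata/SAML.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/saml/sp/metadata/SAML">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com/saml/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract entityID, accepted NameID formats and ACS endpoints from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "acs_urls": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def check_idp_config(sp_meta, idp_entity_id, idp_acs_url, idp_nameid_format=PERSISTENT):
    """Compare the values typed into the IdP connector against the SP metadata.

    Returns a list of mismatch descriptions; an empty list means they agree.
    """
    problems = []
    if sp_meta["entity_id"] != idp_entity_id:
        problems.append(f"SP Entity ID mismatch: SP says {sp_meta['entity_id']!r}")
    if idp_acs_url not in sp_meta["acs_urls"]:
        problems.append(f"ACS URL not published by SP: {idp_acs_url!r}")
    if not idp_acs_url.startswith("https://"):
        # Assertions are POSTed to the ACS; a non-TLS endpoint would expose them in transit.
        problems.append("ACS URL must use https")
    if idp_nameid_format not in sp_meta["name_id_formats"]:
        problems.append(f"NameID format {idp_nameid_format!r} not accepted by SP")
    return problems
```

Run it against the metadata fetched from your own MX and the three values you entered in JumpCloud; any returned string is a setting to correct before uploading the IdP metadata.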
02-20-2023 11:40 PM
Update: Tested Conditional Access Policies here as well.
Ideally you add the Cisco Secure Client to the Trusted Applications under Settings: