Cisco Meraki

AnyConnect VPN Onelogin SAML Configuration 

This document describes how to set up authentication with Onelogin using SAML for AnyConnect VPN on the MX Appliance. SAML is an XML-based framework for exchanging authentication and authorization data between security domains. It creates a circle of trust between the user, a Service Provider (SP), and an Identity Provider (IdP), which allows the user to sign in a single time for multiple services.

SAML authentication requires MX firmware version 16.13+ or 17.5+.

For additional information, refer to the AnyConnect configuration guide.

Do not use the predefined AnyConnect option in Onelogin for AnyConnect SAML configuration when setting up AnyConnect authentication with the MX Appliance. That option only works for the ASA/FTD platforms.

To set up AnyConnect authentication on the MX with Onelogin, follow the steps below: 

Step 1. Log on to Onelogin and click on 'Administration'

Step 2. Click on Applications → Applications

Step 3. Click on 'add app'

Step 4. In the search field, search for 'test connector', and choose 'SAML Test Connector (Advanced)' for SAML 2.0 (not 1.1)

Step 5. Create a SAML Test Connector (SP) or (Advanced) and fill out an appropriate name, e.g. Meraki AnyConnect VPN

Step 6. If my AnyConnect Server URL is "vtk-qpjgjhmpdh.dynamic-m.com", Onelogin should be configured as follows:

Audience (EntityID): https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/metadata/SAML

Recipient: https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/metadata/SAML

ACS (Consumer) URL Validator: https:\/\/vtk-qpjgjhmpdh\.dynamic-m\.com.*.

ACS (Consumer) URL: https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/acs

Step 7. Click on SSO (left pane), then More Actions (upper right) => SAML Metadata, and download the SAML metadata.

Step 8. Configure your AnyConnect Server on the Meraki Dashboard 

  • Set Authentication Type to SAML.

  • Configure your AnyConnect URL - https://vtk-qpjgjhmpdh.dynamic-m.com (add ":port" to the end of the URL if using a port other than the default port 443). Please ensure your AnyConnect URL starts with "https://".

  • Upload the SAML Metadata file downloaded in Step 7 above.

  • Save your configuration.

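The ACS (Consumer) URL Validator in Step 6 is a regular expression, so it is worth checking which ACS URLs it actually accepts. The following is an added example, not part of the Meraki or Onelogin documentation: it runs the pattern shown in Step 6 and a stricter, fully anchored pattern over a few constructed URLs. The strict pattern, the sample URLs (example.net is a placeholder) and the two matching modes are assumptions made for illustration.

```python
import re

# Validator as shown in Step 6. The final "." on the page is read here as
# sentence punctuation (an assumption); keeping it does not change the results.
PAGE_VALIDATOR = r"https:\/\/vtk-qpjgjhmpdh\.dynamic-m\.com.*"

# Tighter alternative (added here, not from the page): anchored at both ends
# and limited to the exact ACS URL configured in Step 6.
STRICT_VALIDATOR = r"^https:\/\/vtk-qpjgjhmpdh\.dynamic-m\.com\/saml\/sp\/acs$"

# Constructed sample ACS URLs.
SAMPLES = [
    "https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/acs",              # configured ACS URL
    "https://vtk-qpjgjhmpdh.dynamic-m.com.example.net/saml/sp/acs",  # host only shares a prefix
    "https://vtk-qpjgjhmpdh.dynamic-m.com/other/path",               # right host, other path
    "http://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/acs",               # wrong scheme
]


def accepted(pattern, url, full=True):
    """Return True if url passes the validator.

    full=True models whole-string matching, full=False models substring search.
    Which mode the IdP applies is an assumption, so both are modelled.
    """
    rx = re.compile(pattern)
    return bool(rx.fullmatch(url) if full else rx.search(url))


def audit(pattern):
    """Map each sample URL to (whole-string result, substring-search result)."""
    return {u: (accepted(pattern, u, True), accepted(pattern, u, False))
            for u in SAMPLES}


if __name__ == "__main__":
    for name, pat in (("page", PAGE_VALIDATOR), ("strict", STRICT_VALIDATOR)):
        print(name)
        for url, (full, search) in audit(pat).items():
            print(f"  full={full!s:5} search={search!s:5} {url}")
```

Because `.*` follows `com` directly, the Step 6 pattern accepts any URL that merely begins with the server's hostname, under either matching mode; the anchored pattern accepts only the configured ACS URL.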