Cisco Meraki

AnyConnect Azure AD SAML Configuration

This document describes how to set up authentication with Azure AD using SAML for AnyConnect VPN on the MX appliance. SAML is an XML-based framework for exchanging authentication and authorization data between security domains. It creates a circle of trust between the user, a Service Provider (SP), and an Identity Provider (IdP), which allows the user to sign in once for multiple services. This feature can only be enabled by Meraki Support. Please contact Meraki Support to have this feature enabled.

SAML authentication requires MX firmware version 16.13+ or 17.5+

For additional information, refer to the AnyConnect configuration guide.

Add Cisco AnyConnect from the Microsoft App Gallery

Step 1. Log in to the Azure Portal and select Azure Active Directory.

Step 2. As shown in this image, select Enterprise Applications

Step 3. Now select New Application, as shown in this image.

Step 4. In the Add from the gallery section, type AnyConnect in the search box, select Cisco AnyConnect from the results panel, and then add the app. 

Step 5. Select the Single Sign-on menu item, as shown in this image. 

Step 6. Select SAML, as shown in the image.

Step 7. Edit Section 1 with these details.

If my AnyConnect Server URL is "vtk-qpjgjhmpdh.dynamic-m.com" (this URL is different for every network), the Entity ID and Reply URL will be configured as follows:

a. Identifier (Entity ID)  - https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/metadata/SAML 

b. Reply URL (Assertion Consumer Service URL) - https://vtk-qpjgjhmpdh.dynamic-m.com/saml/sp/acs

Step 8. In the SAML Signing Certificate section, Download the Federation Metadata XML file and save it on your computer. 

Step 9. Configure your AnyConnect Server on the Meraki Dashboard

  • Set Authentication Type to SAML

  • Configure your AnyConnect URL, for example https://vtk-qpjgjhmpdh.dynamic-m.com (this URL is different for every network).
    Add ":port" to the end of the URL if using a port other than the default port 443.
    Please ensure your AnyConnect URL starts with "https://".

  • Upload the Federation Metadata XML file downloaded in step 8 above

  • Save your configuration.
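Two of the steps above can be checked offline before anything is saved: Step 7 derives the Entity ID and Reply URL mechanically from the AnyConnect URL, and Step 9 uploads an IdP metadata file whose problems otherwise only show up when the first user tries to log in. The script below is added here as an example (standard library only, not Meraki or Microsoft code); the embedded metadata is a constructed sample in the shape of an Azure AD download, with an all-zero tenant GUID and a truncated certificate body as placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def sp_settings(anyconnect_url):
    """Derive the Step 7 Entity ID and Reply URL from the Step 9 AnyConnect URL;
    the dashboard requires https://, and a non-default ":port" stays in both URLs."""
    u = urlparse(anyconnect_url)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("AnyConnect URL must start with https://")
    base = "https://" + u.netloc
    return {"entity_id": base + "/saml/sp/metadata/SAML", "reply_url": base + "/saml/sp/acs"}

def check_idp_metadata(xml_text):
    """Sanity-check the Federation Metadata XML before uploading it in Step 9, so a
    wrong or mangled download is caught here rather than at the first VPN login."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not SAML 2.0 metadata, root element is " + root.tag)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = [s.get("Location", "") for s in idp.findall(MD + "SingleSignOnService")]
    if not sso or not all(url.startswith("https://") for url in sso):
        raise ValueError("SSO endpoints missing or not HTTPS: %r" % sso)
    certs = 0
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.iterfind(DS + "KeyInfo/" + DS + "X509Data/" + DS + "X509Certificate"):
                base64.b64decode("".join(c.text.split()), validate=True)  # raises if mangled
                certs += 1
    if not certs:
        raise ValueError("no signing certificate: nothing to verify assertion signatures with")
    return {"issuer": root.get("entityID"), "sso_urls": sso, "signing_certs": certs}

# Constructed sample shaped like an Azure AD download; tenant GUID and cert body are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBkTCB+wIJAKHHIgIIA0Vn</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run `check_idp_metadata` on the file you actually downloaded in Step 8; the returned issuer is the Azure AD tenant the MX will trust, which is worth confirming before the upload.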

Assign Azure AD User to the App

In this section, the test user Test1 is enabled for Azure single sign-on by granting it access to the Cisco AnyConnect app.

Step 1. In the app's overview page, select Users and groups and then Add user.

Step 2.  Select Users and groups in the Add Assignment dialog. 

Step 3.  In the Add Assignment dialog, click the Assign button.