Meraki

Community

AntConnect + SAML + per-user group policy

PhilipDAth
Kind of a big deal
Kind of a big deal
3 weeks ago
3 weeks ago

AntConnect + SAML + per-user group policy

This question keeps coming up.  Could we get a documentation to describe how to enable per-user group policy assignment when using SAML please.

 

Here is an old thread describing one of the ways (no email required these days).

https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/245425/h...

 

4 Replies 4
Scratcher9
Comes here often
Tuesday
Tuesday

I tried enabling this a few years back.  It worked, but there was a bug in the code which I have not seen as fixed in release notes.  Essentially on a VPN connection, this config would only see or honour the default GP.  If you had other GP's configured, they wouldn't apply.  My scenario is all default VPN users get one policy, that's all we need which limits access to a VLAN and RDP. The next group policy is admins who should have all access.  This didn't work, admins would only get the default GP.   I hope this is fixed as I would like to MFA VPN ASAP. 

0 Kudos
In response to Scratcher9
PhilipDAth
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

I use this feature at several clients, and have for a good 2 years.

 

It 100% works.

0 Kudos
In response to Scratcher9
PhilipDAth
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

My guess - the Entra side is not configured correctly to pass the Meraki group policy to apply.  An example is here:

https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-SAML-Group-Policy-assignment/m-p/245513/h...

 

0 Kudos
In response to PhilipDAth
Scratcher9
Comes here often
Wednesday
Wednesday

Perhaps, although a ticket was opened and the tech indicated that he felt this was a known bug in the code per some internal knowledge base.  I don't recall doing the mapping, perhaps that was the missing piece in the end and they incorrect. This is what was used

AnyConnect Azure AD SAML Configuration - Cisco Meraki Documentation

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.