Cisco Secure Client (AnyConnect) with SAML – Doesn’t Remember Server URL or Okta Credentials

Solved
Roey1984
Building a reputation


Hi all,

We're rolling out Cisco Secure Client (AnyConnect) with SAML (Okta) authentication for our users.

One of our users installed the Linux client (cisco-secure-client-linux64-5.1.8.122) on Ubuntu and successfully connected using the AnyConnect server URL.

The Okta SSO flow (email, password, 2FA) worked well on the first connection. However, on reconnect:

  • The server URL is not remembered — it has to be re-entered manually.
  • The Okta login window does not retain any credentials or session — users must re-authenticate from scratch every time.

I tested this on my Windows laptop as well and observed the same behavior — the client forgets the server URL after each session.

Questions:

  1. Is there a way to have the AnyConnect client remember the VPN server URL on both Linux and Windows?
  2. Can the Okta SAML session be cached (even partially) to avoid full re-authentication every time?

Would appreciate any insights or best practices from others who’ve encountered this.

Thanks!



10 Replies 10
Mloraditch
Kind of a big deal

I can't speak to Okta, but you can create a profile to save client settings like the URL:

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Client_deployment#AnyC...

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
KarstenI
Kind of a big deal

Did you upload a profile to the MX? If so, the client should present the Name of the connection to the user after the first connect when the profile is downloaded to the client.

Roey1984
Building a reputation

Thank you!

I installed the Client Profile Editor and configured the server URL; I'll upload it to the server as XML.

It will apply to all OSes, right? (Windows / Linux / macOS)

I guess we can't do a thing in terms of saving the Okta credentials?

Anything special you think I should edit here, or should I leave it at the default?


This is the AnyConnect conf in our MX:


Thank you so much.


KarstenI
Kind of a big deal

What should be modified from default depends on your requirements. The most relevant part is the "Server List," where you add your MX URL and a useful name.

And yes, this is for all desktop operating systems.

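For readers who want to see what the "Server List" part of the profile looks like once exported, here is an added example (my own, not from the thread or Meraki's documentation): a minimal Cisco Secure Client VPN profile whose ServerList pre-populates the server drop-down so users no longer type the URL. The display name and hostname are constructed placeholders; substitute your MX's AnyConnect FQDN.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (not from the thread). Only the ServerList is required
     for the client to remember the server; everything else in the Profile Editor
     can stay at its defaults. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <!-- Friendly name shown in the client's server drop-down (constructed placeholder) -->
      <HostName>Company VPN (MX)</HostName>
      <!-- The MX AnyConnect FQDN users currently type by hand (constructed placeholder);
           append :port only if the MX listens on something other than 443 -->
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The same profile file is valid for the Windows, macOS and Linux clients; upload it once to the MX and the client fetches it on the first successful connection.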
Roey1984
Building a reputation

Cool

Thank you, buddy!

PhilipDAth
Kind of a big deal

You can use my simple profile editor, and on that page it says where you have to save the profile on a Linux machine.

https://ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html


PhilipDAth
Kind of a big deal

> users must re-authenticate from scratch every time.


Open a support ticket and ask them to set "forceauthn" to false.


Roey1984
Building a reputation

Hey Philip,

Thanks for the link to the profile editor — super helpful!

Quick question though: I was under the impression that if I upload the profile to the Dashboard, it would automatically push it to the correct user directory. Is that not the case?

Also, regarding the re-authentication bit — yeah, it's a pain. But if we set "forceauthn" to false, wouldn't that skip the IDP (Okta in our case) login entirely? How would the user get authenticated then?

PhilipDAth
Kind of a big deal

Correct, it will push. Tip: upload it with no extension. The dashboard always adds a .xml extension, even if the extension is already .xml.


Forceauthn means it uses SSO. It will use whatever policy you have defined in Okta. If you say a login is required once per week, that is what will happen.

Roey1984
Building a reputation


Perfect!


Thank you for this, Philip! Appreciate your help with this.
