Thursday, September 3, 2020

Cisco AnyConnect embedded browser + Azure SAML IDP

Hi folks,

Have any of you configured Cisco AnyConnect to work with Azure as an IDP? We have it working in production (our internal users love it) but when we create a domain account for contractors to complete some work on our network, they are getting Azure error AADSTS90072 because the AnyConnect embedded browser is automatically passing their company's credentials (not what we want). Screenshot edited below to remove sensitive data.

https://imgur.com/a/sD7SWU1

For example, once the contractor hits CONNECT in the AnyConnect app, JOHNSMITH@VENDOR.COM is automatically logged in instead of the account we want him to log in with, JSMITH.MYCOMPANY. The Cisco AnyConnect embedded browser gives us no way to log him out of JOHNSMITH@VENDOR.COM, and the Azure SAML page gives us no way to switch accounts.

Since I am god-awful at explanations, here is a link to someone else having pretty much the same issue, but with Pulse instead of Cisco AnyConnect:

https://community.pulsesecure.net/t5/Pulse-Connect-Secure/Pulse-Secure-uses-wrong-account-to-login-to-MicrosoftOnline/td-p/42217

I have tried clearing cache/cookies/browser settings on all browsers on the user's machine and the issue persists. It seems that the embedded AnyConnect browser operates on its own rules for some reason.

I reached out to Cisco TAC and they suggested the force re-authentication command on our Cisco ASA's SAML configuration, but that will require all our users to authenticate on every login attempt, not just the vendors. I asked if there was any way to get AnyConnect to open a default browser session rather than an embedded browser session, but that does not currently exist and would have to be an enhancement request.

Our sysadmin folks call it a limitation on the AnyConnect app, and Cisco TAC calls it a limitation on the Azure page. Truthfully, it seems to be a limitation on both, which leaves me stuck somewhere in the middle on this one.

How can I get this user, or any contractor who already has an O365 account with their own company, logged in?
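To make concrete what the "force re-authentication" suggestion from TAC actually changes on the wire, here is an added example (not from the original post, and not Cisco's or Microsoft's code) that builds a SAML 2.0 AuthnRequest the way a service provider such as the ASA sends it over the HTTP-Redirect binding, with and without the `ForceAuthn="true"` attribute, and decodes it back the way the IdP sees it. The VPN hostname, ACS path, tunnel-group name and Azure tenant ID are hypothetical placeholders.

```python
"""SAML 2.0 AuthnRequest over the HTTP-Redirect binding, as a service provider
such as the ASA sends it, with and without ForceAuthn.

Added example, not part of the original post or Cisco's code. Hostnames,
tenant ID and tunnel-group name below are hypothetical placeholders."""
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Hypothetical SP (ASA) and IdP (Azure AD) endpoints for illustration only.
SP_ENTITY_ID = "https://vpn.example.com/saml/sp/metadata/AzureAD-Tunnel"
ACS_URL = "https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=AzureAD-Tunnel"
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"


def build_authn_request(force_authn: bool, request_id: str = None,
                        issue_instant: str = None) -> str:
    """Return the AuthnRequest XML. ForceAuthn="true" tells the IdP to ignore any
    existing SSO session and prompt the user again; this is the per-request flag
    that the ASA's 'force re-authentication' setting turns on for every request
    it sends to that IdP."""
    attrs = {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.datetime.now(
            datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": ACS_URL,
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    root = ET.Element("{%s}AuthnRequest" % NS_SAMLP, attrs)
    ET.SubElement(root, "{%s}Issuer" % NS_SAML).text = SP_ENTITY_ID
    return ET.tostring(root, encoding="unicode")


def redirect_url(authn_request_xml: str, relay_state: str = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_url(url: str) -> ET.Element:
    """Reverse the binding: this is what the IdP (or a proxy in front of it) sees."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(deflated, -15))


def requests_fresh_login(url: str) -> bool:
    """True if the request carries ForceAuthn="true", i.e. the IdP must re-prompt
    even when the browser already holds a session for some account."""
    root = decode_redirect_url(url)
    if root.tag != "{%s}AuthnRequest" % NS_SAMLP:
        raise ValueError("not an AuthnRequest: %s" % root.tag)
    return root.get("ForceAuthn", "false").lower() == "true"


def issuer_of(url: str) -> str:
    """Entity ID of the SP that sent the request, as decoded from the URL."""
    return decode_redirect_url(url).findtext("{%s}Issuer" % NS_SAML)


if __name__ == "__main__":
    for flag in (False, True):
        url = redirect_url(build_authn_request(flag), relay_state="AzureAD-Tunnel")
        print("force_authn=%s -> ForceAuthn on the wire: %s" % (flag, requests_fresh_login(url)))
```

The point the example makes is that `ForceAuthn` is a property of each AuthnRequest the SP emits, and on the ASA the `force re-authentication` switch lives in the `saml idp` block, so it is applied to every request sent to that IdP rather than to a particular user or group. That is why the TAC suggestion re-prompts the whole user base. The flag only forces a fresh authentication at the IdP; it does not by itself change which account the embedded browser offers.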


