Summary: Cisco AnyConnect on FTD 7.x can authenticate VPN users against Entra ID using SAML 2.0. The FTD acts as the SAML Service Provider; Entra ID acts as the Identity Provider. Group membership claims in the SAML assertion drive Group Policy assignment, controlling split tunnelling and access.
```text
AnyConnect → FTD (SP) → HTTP Redirect → Entra ID (IdP)
                                              ↓
                                 User authenticates (+ MFA)
                                              ↓
AnyConnect ← FTD ← SAML Assertion (via ACS) ← Entra ID
      ↓
Extract claims, map Group Policy
      ↓
VPN session established
```
| Component | URL Format |
|---|---|
| SP Entity ID | https://<FTD-FQDN> |
| ACS URL | https://<FTD-FQDN>/+CSCOE+/saml/sp/acs?tgname=<tunnel-group> |
| SLO URL (optional) | https://<FTD-FQDN>/+CSCOE+/saml/sp/logout |
⚠️ ACS URL per Tunnel Group
The ACS URL is tunnel-group-specific: it carries `?tgname=<tunnel-group-name>`, and the FTD uses that parameter to decide which Connection Profile processes the assertion. If you have multiple Connection Profiles with SAML auth, each needs its own Entra ID Enterprise Application with the correct ACS URL; an assertion posted to an ACS URL whose tgname does not match an existing Connection Profile is rejected.
In Entra ID, go to Enterprise Applications → New application → Create your own application, give it a name (e.g., Cisco AnyConnect VPN) and select Integrate any other application you don't find in the gallery. Then open Single sign-on → SAML and edit Basic SAML Configuration:

| Field | Value |
|---|---|
| Identifier (Entity ID) | https://<FTD-FQDN> |
| Reply URL (ACS) | https://<FTD-FQDN>/+CSCOE+/saml/sp/acs?tgname=<tunnel-group> |
| Sign on URL | (leave blank) |
| Relay State | (leave blank) |
| Logout URL | https://<FTD-FQDN>/+CSCOE+/saml/sp/logout (optional) |
Under Attributes & Claims, add a group claim with Group ID as the source attribute, so the assertion carries Entra ID group Object IDs under the claim name:

`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`

Prefer Groups assigned to the application over all security groups: a SAML token lists at most 150 groups, and a user in more groups than that receives a group-overage claim instead of the list, so DAP matching silently fails for that user.

Download the Certificate (Base64) from the SAML Signing Certificate section. FMC needs it to validate the signature on incoming assertions.
Note the Login URL and Entra ID Identifier (issuer) from the SAML configuration summary pane.
Under Users and Groups, assign the Entra ID groups that should have VPN access. With Assignment required set to Yes under Properties (the default for a new Enterprise Application), only assigned users/groups can authenticate against this application; this is your first access gate, before any DAP evaluation on the FTD.
Objects → Identity Sources → Add → SAML Server
| Field | Value |
|---|---|
| Name | Descriptive name, e.g., EntraID-AnyConnect |
| Identity Provider Entity ID | Entra ID Identifier (Issuer) from the SAML setup pane |
| SSO URL | Login URL from the SAML setup pane |
| Logout URL | Logout URL (optional) |
| IdP Certificate | Upload the Base64 certificate downloaded from Entra ID |
| SP Entity ID | https://<FTD-FQDN> |
| Request Timeout | 300 seconds (default) |
Leave Sign Authentication Request disabled unless Entra ID is configured to require signed requests (which requires uploading the FTD SP signing certificate to Entra ID).

Entra ID SAML signing certificates have a finite lifetime (three years by default). When the certificate is rotated in Entra ID, upload the new one to this object before the old one expires, or every SAML login fails with a signature validation error.
Create one Group Policy per user group. This is where split tunnelling is configured.
Devices → VPN → Group Policies → Add Group Policy
For each group policy, configure the Split Tunneling tab:
| Option | Use Case |
|---|---|
| Tunnel All Networks | All traffic goes through VPN (full tunnel) |
| Tunnel Networks Specified Below | Only listed networks go through VPN (split tunnel include) |
| Exclude Networks Listed Below | All traffic tunnelled except listed networks (split tunnel exclude) |
Example split tunnel include configuration (Devices → VPN → Group Policy → Split Tunneling):

```text
Split Tunneling Policy     : Tunnel Networks Specified Below
IPv4 Split Tunnel Networks :
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16
```
⚠️ DNS with Split Tunnelling
When using split tunnelling, configure the VPN DNS servers and default domain in the Group Policy (General tab → DNS Servers / Default Domain) so that internal FQDNs are resolved by internal DNS. Without this, split tunnel clients send queries for internal names to their local ISP resolver, which both fails to resolve them and leaks the internal namespace.
Devices → VPN → Remote Access → Add Policy
On the Connection Profile tab:
| Field | Value |
|---|---|
| Name | Match the tgname used in the ACS URL exactly (tunnel-group names are case-sensitive) |
| Authentication Method | SAML |
| SAML Server | Select the IdP object created in Step 1 |
| Default Group Policy | Assign a fallback Group Policy for users not matched by DAP |
FTD uses Dynamic Access Policy (DAP) to match SAML attributes from the assertion and assign the correct Group Policy.
When the SAML assertion arrives, FTD parses it and populates DAP attribute variables. The relevant attribute for Entra ID group membership is:

```text
SAML attribute : http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Value          : <Entra ID Group Object ID GUID>   (one value per group the user belongs to)
```
DAP rules evaluate these attributes and can assign a Group Policy, a bookmark list, or an ACL.
Devices → Dynamic Access Policies → Add DAP Record
| Field | Value |
|---|---|
| Name | Descriptive name, e.g., DAP-Corp-Users |
| Priority | Lower number = higher priority (evaluated top-down) |

Under the record's selection criteria, add a SAML attribute match:

| Field | Value |
|---|---|
| Attribute Type | SAML |
| Attribute Name | http://schemas.microsoft.com/ws/2008/06/identity/claims/groups |
| Value | Object ID GUID of the Entra ID group |

Under the record's access/authorization settings:

| Field | Value |
|---|---|
| VPN Tunnel Protocol | SSL Client |
| Group Policy | Select the Group Policy to apply for this group |

Finally, add a lowest-priority catch-all record for users whose groups match none of the records above:

| Field | Value |
|---|---|
| Action | Terminate (deny VPN access) or apply a minimal Group Policy |
⚠️ Group Object IDs
Entra ID sends group Object IDs (GUIDs), not group display names, in the groups claim. Retrieve Object IDs from Entra ID → Groups → select group → Overview → Object ID. DAP rules must match these exact GUIDs.
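The following is an added illustration, not FTD or Cisco code, of what the FTD has to get right before a DAP record can map a user to a Group Policy: the ACS URL must name an existing Connection Profile, the assertion's Audience must equal the SP Entity ID, and the groups claim values (GUIDs) must be matched against DAP records in priority order. The assertion, tenant ID, group GUIDs, FQDN and record names are all constructed for the example; signature validation is out of scope here.

```python
"""Added illustration (not FTD or Cisco code): parse a constructed Entra ID SAML
assertion, check the Audience against the SP Entity ID, extract the groups claim
and match the Object ID GUIDs against DAP-style records in priority order."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SP_ENTITY_ID = "https://vpn.example.com"                 # assumed FTD FQDN
CONNECTION_PROFILES = {"Corp-SAML", "Contractors-SAML"}  # assumed tunnel-group names
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed, unsigned sample with the shape Entra ID emits; tenant and group GUIDs are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://vpn.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>aaaaaaaa-0000-4000-8000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-0000-4000-8000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# DAP-style records as (priority, name, SAML attribute value, group policy); lower priority wins.
# The first record deliberately matches on a display name, which Entra ID never sends.
DAP_RECORDS = [
    (5, "DAP-Wrong-DisplayName", "VPN-Corp-Users", "GP-Corp-Users"),
    (10, "DAP-Admins", "aaaaaaaa-0000-4000-8000-000000000002", "GP-Admins-FullTunnel"),
    (20, "DAP-Corp-Users", "aaaaaaaa-0000-4000-8000-000000000001", "GP-Corp-Users"),
]
DEFAULT_GROUP_POLICY = "GP-Default-Restricted"  # assumed Connection Profile fallback


def tunnel_group_from_acs(acs_url):
    """Return the tgname an FTD ACS URL targets, or None if it is not an ACS URL."""
    parsed = urlparse(acs_url)
    if parsed.path != "/+CSCOE+/saml/sp/acs":
        return None
    return parse_qs(parsed.query).get("tgname", [None])[0]


def acs_targets_known_profile(acs_url, profiles=CONNECTION_PROFILES):
    """The Reply URL in Entra ID must name an existing Connection Profile, spelled exactly."""
    return tunnel_group_from_acs(acs_url) in profiles


def parse_assertion(xml_text):
    """Extract NameID, Audience values and groups-claim values (lower-cased GUIDs)."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:NameID", SAML_NS)
    groups = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups = [v.text.strip().lower() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return {
        "nameid": name_id.text if name_id is not None else None,
        "audiences": [a.text for a in root.iterfind(".//saml:Audience", SAML_NS)],
        "groups": groups,
    }


def select_group_policy(claims, records=DAP_RECORDS, default=DEFAULT_GROUP_POLICY):
    """Mimic DAP selection: first record by priority whose value is one of the user's GUIDs.

    Returns (record_name, group_policy); record_name is None when the session falls through."""
    if SP_ENTITY_ID not in claims["audiences"]:
        raise ValueError("Audience does not match the SP Entity ID; the FTD rejects the assertion")
    user_groups = set(claims["groups"])
    for _prio, name, value, group_policy in sorted(records):
        if value.lower() in user_groups:  # a display name never equals a GUID, so it never matches
            return name, group_policy
    return None, default


def misconfigured_records(records=DAP_RECORDS):
    """Flag records whose match value is not a GUID: a common cause of silent fall-through."""
    return [name for _p, name, value, _gp in records if not GUID_RE.match(value.lower())]


if __name__ == "__main__":
    claims = parse_assertion(SAMPLE_ASSERTION)
    print(claims)
    print(select_group_policy(claims))
    print("non-GUID records:", misconfigured_records())
    print(acs_targets_known_profile("https://vpn.example.com/+CSCOE+/saml/sp/acs?tgname=Corp-SAML"))
```

Running it shows alice matched by DAP-Admins (priority 10) even though she is also in the Corp-Users group, and that the display-name record at priority 5 is never selected; `misconfigured_records()` is the check to run over your own DAP values before a test login.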
After a test login, check FTD syslogs or the FMC event viewer for DAP evaluation results. Message 734001 lists the DAP records selected for the session:

```text
%ASA-6-734001: DAP: User <username>, Addr <ip>, Connection AnyConnect: The following DAP records were selected for this connection: DAP-Corp-Users
```

The Group Policy actually applied is visible in the Group Policy column of `show vpn-sessiondb anyconnect`.

If no custom DAP record matches, the built-in DfltAccessPolicy record is the only one selected and the session falls through to the Connection Profile's Default Group Policy. Treat a DfltAccessPolicy-only selection for a user who should have matched as a GUID or priority mistake in the DAP records.
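As an added example, not part of the original guide or of Cisco's tooling, the check below parses DAP syslog messages from a test login and reports which record each session selected, which sessions fell through to DfltAccessPolicy and which were terminated by a DAP record. The log lines, hostnames, users and record names are constructed for the example.

```python
"""Added example (not Cisco tooling): parse FTD/ASA DAP syslog messages and
summarise selected records, fall-throughs to DfltAccessPolicy and terminations."""
import re
from collections import Counter

# Constructed sample log. 734001 lists the selected records for a session; 734002
# reports a connection terminated by a DAP record. Addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 09:12:01 ftd-01 %ASA-6-734001: DAP: User alice@example.com, Addr 203.0.113.10, Connection AnyConnect: The following DAP records were selected for this connection: DAP-Corp-Users
Jan 10 09:13:44 ftd-01 %ASA-6-734001: DAP: User bob@example.com, Addr 203.0.113.11, Connection AnyConnect: The following DAP records were selected for this connection: DAP-Admins, DAP-Posture-Check
Jan 10 09:15:02 ftd-01 %ASA-6-734001: DAP: User carol@example.com, Addr 198.51.100.7, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Jan 10 09:16:30 ftd-01 %ASA-5-734002: DAP: User mallory@example.com, Addr 198.51.100.8: Connection terminated by the following DAP records: DAP-Deny-Unmatched
Jan 10 09:16:31 ftd-01 %ASA-6-725007: SSL session with client outside:198.51.100.8/51234 terminated.
"""

# Matches both message IDs; the ", Connection <type>" part is present on 734001 only.
DAP_RE = re.compile(
    r"%ASA-\d-(?P<msgid>73400[12]): DAP: User (?P<user>\S+), Addr (?P<addr>[0-9A-Fa-f.:]+)"
    r"(?:, Connection (?P<conn>[^:]+))?: (?P<text>.+?): (?P<records>.+)$"
)


def parse_dap_events(lines):
    """Return one dict per DAP syslog message; lines without a DAP message are ignored."""
    events = []
    for line in lines:
        m = DAP_RE.search(line)
        if not m:
            continue
        events.append({
            "user": m["user"],
            "addr": m["addr"],
            "terminated": m["msgid"] == "734002",
            "records": [r.strip() for r in m["records"].split(",")],
        })
    return events


def summarize(events):
    """Per-record hit counts plus the users who fell through or were terminated."""
    hits = Counter()
    fell_through, terminated = [], []
    for ev in events:
        hits.update(ev["records"])
        if ev["terminated"]:
            terminated.append(ev["user"])
        elif ev["records"] == ["DfltAccessPolicy"]:
            # Only the built-in record matched: the user's group GUIDs hit no custom record.
            fell_through.append(ev["user"])
    return {"hits": hits, "fell_through": fell_through, "terminated": terminated}


if __name__ == "__main__":
    events = parse_dap_events(SAMPLE_LOG.splitlines())
    for ev in events:
        print(ev)
    print(summarize(events))
```

Feed it the output of the FMC event viewer export or the syslog collector for the test window; any name in `fell_through` that was supposed to match a group is the first thing to check against the Object IDs in the DAP records.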
On the FTD, enter the diagnostic CLI (`system support diagnostic-cli` from the FTD shell, or through FMC's CLI access) and enable SAML debug logging for a test login:

```text
debug webvpn saml 255
```

This shows the full SAML assertion, the extracted attributes, and whether the ACS URL processing succeeded. The output includes the user's NameID and group claims, so treat captured debugs as sensitive and turn debugging off (`undebug all`) once the test login is done.
| Test | Expected Result |
|---|---|
| AnyConnect connects and redirects to Entra ID login page | SAML redirect working |
| After Entra ID auth, VPN session establishes | Assertion accepted, SP processing OK |
| `show vpn-sessiondb anyconnect` (Group Policy column) | Shows correct group policy for the user |
| `show vpn-sessiondb anyconnect detail filter name <user>` | Shows split tunnel ACL / networks |
| User in Group A gets split tunnel; user in Group B gets full tunnel | DAP group mapping working |

Useful commands from the diagnostic CLI (enable the DAP debug before the test login so the record evaluation is captured):

```text
show vpn-sessiondb anyconnect
show vpn-sessiondb anyconnect detail filter name <username>
debug dap trace
```
| Component | Location | Purpose |
|---|---|---|
| Enterprise Application (SAML) | Entra ID | Defines FTD as SP, issues group claims |
| Group claim in Attributes & Claims | Entra ID | Includes group Object IDs in assertion |
| SAML Identity Provider object | FMC → Objects → Identity Sources | Configures IdP details and certificate |
| Group Policy objects | FMC → Devices → VPN → Group Policies | Defines split tunnelling and access per group |
| Connection Profile | FMC → Devices → VPN → Remote Access | Sets SAML auth, links IdP object |
| Dynamic Access Policy records | FMC → Devices → DAP | Maps group GUIDs to Group Policies |