Phase 4: AnyConnect Client Configuration

SAML Browser Requirement

SAML authentication requires a web browser for the IdP redirect. AnyConnect supports two modes:

| Mode | How | When |
| --- | --- | --- |
| Embedded browser | AnyConnect 4.6+ built-in browser handles the SAML redirect internally | Preferred — seamless UX, no external browser needed |
| External browser | AnyConnect opens the system default browser for SAML | Fallback for older clients or SSO/cookie requirements |
| VPN-only (no browser) | ASA 9.17+ allows saml external-browser with token passback | Headless/kiosk scenarios |

Minimum Version Audit

  • Verify AnyConnect >= 4.6 across all VPN clients

  • Identify clients below 4.6 — these need upgrade before cutover

  • Plan AnyConnect upgrade push if needed (SCCM/Intune/manual)
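The version audit above is easy to get wrong with a plain string comparison ("4.10" sorts below "4.6"). The following added example, which is not part of the original runbook, compares versions numerically and flags clients below 4.6 or with no reported version. The inventory CSV is constructed; a real export from SCCM/Intune or the ASA session table would be loaded from a file instead.

```python
"""Flag AnyConnect clients below the minimum version for embedded-browser SAML.

Added example, not part of the original runbook. The inventory below is
constructed sample data in the shape of a hostname/version export.
"""
import csv
import io
from typing import Dict, List, Tuple

MIN_VERSION = (4, 6)  # embedded-browser SAML needs AnyConnect 4.6 or newer

# Constructed sample inventory: hostname, AnyConnect version as reported by the client.
SAMPLE_INVENTORY = """hostname,anyconnect_version
lt-001,4.10.07073
lt-002,4.5.02036
lt-003,4.6.00362
lt-004,4.9.06037
lt-005,3.1.14018
lt-006,
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.10.07073' into (4, 10, 7073).

    Comparing tuples of ints avoids the classic mistake where the string
    '4.10' compares lower than '4.6'.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def needs_upgrade(version: str, minimum: Tuple[int, ...] = MIN_VERSION) -> bool:
    """True when the reported version is older than the minimum.

    A tuple that merely extends the minimum, e.g. (4, 6, 362) versus (4, 6),
    compares greater, so 4.6.x builds are accepted.
    """
    return parse_version(version) < minimum


def audit(inventory_csv: str, minimum: Tuple[int, ...] = MIN_VERSION) -> Dict[str, List[str]]:
    """Bucket hosts into ok / upgrade / unknown.

    Hosts with a missing or unparseable version go to 'unknown' so they are
    treated as cutover blockers rather than silently counted as compliant.
    """
    ok: List[str] = []
    upgrade: List[str] = []
    unknown: List[str] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"]
        version = (row.get("anyconnect_version") or "").strip()
        if not version:
            unknown.append(host)
            continue
        try:
            (upgrade if needs_upgrade(version, minimum) else ok).append(host)
        except ValueError:
            unknown.append(host)
    return {"ok": ok, "upgrade": upgrade, "unknown": unknown}


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    for bucket, hosts in result.items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

Hosts in the "upgrade" and "unknown" buckets are the ones to push through SCCM/Intune (or handle manually) before the pilot; "unknown" usually means the client never checked in and should be verified rather than assumed.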

Connection Profile

The AnyConnect XML profile may need updates if the connection entry changes.

Verify current profile

! On ASA
show webvpn anyconnect
show running-config webvpn | include anyconnect

:: Client-side (Windows): deployed profiles live under ProgramData, not the per-user %APPDATA%
type "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\*.xml"

# Client-side (macOS/Linux)
cat /opt/cisco/anyconnect/profile/*.xml

  • Update connection profile XML if tunnel group name changes

  • Test embedded browser SAML flow with Entra login page

  • Verify MFA prompt appears (Authenticator push / FIDO2 / SMS)

  • Test SSO behavior — does AnyConnect cache the SAML session cookie?
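To check whether a deployed profile still references the pre-cutover tunnel group, the ServerList in the XML can be parsed directly. The following is an added example, not code from the original runbook or from Cisco. The profile is constructed; the element names (ServerList, HostEntry, HostName, HostAddress, UserGroup) follow the AnyConnect client profile schema, while the hostname and the group names okta-saml and entra-saml are placeholders.

```python
"""List HostEntry records in an AnyConnect XML profile and flag entries that
still point at a retired tunnel group.

Added example, not part of the original runbook. SAMPLE_PROFILE is a
constructed profile; server name and group names are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional

# The AnyConnect profile uses this as its default namespace.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>okta-saml</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>Corporate VPN (pilot)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>entra-saml</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>vpn-dr.example.com</HostName>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def list_host_entries(profile_xml: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per HostEntry: display name, address, tunnel group.

    HostAddress and UserGroup are optional in the schema (a HostName that is
    already an FQDN needs no HostAddress; no UserGroup means the ASA's default
    or URL-selected group), so missing elements come back as None.
    """
    root = ET.fromstring(profile_xml)
    entries: List[Dict[str, Optional[str]]] = []
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        entries.append(
            {
                "name": entry.findtext("ac:HostName", default=None, namespaces=NS),
                "address": entry.findtext("ac:HostAddress", default=None, namespaces=NS),
                "group": entry.findtext("ac:UserGroup", default=None, namespaces=NS),
            }
        )
    return entries


def entries_needing_update(profile_xml: str, retired_groups: Iterable[str]) -> List[str]:
    """Names of HostEntry records whose UserGroup is a retired (pre-cutover) group."""
    retired = set(retired_groups)
    return [e["name"] or "<unnamed>" for e in list_host_entries(profile_xml) if e["group"] in retired]


def entries_without_group(profile_xml: str) -> List[str]:
    """Names of entries with no UserGroup; these rely on the ASA default group
    and should be checked by hand rather than assumed migrated."""
    return [e["name"] or "<unnamed>" for e in list_host_entries(profile_xml) if e["group"] is None]


if __name__ == "__main__":
    for e in list_host_entries(SAMPLE_PROFILE):
        print(f"{e['name']!s:24s} address={e['address']} group={e['group']}")
    print("still on retired group:", entries_needing_update(SAMPLE_PROFILE, ["okta-saml"]))
    print("no explicit group:", entries_without_group(SAMPLE_PROFILE))
```

Run this against the XML files found at the client-side paths listed above; any entry reported under a retired group means the profile must be regenerated on the ASA and pushed before that client is moved to the Entra flow.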

User Communication

  • Draft user notification: "VPN login is changing — you’ll see a Microsoft login page instead of Okta"

  • Include: MFA enrollment instructions for Microsoft Authenticator

  • Include: AnyConnect upgrade instructions if needed

  • Timeline: notify 1 week before pilot, 2 weeks before production cutover