Phase 6: Pilot Deployment

Pilot Group

  • Select pilot group: IT security team (5-10 users)

  • Add pilot users to SG-VPN-Users in Entra

  • Verify pilot users have MFA enrolled (Authenticator/FIDO2)

  • Communicate: pilot start date, what to expect, who to contact

Dual-Path Configuration

During pilot, maintain both auth paths:

! Create a SEPARATE tunnel group for SAML pilot
! Keep existing Okta RADIUS tunnel group active

tunnel-group VPN-SAML-PILOT type remote-access
tunnel-group VPN-SAML-PILOT webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 group-alias "VPN (New - Pilot)" enable

! Existing tunnel group untouched
tunnel-group VPN-OKTA type remote-access
tunnel-group VPN-OKTA webvpn-attributes
 authentication aaa
 group-alias "VPN" enable

  • Pilot users connect to "VPN (New - Pilot)"

  • All other users continue on existing "VPN" with Okta RADIUS

  • Zero impact to production during pilot

Pilot Success Criteria

  • All pilot users authenticate via Entra SAML successfully

  • MFA works consistently (no timeout/failure patterns)

  • VPN session attributes correct in ASA and ISE

  • No complaints about UX (login speed, browser behavior)

  • Rollback tested: pilot user switches back to Okta tunnel group

  • 5 business days with zero auth failures → proceed to production

Pilot Monitoring

  • Daily: check ISE live logs for pilot SAML auth failures

  • Daily: show vpn-sessiondb anyconnect | include SAML

  • Track: auth success rate, MFA completion time, user complaints
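The daily sessiondb check above can be turned into a scripted report that confirms the dual-path split is holding: pilot users on the SAML tunnel group, everyone else still on the Okta group, and nobody outside the roster on the pilot group (a group-alias is visible to every AnyConnect client, so the pilot alias is selectable by anyone). The following is an added example, not part of this runbook or any Cisco tooling; the sessiondb output, usernames, IPs and pilot roster are constructed for the example, and PILOT_USERS stands in for the SG-VPN-Users membership you would pull from Entra.

```python
"""Parse `show vpn-sessiondb anyconnect` output and check the pilot split."""
import re
from collections import defaultdict

# Constructed sample in the two-column layout of `show vpn-sessiondb anyconnect`;
# usernames, addresses and index values are made up for this example.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : asmith                 Index        : 12
Assigned IP  : 10.20.0.5              Public IP    : 198.51.100.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP-VPN                 Tunnel Group : VPN-SAML-PILOT
Login Time   : 09:12:03 UTC Mon Jun 3 2024
Duration     : 0h:15m:22s

Username     : bjones                 Index        : 13
Assigned IP  : 10.20.0.6              Public IP    : 198.51.100.11
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP-VPN                 Tunnel Group : VPN-OKTA
Login Time   : 09:20:41 UTC Mon Jun 3 2024
Duration     : 0h:06m:44s

Username     : clee                   Index        : 14
Assigned IP  : 10.20.0.7              Public IP    : 198.51.100.12
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP-VPN                 Tunnel Group : VPN-SAML-PILOT
Login Time   : 09:31:09 UTC Mon Jun 3 2024
Duration     : 0h:01m:02s

Username     : dkim                   Index        : 15
Assigned IP  : 10.20.0.8              Public IP    : 198.51.100.13
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP-VPN                 Tunnel Group : VPN-OKTA
Login Time   : 09:40:55 UTC Mon Jun 3 2024
Duration     : 0h:00m:30s

Username     : evans                  Index        : 16
Assigned IP  : 10.20.0.9              Public IP    : 198.51.100.14
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP-VPN                 Tunnel Group : VPN-SAML-PILOT
Login Time   : 09:45:12 UTC Mon Jun 3 2024
Duration     : 0h:00m:08s
"""

PILOT_TUNNEL_GROUP = "VPN-SAML-PILOT"
# Assumed pilot roster; in practice read the SG-VPN-Users membership from Entra.
PILOT_USERS = {"asmith", "clee", "dkim"}

# The ASA prints up to two "Key : value" columns per line. Split a line into
# column chunks at runs of 2+ spaces that are followed by another "Key :".
COLUMN_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][A-Za-z ]*?\s*:)")


def parse_sessiondb(text):
    """Return one dict of field -> value per AnyConnect session in the output."""
    sessions, current = [], {}
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a session block
            if "Username" in current:
                sessions.append(current)
            current = {}
            continue
        for chunk in COLUMN_SPLIT.split(line.strip()):
            # partition on the first colon so values like "09:12:03" stay intact
            key, sep, value = chunk.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    if "Username" in current:                     # flush the last block
        sessions.append(current)
    return sessions


def pilot_report(sessions, pilot_users, pilot_group=PILOT_TUNNEL_GROUP):
    """Classify live sessions for the daily pilot check.

    by_group      - session count per tunnel group
    pilot_on_saml - pilot users currently authenticated via the pilot group
    stragglers    - pilot users connected through a different group (e.g. rolled back)
    unexpected    - non-pilot users who selected the pilot group alias
    """
    by_group = defaultdict(int)
    pilot_on_saml, stragglers, unexpected = set(), set(), set()
    for s in sessions:
        user, group = s["Username"], s.get("Tunnel Group", "?")
        by_group[group] += 1
        if group == pilot_group:
            (pilot_on_saml if user in pilot_users else unexpected).add(user)
        elif user in pilot_users:
            stragglers.add(user)
    return {
        "by_group": dict(by_group),
        "pilot_on_saml": sorted(pilot_on_saml),
        "stragglers": sorted(stragglers),
        "unexpected": sorted(unexpected),
    }


if __name__ == "__main__":
    report = pilot_report(parse_sessiondb(SAMPLE_OUTPUT), PILOT_USERS)
    for key, value in report.items():
        print(f"{key:14}: {value}")
```

Feed it the real command output (captured over SSH or from a syslog-forwarded copy) instead of SAMPLE_OUTPUT. A non-empty "unexpected" list means someone outside the pilot roster has reached the SAML path, which belongs in the daily tracking alongside auth success rate and complaints; "stragglers" is expected to be non-empty on the day you exercise the rollback criterion.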