Integration Guide for Cisco AnyConnect Client & Cisco ASA VPN Server


Introduction

This guide describes how to configure a Cisco ASA, accessed with the Cisco AnyConnect VPN client, for direct SAML integration with Beyond Identity. Beyond Identity acts as the SAML identity provider (IdP); the ASA acts as the SAML service provider (SP).



Pre-requisites:

  • Cisco ASA running 9.8 code train or higher.

  • Cisco AnyConnect VPN client version 4.6 or later.

  • Cisco ASA network admin account.

  • Cisco ASA GUI access via ASDM and CLI access via SSH.

  • Beyond Identity Admin Console access.  

User Experience Demo:

https://drive.google.com/file/d/1ozfRRtdvK3rbiDQOkDfLtJ5hxsk1sqSl/view?usp=sharing

Step 1: Configure SAML Integration on Beyond Identity Admin Console:

  1. Login to the BI Admin console and navigate to Integrations > SAML > Add SAML connection.

  2. Fill in the required details and hit SAVE CHANGES.

  3. Note down the IdP SSO URL and the IdP Issuer URL, and download the Certificate file. Step 2 needs all three: the Issuer URL becomes the IdP name on the ASA, the SSO URL is the sign-in URL, and the certificate is the key the ASA uses to verify SAML assertions.


Step 2: Configure Cisco ASA:

  1. On the Cisco ASA CLI, create a trustpoint and import the Beyond Identity SAML signing certificate downloaded in Step 1. "no ca-check" is required because the file is a leaf (non-CA) certificate, and "revocation-check none" because the ASA has no CRL or OCSP source for it. The certificate is therefore pinned: when Beyond Identity rotates its signing certificate, the new certificate must be imported into this trustpoint again, or assertion signature validation will fail.

config t

crypto ca trustpoint BeyondIdentity-SAML

  revocation-check none

  no id-usage

  enrollment terminal

  no ca-check

  exit

crypto ca authenticate BeyondIdentity-SAML

-----BEGIN CERTIFICATE-----

PEM Certificate Text from download goes here

-----END CERTIFICATE-----

quit

  2. Use the following commands to set up Beyond Identity as the SAML IdP on the Cisco ASA. Replace the placeholders: "saml idp" takes the IdP Issuer URL (ending in metadata.xml) as the IdP entity ID, "url sign-in" takes the IdP SSO URL, "trustpoint sp" takes the name of the trustpoint that holds the ASA's own identity certificate, and "base-url" must be the https URL with the FQDN users connect to, because the ASA builds the SP ACS URL and Audience URI entered in Step 3 from it. "no signature" means the ASA does not sign its SAML AuthnRequest; the assertion returned by the IdP is still validated against the certificate in the BeyondIdentity-SAML trustpoint. "no force re-authentication" lets the IdP reuse an existing session instead of requiring a fresh login on every connection.

webvpn

saml idp <IdP Issuer URL ending in metadata.xml>

url sign-in <IdP SSO URL ending in /SSO>

url sign-out https://www.beyondidentity.com

trustpoint idp BeyondIdentity-SAML

trustpoint sp <SP Trustpoint>

no force re-authentication

no signature

base-url https://my.asa.com

  3. Use the following commands to set up the tunnel-group. The tunnel-group name (BeyondIdentity-AC-SAML) becomes part of the SP ACS URL and Audience URI entered on the Beyond Identity side in Step 3, so it must match exactly.

tunnel-group BeyondIdentity-AC-SAML type remote-access

tunnel-group BeyondIdentity-AC-SAML webvpn-attributes

authentication saml

group-alias BeyondIdentity enable

saml identity-provider <IdP Issuer URL ending in metadata.xml>

saml idp-trustpoint BeyondIdentity-SAML



Step 3: Complete SAML Integration on Beyond Identity Admin Console:

  1. Login to the BI Admin console, navigate to Integrations > SAML and open the SAML connection created in Step 1.

  2. Fill in the SP details as shown in the example below and hit SAVE CHANGES. The SP Single Sign On URL and SP Audience URI follow the ASA's fixed pattern: the base-url from Step 2 followed by /+CSCOE+/saml/sp/acs?tgname=<tunnel-group> and /saml/sp/metadata/<tunnel-group> respectively. In the example the ASA base-url is https://asa.azure-hybrid.us and the tunnel-group is BeyondIdentity-AC-SAML; if the hostname here does not match base-url, the IdP posts the assertion to a URL the ASA does not serve, or the ASA rejects the Audience.

Name: Cisco ASA

SP Single Sign On URL: https://asa.azure-hybrid.us/+CSCOE+/saml/sp/acs?tgname=BeyondIdentity-AC-SAML

SP Audience URI: https://asa.azure-hybrid.us/saml/sp/metadata/BeyondIdentity-AC-SAML

Name ID Format: emailAddress

Subject User Attribute: UserName
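The following Python script is an added example, not code from this guide, from Cisco or from Beyond Identity. It ties Steps 2 and 3 together: it parses a SAML 2.0 IdP metadata document (the file behind the IdP Issuer URL), extracts the entityID, the HTTP-Redirect SSO URL and the signing certificate, refuses a non-https SSO endpoint, prints the certificate's SHA-256 fingerprint so it can be compared with the admin console before the import, renders the Step 2 CLI, and derives the SP Single Sign On URL and Audience URI for Step 3 from base-url and the tunnel-group name using the URL pattern shown in Step 3. The metadata is constructed for the example, the hostname auth.byndid.example and the trustpoint name ASA-SP are assumptions, and the certificate body is placeholder bytes, not a real certificate.

```python
"""Derive the ASA SAML CLI of Step 2 and the SP values of Step 3 from IdP metadata.

Added example, not code from the original guide, Cisco or Beyond Identity.
auth.byndid.example and the ASA-SP trustpoint name are assumptions, and the
X509Certificate body below is placeholder bytes, not a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata (shape of a SAML 2.0 IDPSSODescriptor).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.byndid.example/v2/saml/idp/metadata.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_B64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.byndid.example/v2/saml/idp/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.byndid.example/v2/saml/idp/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".replace("CERT_B64", base64.b64encode(b"placeholder, not a real certificate").decode())


def parse_idp_metadata(xml_text):
    """Extract what the ASA needs: entityID, HTTP-Redirect SSO URL, signing cert."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService[@Binding='%s']"
                    % HTTP_REDIRECT, NS)
    key = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']", NS)
    if key is None:  # a KeyDescriptor without "use" is valid for signing too
        key = root.find("md:IDPSSODescriptor/md:KeyDescriptor", NS)
    if entity_id is None or sso is None or key is None:
        raise ValueError("metadata lacks entityID, HTTP-Redirect SSO endpoint or signing key")
    sso_url = sso.get("Location")
    if urlparse(sso_url).scheme != "https":
        raise ValueError("refusing a non-https SSO URL: " + sso_url)
    cert_b64 = "".join(key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text.split())
    # Compare the fingerprint with the one shown in the admin console before importing.
    return {"entity_id": entity_id, "sso_url": sso_url, "cert_b64": cert_b64,
            "cert_sha256": hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()}


def sp_values(base_url, tunnel_group):
    """SP ACS URL and Audience URI the ASA derives from base-url and the tunnel-group."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.netloc or parsed.path not in ("", "/"):
        raise ValueError("base-url must be https://<fqdn> with no path: " + base_url)
    base = "https://" + parsed.netloc
    return {"acs_url": "%s/+CSCOE+/saml/sp/acs?tgname=%s" % (base, tunnel_group),
            "audience_uri": "%s/saml/sp/metadata/%s" % (base, tunnel_group)}


def render_asa_config(idp, base_url, tunnel_group="BeyondIdentity-AC-SAML",
                      idp_trustpoint="BeyondIdentity-SAML", sp_trustpoint="ASA-SP",
                      sign_out_url="https://www.beyondidentity.com"):
    """Render the Step 2 CLI for pasting into the ASA terminal."""
    sp_values(base_url, tunnel_group)  # reject a malformed base-url before emitting anything
    b64 = idp["cert_b64"]
    pem = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64-column PEM body
    lines = ["crypto ca trustpoint " + idp_trustpoint, "  revocation-check none",
             "  no id-usage", "  enrollment terminal", "  no ca-check", "  exit",
             "crypto ca authenticate " + idp_trustpoint, "-----BEGIN CERTIFICATE-----"]
    lines += pem + ["-----END CERTIFICATE-----", "quit", "webvpn",
                    "  saml idp " + idp["entity_id"],
                    "    url sign-in " + idp["sso_url"],
                    "    url sign-out " + sign_out_url,
                    "    trustpoint idp " + idp_trustpoint,
                    "    trustpoint sp " + sp_trustpoint,
                    "    no force re-authentication", "    no signature",
                    "    base-url " + base_url.rstrip("/"),
                    "tunnel-group %s type remote-access" % tunnel_group,
                    "tunnel-group %s webvpn-attributes" % tunnel_group,
                    "  authentication saml", "  group-alias BeyondIdentity enable",
                    "  saml identity-provider " + idp["entity_id"],
                    "  saml idp-trustpoint " + idp_trustpoint]
    return "\n".join(lines)


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print("! IdP signing cert SHA-256: " + idp["cert_sha256"])
    print(render_asa_config(idp, "https://asa.azure-hybrid.us"))
    for name, value in sp_values("https://asa.azure-hybrid.us", "BeyondIdentity-AC-SAML").items():
        print("! %s: %s" % (name, value))
```

Run it against the real metadata.xml fetched from the IdP Issuer URL instead of SAMPLE_METADATA; the printed CLI is meant for pasting into the ASA terminal, since "crypto ca authenticate" with terminal enrollment reads the PEM interactively. The https checks on the SSO URL and base-url are the two places a typo silently weakens the integration: a plain-http SSO URL would send the AuthnRequest in the clear, and a base-url that does not match the FQDN entered in Step 3 breaks the ACS and Audience match.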