Initial testing of SAML for Remote Access VPN was positive, but a few notes for those doing the testing:
1) Read through the release notes, there are critical steps about manual edits using GUIDBedit and a script that has to be run on the management server. I believe the script updates some policy validation settings that otherwise cause the policy to fail validation with a complaint about not being able to have multiple login options if one of them is an Identity Provider.
2) The embedded browser does not support FIDO2/WebAuthN if you are using Okta as your SAML provider. This is likely something that Okta has to address because they don't support either with native Safari on Mac, either. This limits the usefulness of this over native RADIUS auth if you were looking to get FIDO2/WebAuthN support for more modern MFA factors.
3) The current VPN client version is E85.30, but the recommended is still E84.30. The solution requires E84.70 at a minimum. So depending on how you handle client upgrades, this may be a challenge.
So, @PhoneBoy , @Paul_Hagyard a few questions:
1) When do you expect the manual steps involving GUIDBedit and the script will no longer be required?
2) Any plans to support other browsers for the SAML flow? Chrome, Firefox, Edge.? I ask because the embedded browser isn't fully supported by Okta (see above) and some users prefer other browsers (as well as corporate standards.
I also assume that by IE, you mean the system browser (Edge, now) and not the literal IE (11) which is deprecated.
UPDATED: So, after testing this, I can state that by IE, they mean the literal IE (10 or 11). So if you have removed IE from Windows in exchange for Edge Chromium (because even Microsoft is pushing for users to move from IE11 to Edge Chromium), then the SAML flows will NOT work. The embedded browser does not appear to support WebAuthN (at least not with Okta), so support for U2F or biometrics is not going to be possible.