EOL for Duo LDAP solution for Cisco Anyconnect dynamic group policy selection

We currently use the Anyconnect LDAPS method as using that in conjunction with internal LDAP servers is the only solution that allows us to dynamically assign a group-policy to Anyconnect users based on their group membership. What is the DUO solution to this once LDAPS is EOL? Is there a SAML2 method that will allow us to select group-policy upon login?

I know ASA didn’t support DAP with SAML but it looks like it does in 9.19? https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/asdm719/vpn/asdm-719-vpn-config/vpn-asdm-dap.pdf (page 31)

I think though, there is a wrinkle in that the current Duo SSO SAML application for ASA doesn’t send group (memberof) information today. The Generic Duo SSO SAML application does support sending role attributes as a service provider attribute. So, you should be able to federate the ASA with Duo SSO using the generic SAML app to specify the group attribute to use for DAP.

Feel free to contact Duo Support for assistance with deploying that generic SAML app with the ASA.

ETA: you can also continue using LDAP to AD for DAP if you switch to RADIUS auth for 2FA only (Duo RADIUS AAA as secondary) via the Authentication Proxy. Duo RADIUS Two-Factor Authentication with Password Reset for Cisco ASA SSL VPNs | Duo Security