
74-17

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 74 Configuring Clientless SSL VPN

Using Single Sign-on with Clientless SSL VPN

Detailed Steps

This section presents general tasks, not a complete procedure. To configure the Cisco authentication
scheme on your SiteMinder Policy Server, perform the following steps:

Step 1

With the SiteMinder Administration utility, create a custom authentication scheme, being sure to use the following specific arguments:

• In the Library field, enter smjavaapi.

• In the Secret field, enter the same secret configured on the ASA. You configure the secret on the ASA using the policy-server-secret command at the command-line interface.

• In the Parameter field, enter CiscoAuthApi.

Step 2

Using your Cisco.com login, download the file cisco_vpn_auth.jar from http://www.cisco.com/cisco/software/navigator.html and copy it to the default library directory for the SiteMinder server. This .jar file is also available on the Cisco ASA CD.

Configuring SSO Authentication Using SAML Browser Post Profile

This section describes configuring the ASA to support Security Assertion Markup Language (SAML),
Version 1.1 POST profile Single Sign-On (SSO) for authorized users.

After a session is initiated, the ASA authenticates the user against a configured AAA method. Next, the
ASA (the asserting party) generates an assertion to the relying party, the consumer URL service provided
by the SAML server. If the SAML exchange succeeds, the user is allowed access to the protected
resource.

Figure 74-3 shows the communication flow:

Figure 74-3 SAML Communication Flow

Prerequisites

To configure SSO with a SAML Browser Post Profile, you must perform the following tasks:

• Specify the SSO server with the sso-server command.

• Specify the URL of the SSO server for authentication requests (the assertion-consumer-url command).

• Specify the ASA hostname as the component issuing the authentication request (the issuer command).

• Specify the trustpoint certificate used for signing SAML Post Profile assertions (the trustpoint command).
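The Browser/POST exchange described above, as an added illustration that is not part of the Cisco guide or of any ASA or SiteMinder code: the asserting party (the ASA's role) builds a SAML 1.1 Response whose Issuer is the ASA hostname and whose Recipient is the assertion consumer URL, and the relying party decodes the SAMLResponse form field and checks Recipient, status, Issuer and the Conditions window before honouring the bearer assertion. The hostnames, user name, lifetime and IDs are constructed sample values, and the XML signature that the trustpoint certificate would produce is not implemented (it needs an XML-DSig library).

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ISO = "%Y-%m-%dT%H:%M:%SZ"  # SAML 1.1 timestamps are UTC with a trailing Z

def parse_ts(s):
    return datetime.strptime(s, ISO).replace(tzinfo=timezone.utc)

def build_post_form(issuer, consumer_url, user, now, target, lifetime=300):
    """Asserting party (the ASA's role): a SAML 1.1 Response carrying a bearer assertion,
    packaged as the Browser/POST form fields. The ASA also signs it; XML-DSig is omitted."""
    ts = now.strftime(ISO)
    resp = ET.Element(f"{{{SAMLP}}}Response", ResponseID="_r1", MajorVersion="1",
                      MinorVersion="1", IssueInstant=ts, Recipient=consumer_url)
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"),
                  f"{{{SAMLP}}}StatusCode", Value="samlp:Success")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", AssertionID="_a1", Issuer=issuer,
                      MajorVersion="1", MinorVersion="1", IssueInstant=ts)
    ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=ts,
                  NotOnOrAfter=(now + timedelta(seconds=lifetime)).strftime(ISO))
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", AuthenticationInstant=ts,
                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = user
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML}}}ConfirmationMethod").text = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
    return {"SAMLResponse": base64.b64encode(ET.tostring(resp)).decode(), "TARGET": target}

def validate_post(form, expected_issuer, my_consumer_url, now):
    """Relying party (the consumer URL): checks before honouring the bearer assertion.
    Returns (subject, reason). Real deployments verify the XML signature first."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))  # untrusted input
    if root.get("Recipient") != my_consumer_url:
        return None, "Recipient mismatch"  # issued for a different consumer URL
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or not code.get("Value", "").endswith("Success"):
        return None, "status not Success"
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None or a.get("Issuer") != expected_issuer:
        return None, "unexpected Issuer"  # must match the issuer configured on the ASA
    cond = a.find(f"{{{SAML}}}Conditions")
    name = a.find(f"{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if cond is None or name is None:
        return None, "malformed assertion"
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        return None, "outside validity window"
    return name.text, "ok"
```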

[Figure 74-3 diagram: User Browser, SAML Server, Protected Resource URL (Web Agent), Security Applications; flow: User Login, SAML SSO Assertion, Redirection to Applications Portal (with cookie), Access to Applications]
