Cisco ASA 5505 User Manual


74-18

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 74 Configuring Clientless SSL VPN

Using Single Sign-on with Clientless SSL VPN

Optionally, in addition to these required tasks, you can do the following configuration tasks:

Configure the authentication request timeout (the request-timeout command)

Configure the number of authentication request retries (the max-retry-attempts command)

Restrictions

SAML SSO is supported only for clientless SSL VPN sessions.

The ASA currently supports only the Browser Post Profile type of SAML SSO Server.

The SAML Browser Artifact method of exchanging assertions is not supported.

Detailed Steps

This section presents specific steps for configuring the ASA to support SSO authentication with SAML
Post Profile. To configure SSO with SAML-V1.1-POST, perform the following steps:

Command / Purpose

Step 1
Command: webvpn
Purpose: Switches to webvpn configuration mode.

Step 2
Command: sso-server (with the type option)
Example:
hostname(config)# webvpn
hostname(config-webvpn)# sso-server sample type SAML-V1.1-post
hostname(config-webvpn-sso-saml)#
Purpose: Creates an SSO server. The example creates an SSO server named sample of type SAML-V1.1-POST.

Step 3
Command: sso saml
Purpose: Switches to webvpn-sso-saml configuration mode.

Step 4
Command: assertion-consumer-url
Example:
hostname(config-webvpn-sso-saml)# assertion-consumer-url http://www.sample.com/webvpn
hostname(config-webvpn-sso-saml)#
Purpose: Specifies the authentication URL of the SSO server. The example sends authentication requests to the URL http://www.sample.com/webvpn.

Step 5
Command: issuer (a unique string)
Example:
hostname(config-webvpn-sso-saml)# issuer myasa
hostname(config-webvpn-sso-saml)#
Purpose: Identifies the ASA itself when it generates assertions. Typically, this issuer name is the hostname of the ASA.

Step 6
Command: trust-point
Example:
hostname(config-webvpn-sso-saml)# trust-point mytrustpoint
Purpose: Specifies the identification certificate used to sign the assertion.

Step 7 (Optional)
Command: request-timeout
Example:
hostname(config-webvpn-sso-saml)# request-timeout 8
hostname(config-webvpn-sso-saml)#
Purpose: Configures the number of seconds before a failed SSO authentication attempt times out. The example sets the request timeout to 8 seconds. The default is 5 seconds, and the possible range is 1 to 30 seconds.
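The following is an added example, not Cisco code and not part of the configuration guide. It builds the Step 1 through Step 7 command block from parameters, rejecting values the page says the ASA does not accept (a request-timeout outside 1 to 30 seconds), and it audits a running-config fragment for the same settings. The function names, the constructed config text, the host names and the check that the assertion-consumer-url uses HTTPS are this example's own assumptions (the page's own example uses http://); the generated lines follow the prompts shown on the page, where the sso-server command already leaves the session in webvpn-sso-saml mode. The valid range for max-retry-attempts is not given on this page, so only a positive integer is enforced for it.

```python
"""Build and audit the ASA clientless SSL VPN SAML SSO server block.

Added example, not Cisco code. Function names, sample values and the HTTPS
check are this example's own assumptions; the ASA performs the real
validation when the commands are entered.
"""
from urllib.parse import urlparse

# request-timeout default and bounds as stated in the configuration guide
REQUEST_TIMEOUT_DEFAULT = 5
REQUEST_TIMEOUT_MIN = 1
REQUEST_TIMEOUT_MAX = 30
SAML_POST_TYPE = "saml-v1.1-post"


def _check_url(url):
    """Return a finding for a malformed or non-HTTPS consumer URL, else None.

    The HTTPS requirement is an assumed hardening check: with the Browser
    POST profile the assertion passes through the user's browser to this URL.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "assertion-consumer-url is not an absolute http(s) URL"
    if parsed.scheme != "https":
        return "assertion-consumer-url does not use https"
    return None


def _check_timeout(seconds):
    """Return a finding if request-timeout is outside 1-30 seconds, else None."""
    if not REQUEST_TIMEOUT_MIN <= seconds <= REQUEST_TIMEOUT_MAX:
        return (f"request-timeout {seconds} is outside the supported range "
                f"{REQUEST_TIMEOUT_MIN}-{REQUEST_TIMEOUT_MAX}")
    return None


def build_saml_sso_config(server_name, assertion_consumer_url, issuer,
                          trustpoint, request_timeout=None, max_retry_attempts=None):
    """Return the CLI lines for Steps 1-7 as a list; raise ValueError on bad input."""
    if not server_name or any(c.isspace() for c in server_name):
        raise ValueError("server name must be a single non-empty token")
    problem = _check_url(assertion_consumer_url)
    if problem:
        raise ValueError(problem)
    lines = [
        "webvpn",
        f" sso-server {server_name} type SAML-V1.1-post",
        f"  assertion-consumer-url {assertion_consumer_url}",
        f"  issuer {issuer}",
        f"  trust-point {trustpoint}",
    ]
    # the default timeout is left implicit, as the device would store it
    if request_timeout is not None and request_timeout != REQUEST_TIMEOUT_DEFAULT:
        problem = _check_timeout(request_timeout)
        if problem:
            raise ValueError(problem)
        lines.append(f"  request-timeout {request_timeout}")
    if max_retry_attempts is not None:
        # valid range not given on this page; only a positive integer is enforced
        if max_retry_attempts < 1:
            raise ValueError("max-retry-attempts must be a positive integer")
        lines.append(f"  max-retry-attempts {max_retry_attempts}")
    return lines


def audit_saml_sso_config(config_text):
    """Scan a running-config fragment and return (server, finding) tuples.

    Only sso-server blocks of the SAML POST type are examined; a block that
    lacks an assertion-consumer-url, issuer or trust-point is reported too.
    """
    blocks, current = [], None
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) >= 4 and parts[0] == "sso-server" and parts[2] == "type":
            current = {"name": parts[1], "type": parts[3].lower()}
            blocks.append(current)
        elif current is not None and len(parts) >= 2 and parts[0] in (
                "assertion-consumer-url", "issuer", "trust-point", "request-timeout"):
            current[parts[0]] = parts[1]
    findings = []
    for block in blocks:
        if block["type"] != SAML_POST_TYPE:
            continue
        name = block["name"]
        for required in ("assertion-consumer-url", "issuer", "trust-point"):
            if required not in block:
                findings.append((name, f"{required} is not configured"))
        if "assertion-consumer-url" in block:
            problem = _check_url(block["assertion-consumer-url"])
            if problem:
                findings.append((name, problem))
        if "request-timeout" in block:
            value = block["request-timeout"]
            problem = (_check_timeout(int(value)) if value.isdigit()
                       else f"request-timeout {value!r} is not an integer")
            if problem:
                findings.append((name, problem))
    return findings


# Constructed running-config fragment, used only for this example.
SAMPLE_CONFIG = """\
webvpn
 sso-server sample type SAML-V1.1-post
  assertion-consumer-url http://www.sample.com/webvpn
  issuer myasa
  trust-point mytrustpoint
  request-timeout 8
 sso-server other type SAML-V1.1-post
  assertion-consumer-url https://sso.example.test/webvpn
  issuer myasa
"""

if __name__ == "__main__":
    print("\n".join(build_saml_sso_config(
        "sample", "https://sso.example.test/webvpn", "myasa", "mytrustpoint",
        request_timeout=8)))
    for server, finding in audit_saml_sso_config(SAMPLE_CONFIG):
        print(f"{server}: {finding}")
```

Run against the constructed fragment, the audit flags the first server for its plain-http assertion consumer URL and the second for a missing trust-point, which is the kind of check worth running over exported configurations before the Step 6 signing certificate and Step 4 URL are trusted in production.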
