Configuring sso with the http form protocol – Cisco ASA 5505 User Manual

Page 1606

Advertising
background image

74-20

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 74 Configuring Clientless SSL VPN

Using Single Sign-on with Clientless SSL VPN

Subject Name format is uid=<user>

Configuring SSO with the HTTP Form Protocol

This section describes using the HTTP Form protocol for SSO. HTTP Form protocol is an approach to SSO authentication that
can also qualify as a AAA method. It provides a secure method for exchanging authentication information between users of
clientless SSL VPN and authenticating web servers. You can use it in conjunction with other AAA servers such as RADIUS or
LDAP servers.

Prerequisites

To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of
authentication and HTTP protocol exchanges.

Restrictions

As a common protocol, it is applicable only when the following conditions are met for the web server
application used for authentication:

The web form must not have dynamic parameters that are relevant for authentication (such as
parameters set by JavaScript or unique for each request).

The authentication cookie must be set for successful request and not set for unauthorized logons. In
this case, ASA cannot distinguish successful from failed authentication.

Detailed Steps

The ASA again serves as a proxy for users of clientless SSL VPN to an authenticating web server but,
in this case, it uses HTTP Form protocol and the POST method for requests. You must configure the ASA
to send and receive form data.

Figure 74-4

illustrates the following SSO authentication steps:

Step 1

A user of clientless SSL VPN first enters a username and password to log into the clientless SSL VPN
server on the ASA.

Step 2

The clientless SSL VPN server acts as a proxy for the user and forwards the form data (username and
password) to an authenticating web server using a POST authentication request.

Step 3

If the authenticating web server approves the user data, it returns an authentication cookie to the
clientless SSL VPN server where it is stored on behalf of the user.

Step 4

The clientless SSL VPN server establishes a tunnel to the user.

Step 5

The user can now access other websites within the protected SSO environment without reentering a
username and password.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals