74-13
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter74 Configuring Clientless SSL VPN
Using Single Sign-on with Clientless SSL VPN
Detailed Steps
Note This command does not change the number of days before the password expires, but rather, the
number of days ahead of expiration that the ASA starts warning the user that the password is
about to expire.
Using Single Sign-on with Clientless SSL VPN
Single sign-on support lets users of clientless SSL VPN enter a username and password only once to
access multiple protected services and web servers. In general, the SSO mechanism either starts as part
of the AAA process or just after successful user authentication to a AAA server. The clientless SSL VPN
server running on the ASA acts as a proxy for the user to the authenticating server. When a user logs in,
the clientless SSL VPN server sends an SSO authentication request, including username and password,
to the authenticating server using HTTPS. If the server approves the authentication request, it returns an
SSO authentication cookie to the clientless SSL VPN server. The ASA keeps this cookie on behalf of
the user and uses it to authenticate the user to secure websites within the domain protected by the SSO
server.
This section describes the three SSO authentication methods supported by clientless SSL VPN: HTTP
Basic and NTLMv1 (NT LAN Manager) authentication, the Computer Associates eTrust SiteMinder
SSO server (formerly Netegrity SiteMinder), and Version 1.1 of Security Assertion Markup Language
(SAML), the POST-type SSO server authentication.
This section includes:
Configuring SSO with HTTP Basic or NTLM Authentication, page74-14
Configuring SSO Authentication Using SiteMinder, page74-15
Configuring SSO Authentication Using SAML Browser Post Profile, page74-17
Configuring SSO with the HTTP Form Protocol, page74-20
Command Purpose
Step1 tunnel-group general-attributes Switches to general-attributes mode.
Step2 password-management Notifies remote users that their password is about to
expire.
Step3 password-expire-in-days Specifies when the password expires.
Step4 Enter number of days
Example:
hostname(config)# tunnel-group testgroup type webvpn
hostname(config)# tunnel-group testgroup
general-attributes
hostname(config-general)# password-management
password-expire-in-days 90
If you specify the keyword, you must also specify
the number of days. If you set the number of days to
0, this command is disabled.
Note The ASA does not notify the user of the
pending expiration, but the user can change
the password after it expires.
Sets the days before password expiration to begin
warning the user of the pending expiration to 90 for
the connection profile “testgroup.”