74-17
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 74 Configuring Clientless SSL VPN
Using Single Sign-on with Clientless SSL VPN
Detailed Steps
This section presents general tasks, not a complete procedure. To configure the Cisco authentication
scheme on your SiteMinder Policy Server, perform the following steps:
Step 1 With the SiteMinder Administration utility, create a custom authentication scheme, being sure to use the following specific arguments:
In the Library field, enter smjavaapi.
In the Secret field, enter the same secret configured on the ASA.
You configure the secret on the ASA using the policy-server-secret command at the command line interface.
In the Parameter field, enter CiscoAuthApi.
Step 2 Using your Cisco.com login, download the file cisco_vpn_auth.jar from http://www.cisco.com/cisco/software/navigator.html and copy it to the default library directory for the SiteMinder server. This .jar file is also available on the Cisco ASA CD.
Configuring SSO Authentication Using SAML Browser Post Profile
This section describes configuring the ASA to support Security Assertion Markup Language (SAML),
Version 1.1 POST profile Single Sign-On (SSO) for authorized users.
After a session is initiated, the ASA authenticates the user against a configured AAA method. Next, the
ASA (the asserting party) generates an assertion to the relying party, the consumer URL service provided
by the SAML server. If the SAML exchange succeeds, the user is allowed access to the protected
resource. Figure 74-3 shows the communication flow:
Figure 74-3 SAML Communication Flow
Prerequisites
To configure SSO with a SAML Browser Post Profile, you must perform the following tasks:
Specify the SSO server with the sso-server command.
Specify the URL of the SSO server for authentication requests (the assertion-consumer-url command).
Specify the ASA hostname as the component issuing the authentication request (the issuer command).
Specify the trustpoint certificate used for signing SAML Post Profile assertions (the trustpoint command).
[Figure 74-3 SAML Communication Flow: User Browser; User Login; Access to Applications; Security Applications; SAML SSO Assertion; Redirection to Applications Portal (with cookie); SAML Server; Protected Resource URL (Web Agent)]