Cisco ASA 5500 Series Configuration Guide using the CLI (page 74-18)
Chapter 74: Configuring Clientless SSL VPN
Using Single Sign-on with Clientless SSL VPN
Optionally, in addition to these required tasks, you can do the following configuration tasks:
- Configure the authentication request timeout (the request-timeout command).
- Configure the number of authentication request retries (the max-retry-attempts command).
Restrictions
- SAML SSO is supported only for clientless SSL VPN sessions.
- The ASA currently supports only the Browser Post Profile type of SAML SSO server.
- The SAML Browser Artifact method of exchanging assertions is not supported.
Detailed Steps
This section presents the specific steps for configuring the ASA to support SSO authentication with the SAML Post Profile. To configure SSO with SAML-V1.1-POST, perform the following steps:
Step 1: webvpn
  Purpose: Switches to webvpn configuration mode.

Step 2: sso-server <name> type <type>
  Purpose: Creates an SSO server.
  Example:
    hostname(config)# webvpn
    hostname(config-webvpn)# sso-server sample type SAML-V1.1-post
    hostname(config-webvpn-sso-saml)#
  The example creates an SSO server named Sample of type SAML-V1.1-POST.

Step 3: sso saml
  Purpose: Switches to webvpn-sso-saml configuration mode.

Step 4: assertion-consumer-url <url>
  Purpose: Specifies the authentication URL of the SSO server.
  Example:
    hostname(config-webvpn-sso-saml)# assertion-consumer-url http://www.sample.com/webvpn
    hostname(config-webvpn-sso-saml)#
  The example sends authentication requests to the URL http://www.Example.com/webvpn.

Step 5: issuer <a unique string>
  Purpose: Identifies the ASA itself when it generates assertions. Typically, this issuer name is the hostname of the ASA.
  Example:
    hostname(config-webvpn-sso-saml)# issuer myasa
    hostname(config-webvpn-sso-saml)#

Step 6: trust-point <trustpoint name>
  Purpose: Specifies the identification certificate used to sign the assertion.
  Example:
    hostname(config-webvpn-sso-saml)# trust-point mytrustpoint

Step 7 (Optional): request-timeout <seconds>
  Purpose: Configures the number of seconds before a failed SSO authentication attempt times out.
  Example:
    hostname(config-webvpn-sso-saml)# request-timeout 8
    hostname(config-webvpn-sso-saml)#
  The example sets the number of seconds before a request times out to 8. The default is 5 seconds, and the possible range is 1 to 30 seconds.
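As an added example that is not part of the Cisco guide, the following Python script lints an ASA webvpn configuration for the SAML SSO server settings covered in the steps above. It parses each sso-server block from configuration text, checks that the assertion-consumer-url, issuer and trust-point commands are present, verifies that request-timeout stays within the documented 1 to 30 second range (default 5), confirms the server type is the supported SAML-V1.1-POST profile, and flags an assertion consumer URL that is not https (that last check is the editor's recommendation, not a requirement stated by the guide). The configuration text, server names, URL hosts and trust-point name are constructed for the example; the indentation mirrors how ASA subcommands are entered but the parser does not depend on it.

```python
"""Lint ASA webvpn sso-server blocks for the SAML SSO settings (added example)."""
import re
from urllib.parse import urlparse

REQUIRED = ("assertion-consumer-url", "issuer", "trust-point")
TIMEOUT_DEFAULT, TIMEOUT_MIN, TIMEOUT_MAX = 5, 1, 30   # from the request-timeout step
SUPPORTED_TYPE = "saml-v1.1-post"                      # only Browser Post profile is supported

SSO_SERVER_RE = re.compile(r"^sso-server\s+(\S+)\s+type\s+(\S+)$", re.IGNORECASE)
SETTING_RE = re.compile(
    r"^(assertion-consumer-url|issuer|trust-point|request-timeout|max-retry-attempts)\s+(\S+)$",
    re.IGNORECASE,
)

# Constructed sample config: the command sequence from the steps, plus a second
# block that is deliberately incomplete and out of range (hypothetical names).
SAMPLE_CONFIG = """\
webvpn
 sso-server sample type SAML-V1.1-post
  assertion-consumer-url http://www.sample.com/webvpn
  issuer myasa
  trust-point mytrustpoint
  request-timeout 8
 sso-server broken type SAML-V1.1-post
  assertion-consumer-url https://idp.example.test/webvpn
  request-timeout 45
"""


def parse_sso_servers(config_text):
    """Return {server_name: {"type": ..., setting: value, ...}} from config text."""
    servers = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.lower() == "webvpn":
            current = None            # back at the webvpn level, no open block
            continue
        m = SSO_SERVER_RE.match(line)
        if m:                         # start of a new sso-server block
            current = {"type": m.group(2)}
            servers[m.group(1)] = current
            continue
        m = SETTING_RE.match(line)
        if m and current is not None: # known subcommand inside the open block
            current[m.group(1).lower()] = m.group(2)
    return servers


def effective_timeout(settings):
    """Seconds before an SSO request times out, applying the documented default."""
    return int(settings.get("request-timeout", TIMEOUT_DEFAULT))


def lint_sso_server(name, settings):
    """Return a list of findings (empty list means the block passes every check)."""
    findings = []
    if settings.get("type", "").lower() != SUPPORTED_TYPE:
        findings.append(f"{name}: type {settings.get('type')!r} is not the supported "
                        f"Browser Post profile (SAML-V1.1-POST)")
    for key in REQUIRED:
        if key not in settings:
            findings.append(f"{name}: missing required command '{key}'")
    url = settings.get("assertion-consumer-url")
    if url and urlparse(url).scheme.lower() != "https":
        # Editor's recommendation: assertions posted over plain http are readable in transit.
        findings.append(f"{name}: assertion-consumer-url {url} is not https")
    timeout = settings.get("request-timeout")
    if timeout is not None and (not timeout.isdigit()
                                or not TIMEOUT_MIN <= int(timeout) <= TIMEOUT_MAX):
        findings.append(f"{name}: request-timeout {timeout} is outside the "
                        f"{TIMEOUT_MIN}-{TIMEOUT_MAX} second range")
    return findings


def lint_config(config_text):
    """Lint every sso-server block in the config; returns {server_name: [findings]}."""
    return {name: lint_sso_server(name, s) for name, s in parse_sso_servers(config_text).items()}


if __name__ == "__main__":
    for server, problems in lint_config(SAMPLE_CONFIG).items():
        status = "ok" if not problems else f"{len(problems)} finding(s)"
        print(f"{server}: {status}")
        for p in problems:
            print("  -", p)
```

Run it against the output of `show running-config webvpn` saved to a file by replacing SAMPLE_CONFIG with the file contents; a block with no findings has every required command, a supported profile type and a timeout inside the documented range.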