74-20
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter74 Configuring Clientless SSL VPN
Using Single Sign-on with Clientless SSL VPN
Subject Name format is uid=<user>
Configuring SSO with the HTTP Form Protocol
This section describes using the HTTP Form protocol for SSO. HTTP Form protocol is an approach to SSO authentication that
can also qualify as a AAA method. It provides a secure method for exchanging authentication information between users of
clientless SSL VPN and authenticating web servers. You can use it in conjunction with other AAA servers such as RADIUS or
LDAP servers.Prerequisites
To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of
authentication and HTTP protocol exchanges.
Restrictions
As a common protocol, it is applicable only when the following conditions are met for the web server
application used for authentication:
The web form must not have dynamic parameters that are relevant for authentication (such as
parameters set by JavaScript or unique for each request).
The authentication cookie must be set for successful request and not set for unauthorized logons. In
this case, ASA cannot distinguish successful from failed authentication.
Detailed Steps
The ASA again serves as a proxy for users of clientless SSL VPN to an authenticating web server but,
in this case, it uses HTTP Form protocol and the POST method for requests. You must configure the ASA
to send and receive form data. Figure74-4 illustrates the following SSO authentication steps:
Step1 A user of clientless SSL VPN first enters a username and password to log into the clientless SSL VPN
server on the ASA.
Step2 The clientless SSL VPN server acts as a proxy for the user and forwards the form data (username and
password) to an authenticating web server using a POST authentication request.
Step3 If the authenticating web server approves the user data, it returns an authentication cookie to the
clientless SSL VPN server where it is stored on behalf of the user.
Step4 The clientless SSL VPN server establishes a tunnel to the user.
Step5 The user can now access other websites within the protected SSO environment without reentering a
username and password.