74-21
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 74 Configuring Clientless SSL VPN
Using Single Sign-on with Clientless SSL VPN
Figure 74-4 SSO Authentication Using HTTP Forms
While you would expect to configure form parameters that let the ASA include POST data such as the
username and password, you initially might not be aware of additional hidden parameters that the web
server requires. Some authentication applications expect hidden data which is neither visible to nor
entered by the user. You can, however, discover hidden parameters the authenticating web server expects
by making a direct authentication request to the web server from your browser without the ASA in the
middle acting as a proxy. Analyzing the web server response using an HTTP header analyzer reveals
hidden parameters in a format similar to the following:
<param name>=<URL encoded value>&<param name>=<URL encoded>
Some hidden parameters are mandatory and some are optional. If the web server requires data for a
hidden parameter, it rejects any authentication POST request that omits that data. Because a header
analyzer does not tell you if a hidden parameter is mandatory or not, we recommend that you include all
hidden parameters until you determine which are mandatory.
To configure SSO with the HTTP Form protocol, you must perform the following:
- Configure the uniform resource identifier on the authenticating web server to receive and process the form data (action-uri).
- Configure the username parameter (user-parameter).
- Configure the user password parameter (password-parameter).
You might also need to do the following tasks, depending upon the requirements of the authenticating web server:
- Configure a starting URL if the authenticating web server requires a pre-login cookie exchange (start-url).
- Configure any hidden authentication parameters required by the authenticating web server (hidden-parameter).
- Configure the name of an authentication cookie set by the authenticating web server (auth-cookie-name).
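The following configuration, added here as an illustration rather than taken from the guide, puts the six settings above together for one form-based web server; the group and tunnel-group names, interface, hostnames, form field names, hidden fields and cookie name are all assumed values, and the final tunnel-group binding is an assumed step outside this section.

```text
! Added example, not from the guide: all names and values below are assumed
! AAA server group that speaks the HTTP Form protocol
aaa-server WEBAUTH protocol http-form
 exit
! The authenticating web server reached through the "inside" interface
aaa-server WEBAUTH (inside) host auth.example.com
 ! Pre-login GET so the server can set the cookie it expects back on the POST
 start-url https://auth.example.com/login
 ! URI that receives and processes the form POST
 action-uri https://auth.example.com/login/submit
 ! Form field names that carry the username and the password
 user-parameter username
 password-parameter password
 ! Hidden fields found with an HTTP header analyzer, copied as-is:
 ! URL-encoded and joined with '&'; keep all of them until the mandatory ones are known
 hidden-parameter target=https%3A%2F%2Fportal.example.com%2F&realm=corp
 ! Cookie the server sets on success; its presence marks the login as successful
 auth-cookie-name SESSION
! Bind the group to the clientless SSL VPN tunnel group (assumed step)
tunnel-group CLIENTLESS-SSO webvpn-attributes
 authentication-server-group WEBAUTH
```

If the server rejects the POST, a missing mandatory hidden parameter is the first thing to compare against the header analyzer output.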
[Figure 74-4 labels: Web VPN server; Auth Web server; Other protected web server; Tunnel]