74-28
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter74 Configuring Clientless SSL VPN
Using Single Sign-on with Clientless SSL VPN
Configuring SSO for Plug-ins
Plug-ins support single sign-on (SSO). They use the same credentials (username and password) entered
to authenticate the clientless SSL VPN session. Because the plug-ins do not support macro substitution,
you do not have the option to perform SSO on different fields, such as the internal domain password or
the attribute on a RADIUS or LDAP server.
To configure SSO support for a plug-in, you install the plug-in and add a bookmark entry to display a
link to the server, specifying SSO support using the csco_sso=1 parameter. The following examples
show plug-in bookmarks enabled for SSO:
ssh://ssh-server/?cisco_sso=1
rdp://rdp-server/?Parameter1=value&Parameter2=value&csco_sso=1
Configuring SSO with Macro Substitution
This section describes using macro substitution for SSO. Configuring SSO with macro substitution
allows for you to inject certain variables into bookmarks to substitute for dynamic values.
Note Smart tunnel bookmarks support auto-signon but not variable substitution. For example, a SharePoint
bookmark configured for smart tunnel uses the same username and password credentials to log into the
application as the credentials used to log into clientless SSL VPN. You can use variable substitutions
and auto signon simultaneously or separately.
You can now use bookmarks with macro substitutions for auto sign-on on some web pages. The former
POST plug-in approach was created so that administrators could specify a POST bookmark with sign-on
macros and receive a kick-off page to load prior to posting the POST request. This POST plug-in
approach eliminated those requests that required the presence of cookies or other header items. Now an
an administrator determines the pre-load page and URL, which specifies where you want the post login
request sent. A pre-load page enables an endpoint browser to fetch certain information that is sent along
to the webserver or web application rather than just using a POST request with credentials.
The following variables (or macros) allow for substitutions in bookmarks and forms-based HTTP POST
operations:
CSCO_WEBVPN_USERNAME — user login ID
CSCO_WEBVPN_PASSWORD — user login password
CSCO_WEBVPN_INTERNAL_PASSWORD — user internal (or domain) password. This cached
credential is not authenticated against a AAA server. When you enter this value, the security
appliance uses it as the password for auto signon, instead of the password/primary password value.
Note You cannot use any of these three variables in GET-based http(s) bookmarks. Only
POST-based http(s) and cifs bookmarks can use these variables.
CSCO_WEBVPN_CONNECTION_PROFILE —user login group drop-down (connection profile
alias)
CSCO_WEBVPN_MACRO1 — set with the RADIUS-LDAP Vendor Specific Attribute (VSA). If
you are mapping from LDAP with an ldap-attribute-map command, use the
WebVPN-Macro-Substitution-Value1 Cisco attribute for this macro. See the Active Directory
ldap-attribute-mapping examples at
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ref_extserver.html#wp1572118.