38-30
Cisco ASDM User Guide
OL-16647-01
Chapter 38 Clientless SSL VPN
SSO Servers
To configure SSO with the HTTP Form protocol, see Configuring Session Settings.
The SSO mechanism starts either as part of the AAA process (HTTP Forms) or immediately after the user
successfully authenticates, to either a AAA server (SiteMinder) or a SAML Browser Post Profile server. In
both cases, the Clientless SSL VPN server running on the security appliance acts as a proxy for the user to
the authenticating server. When a user logs in, the Clientless SSL VPN server sends an SSO
authentication request, including the username and password, to the authenticating server over HTTPS.
If the authenticating server approves the authentication request, it returns an SSO authentication cookie
to the Clientless SSL VPN server. The security appliance keeps this cookie on behalf of the user and
presents it to authenticate the user to secure websites within the domain protected by the SSO server.
Configuring SiteMinder and SAML Browser Post Profile
SSO authentication with SiteMinder or with SAML Browser Post Profile is separate from AAA and
occurs after the AAA process completes. To set up SiteMinder SSO for a user or group, you must first
configure a AAA server (RADIUS, LDAP and so forth). After the AAA server authenticates the user,
the Clientless SSL VPN server uses HTTPS to send an authentication request to the SiteMinder SSO
server.
In addition to configuring the security appliance, for SiteMinder SSO, you also must configure your CA
SiteMinder Policy Server with the Cisco authentication scheme. See Adding the Cisco Authentication
Scheme to SiteMinder.
For SAML Browser Post Profile you must configure a Web Agent (Protected Resource URL) for
authentication. For the specifics of setting up a SAML Browser Post Profile SSO server, see SAML
POST SSO Server Configuration.
Fields
Server Name—Display only. Displays the names of the configured SSO servers. A name is 4 to 31
characters long.
Authentication Type—Display only. Displays the type of SSO server. The security appliance
currently supports the SiteMinder type and the SAML Browser Post Profile type.
URL—Display only. Displays the SSO server URL to which the security appliance makes SSO
authentication requests.
Secret Key—Display only. Displays the secret key used to encrypt authentication communications
with the SSO server. The key can be comprised of any regular or shifted alphanumeric character, and
there is no minimum or maximum number of characters. The same key must be entered on the SiteMinder
Policy Server for the Cisco authentication scheme, so treat it as a shared password: choose a long, random
value and do not reuse it for anything else.
Maximum Retries—Display only. Displays the number of times the security appliance retries a
failed SSO authentication attempt. The range is 1 to 5 retries, and the default number of retries is 3.
Request Timeout (seconds)—Display only. Displays the number of seconds before a failed SSO
authentication attempt times out. The range is 1 to 30 seconds, and the default number of seconds is
5.
Add/Edit—Opens the Add/Edit SSO Server dialog box.
Delete—Deletes the selected SSO server.
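The CLI equivalent of the fields above, as an added example that is not from this guide: it configures a SiteMinder SSO server on the security appliance with the default retry and timeout values, binds it to a group policy so that SSO runs after AAA completes, and then exercises it. The server name sm-corp, the URL, the secret, the group-policy name and the test username are placeholders assumed for illustration; the SAML Browser Post Profile type uses different server-level commands and is not shown.

```cisco
! Added example, not from the ASDM guide. All names, the URL and the secret
! are placeholders; replace them with your own values.
webvpn
 ! SSO server of type SiteMinder. The name must be 4 to 31 characters.
 sso-server sm-corp type siteminder
  ! URL of the SiteMinder Web Agent that the appliance sends SSO requests to
  web-agent-url https://sso.example.com/vpnauth/
  ! Shared secret; must match the key entered for the Cisco authentication
  ! scheme on the SiteMinder Policy Server. Use a long random value.
  policy-server-secret Xk8v2QmR7pL4wZ9t
  ! Retries of a failed SSO request (1-5, default 3)
  max-retry-attempts 3
  ! Seconds before a failed SSO request times out (1-30, default 5)
  request-timeout 5
!
! Attach the SSO server to a group policy; SSO is attempted only after the
! user has passed AAA for the session. (placeholder policy name)
group-policy ClientlessPolicy attributes
 webvpn
  sso-server value sm-corp
!
! Verify the configured values, then send a trial SSO request for a user
! (placeholder username) to confirm the appliance reaches the SSO server.
show webvpn sso-server sm-corp
test sso-server sm-corp username jdoe
```

The test command prompts for the user's password and reports whether the SSO server returned an authentication cookie; a timeout or connection failure there points at the URL, certificate or network path rather than at the secret, while an explicit rejection with correct credentials usually means the secret does not match the one on the Policy Server.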
Modes
The following table shows the modes in which this feature is available: