72-16
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Application Helper
Step 2 Configure certificates.
Step 3 Specify that asserting party assertions must be signed.
Step 4 Select how the SAML server identifies the user:
• Subject Name Type is DN
• Subject Name format is uid=<user>
Configuring SSO with the HTTP Form Protocol
This section describes using the HTTP Form protocol for SSO. HTTP Form protocol is an approach to
SSO authentication that can also qualify as a AAA method. It provides a secure method for exchanging
authentication information between users of clientless SSL VPN and authenticating web servers. You
can use it in conjunction with other AAA servers such as RADIUS or LDAP servers.
Prerequisites
To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of
authentication and HTTP protocol exchanges.
Restrictions
As a common protocol, it is applicable only when the following conditions are met for the web server
application used for authentication:
• The web form must not have dynamic parameters that are relevant for authentication (such as
parameters set by JavaScript or unique for each request).
• The authentication cookie must be set for successful request and not set for unauthorized logons. In
this case, ASA cannot distinguish successful from failed authentication.
Detailed Steps
The ASA again serves as a proxy for users of clientless SSL VPN to an authenticating web server but,
in this case, it uses HTTP Form protocol and the POST method for requests. You must configure the ASA
to send and receive form data. Figure 72-3 illustrates the following SSO authentication steps:
Step 1 A user of clientless SSL VPN first enters a username and password to log into the clientless SSL VPN
server on the ASA.
Step 2 The clientless SSL VPN server acts as a proxy for the user and forwards the form data (username and
password) to an authenticating web server using a POST authentication request.
Step 3 If the authenticating web server approves the user data, it returns an authentication cookie to the
clientless SSL VPN server where it is stored on behalf of the user.
Step 4 The clientless SSL VPN server establishes a tunnel to the user.
Step 5 The user can now access other websites within the protected SSO environment without reentering a
username and password.