Using Single Sign-On with Clientless SSL VPN; Configuring SSO with HTTP Basic or NTLM Authentication - Cisco PIX 500 Series Configuration Manual

Security appliance command line
Specifying this command with the number of days set to 0 disables this command. The security appliance
does not notify the user of the pending expiration, but the user can change the password after it expires.
The following example sets the days before password expiration to begin warning the user of the pending
expiration to 90 for the connection profile "testgroup":
hostname(config)# tunnel-group testgroup type webvpn
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# password-management password-expire-in-days 90

Using Single Sign-on with Clientless SSL VPN

Single sign-on support lets users of clientless SSL VPN enter a username and password only once to
access multiple protected services and web servers. In general, the SSO mechanism either starts as part
of the AAA process or just after successful user authentication to a AAA server. The clientless SSL VPN
server running on the security appliance acts as a proxy for the user to the authenticating server. When
a user logs in, the clientless SSL VPN server sends an SSO authentication request, including username
and password, to the authenticating server using HTTPS. If the server approves the authentication
request, it returns an SSO authentication cookie to the clientless SSL VPN server. The security appliance
keeps this cookie on behalf of the user and uses it to authenticate the user to secure websites within the
domain protected by the SSO server.
This section describes the three SSO authentication methods supported by clientless SSL VPN: HTTP
Basic and NTLMv1 (NT LAN Manager) authentication, the Computer Associates eTrust SiteMinder
SSO server (formerly Netegrity SiteMinder), and Version 1.1 of Security Assertion Markup Language
(SAML), the POST-type SSO server authentication.
This section includes:

Configuring SSO with HTTP Basic or NTLM Authentication
Configuring SSO Authentication Using SiteMinder
Configuring SSO Authentication Using SAML Browser Post Profile
Configuring SSO with the HTTP Form Protocol

Configuring SSO with HTTP Basic or NTLM Authentication

This section describes single sign-on with HTTP Basic or NTLM authentication. You can configure the
security appliance to implement SSO using either or both of these methods. The auto-signon command
configures the security appliance to automatically pass clientless SSL VPN user login credentials
(username and password) on to internal servers. You can enter multiple auto-signon commands. The
security appliance processes them according to the input order (early commands take precedence). You
specify the servers to receive the login credentials using either IP address and IP mask, or URI mask.
Use the auto-signon command in any of three modes: webvpn configuration, webvpn group-policy
mode, or webvpn username mode. Username supersedes group, and group supersedes global. The mode
you choose depends upon the scope of authentication you want:

Mode                               Scope
webvpn configuration               All clientless SSL VPN users globally
webvpn group-policy configuration  A subset of clientless SSL VPN users defined by a group policy
webvpn username configuration      An individual user of clientless SSL VPN

Cisco Security Appliance Command Line Configuration Guide
37-8
Chapter 37 Configuring Clientless SSL VPN
OL-12172-03
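The following configuration is an added illustration of the three scopes and the precedence rules described above; it is not taken from this manual. The auto-signon allow {ip | uri} ... auth-type syntax is assumed from the Cisco ASA command reference, and the addresses, group policy, username and hostnames are constructed. Because auto-signon replays the user's VPN password to whatever server matches, each rule is scoped as narrowly as possible.

```cisco
! Global scope (webvpn configuration): applies to all clientless SSL VPN users.
! Forward credentials only to the 10.1.1.0/24 intranet servers; a narrow mask
! limits where user passwords are replayed.
hostname(config)# webvpn
hostname(config-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type all
hostname(config-webvpn)# exit

! Group scope: supersedes the global rule for members of EngineersPolicy.
! Rules are matched in input order, so the more specific URI mask is entered first.
hostname(config)# group-policy EngineersPolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# auto-signon allow uri https://wiki.example.com/* auth-type ntlm
hostname(config-group-webvpn)# auto-signon allow uri https://*.example.com/* auth-type basic
hostname(config-group-webvpn)# exit
hostname(config-group-policy)# exit

! User scope: supersedes both the group and the global rules for this one user.
hostname(config)# username auditor attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# auto-signon allow uri https://reports.example.com/* auth-type ntlm
```

Check the effective rule set for a user with show running-config webvpn, show running-config group-policy and show running-config username before assuming a broad global rule has been overridden.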
