Cisco PIX 500 Series Configuration Manual page 769
Security appliance command line

Chapter 37 Configuring Clientless SSL VPN
Detailed Tasks: Configuring SSO with SAML Post Profile

This section presents the specific steps for configuring the security appliance to support SSO authentication with the SAML Browser Post Profile. To configure SSO with SAML-V1.1-POST, perform the following steps:
Step 1 In webvpn configuration mode, enter the sso-server command with the type option to create an SSO server. For example, to create an SSO server named sample of type SAML-V1.1-POST, enter the following:

hostname(config)# webvpn
hostname(config-webvpn)# sso-server sample type SAML-V1.1-post
hostname(config-webvpn-sso-saml)#

Note The security appliance currently supports only the Browser Post Profile type of SAML SSO server.
Step 2 Enter the assertion-consumer-url command in webvpn-sso-saml configuration mode to specify the assertion consumer URL of the SSO server, that is, the URL to which the security appliance sends its authentication assertions. For example, to send authentication requests to the URL http://www.sample.com/webvpn, enter the following:

hostname(config-webvpn-sso-saml)# assertion-consumer-url http://www.sample.com/webvpn
hostname(config-webvpn-sso-saml)#
Step 3 Use the issuer command to specify a unique string that identifies the security appliance itself as the issuer of the assertions it generates. Typically, this issuer name is the hostname of the security appliance, as follows:

hostname(config-webvpn-sso-saml)# issuer myasa
hostname(config-webvpn-sso-saml)#
Step 4 Specify the identification certificate used to sign the assertions with the trust-point command in webvpn-sso-saml configuration mode. The trustpoint must already hold an identity certificate. An example follows:

hostname(config-webvpn-sso-saml)# trust-point mytrustpoint
hostname(config-webvpn-sso-saml)#
Step 5 Optionally, you can configure the number of seconds before a failed SSO authentication attempt times out using the request-timeout command in webvpn-sso-saml configuration mode. The default is 5 seconds and the possible range is 1 to 30 seconds. To change the number of seconds before a request times out to 8, for example, enter the following:

hostname(config-webvpn-sso-saml)# request-timeout 8
hostname(config-webvpn-sso-saml)#
Step 6 Optionally, you can configure the number of times the security appliance retries a failed SSO authentication attempt before the authentication times out using the max-retry-attempts command in webvpn-sso-saml configuration mode. The default is 3 retry attempts and the possible range is 1 to 5 attempts. To configure the number of retries to be 4, for example, enter the following:

hostname(config-webvpn-sso-saml)# max-retry-attempts 4
hostname(config-webvpn-sso-saml)#
Step 7 After you configure the SSO server, you must specify SSO authentication for either a group or a user. To specify SSO for a group, assign an SSO server to a group policy using the sso-server value command in group-policy-webvpn configuration mode. To specify SSO for a user, assign an SSO server to a user policy using the same command, sso-server value, but in username-webvpn configuration mode. For example, to assign the SSO server named Example to the user named Anyuser, enter the following:

hostname(config)# username Anyuser attributes
hostname(config-username)# webvpn
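The following is an added example that is not part of the original manual: the seven steps above carried through on one security appliance, for both the group-policy and the username form of Step 7. The names sample, myasa, mytrustpoint, SSOUsers and Anyuser and the consumer URL are placeholders chosen for this example, and it assumes the trustpoint mytrustpoint has already been enrolled with an identity certificate. Because the Browser Post Profile delivers the signed assertion through the user's browser, the assertion consumer URL here uses https:// rather than the http:// shown in the manual's example, so that the assertion is not exposed in clear text on that hop.

```cisco
! Added example, not from the original manual. Placeholder names:
! sample, myasa, mytrustpoint, SSOUsers, Anyuser, www.sample.com.
! Assumption: trustpoint mytrustpoint already holds an identity
! certificate (enrolled via crypto ca trustpoint / crypto ca enroll);
! the web site receiving the assertions must trust that certificate.

! Step 1: create the SAML Browser Post Profile SSO server.
hostname(config)# webvpn
hostname(config-webvpn)# sso-server sample type SAML-V1.1-post

! Step 2: URL the browser is told to POST the signed assertion to.
! https:// chosen here because the assertion transits the client browser.
hostname(config-webvpn-sso-saml)# assertion-consumer-url https://www.sample.com/webvpn

! Step 3: issuer value written into every assertion; the consumer
! must be configured to expect exactly this string.
hostname(config-webvpn-sso-saml)# issuer myasa

! Step 4: certificate used to sign the assertions.
hostname(config-webvpn-sso-saml)# trust-point mytrustpoint

! Steps 5 and 6 (optional): change the defaults of 5 seconds and 3 retries.
hostname(config-webvpn-sso-saml)# request-timeout 8
hostname(config-webvpn-sso-saml)# max-retry-attempts 4
hostname(config-webvpn-sso-saml)# exit
hostname(config-webvpn)# exit

! Step 7, group form: every member of group policy SSOUsers gets SSO.
hostname(config)# group-policy SSOUsers attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# sso-server value sample
hostname(config-group-webvpn)# exit
hostname(config-group-policy)# exit

! Step 7, user form: a single user, overriding the group setting.
hostname(config)# username Anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# sso-server value sample
hostname(config-username-webvpn)# exit
hostname(config-username)# exit
```

After entering the configuration, show webvpn sso-server lists the SSO servers that were created and is a quick way to confirm that the server name assigned in Step 7 matches the one created in Step 1; a mismatch there leaves the group or user without SSO rather than producing an error at configuration time.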
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
37-13

This manual is also suitable for: ASA 5500 series