Configuring Sso With The Http Form Protocol - Cisco PIX 500 Series Configuration Manual

hostname(config-username-webvpn)# sso-server value sample
hostname(config-username-webvpn)#
Step 7
Finally, you can test the SSO server configuration using the test sso-server command in privileged
EXEC mode. For example, to test the SSO server named Example using the username Anyuser, enter:
hostname# test sso-server Example username Anyuser
INFO: Attempting authentication request to sso-server sample for user Anyuser
INFO: STATUS: Success
SSO Server Configuration
Use the SAML server documentation provided by the server software vendor to configure the SAML
server in Relying Party mode. The following steps list the specific parameters required to configure the
SAML Server for Browser Post Profile:
Step 1
Configure the SAML server parameters to represent the asserting party (the security appliance):
• Recipient consumer url (same as the assertion consumer url configured on the ASA)
• Issuer ID, a string, usually the hostname of appliance
• Profile type - Browser Post Profile
Step 2
Configure certificates.
Step 3
Specify that asserting party assertions must be signed.
Step 4
Select how the SAML server identifies the user:
• Subject Name Type is DN
• Subject Name format is uid=<user>

Configuring SSO with the HTTP Form Protocol

This section describes using the HTTP Form protocol for SSO. HTTP Form protocol is a common
approach to SSO authentication that can also qualify as an AAA method. It provides a secure method for
exchanging authentication information between users of clientless SSL VPN and authenticating web
servers. As a common protocol, it is highly compatible with web servers and web-based SSO products,
and you can use it in conjunction with other AAA servers such as RADIUS or LDAP servers.
Note
To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of
authentication and HTTP protocol exchanges.
The security appliance again serves as a proxy for users of clientless SSL VPN to an authenticating web
server but, in this case, it uses HTTP Form protocol and the POST method for requests. You must
configure the security appliance to send and receive form data. Figure 37-2 illustrates the following SSO
authentication steps:
1. A user of clientless SSL VPN first enters a username and password to log into the clientless SSL
VPN server on the security appliance.
2. The clientless SSL VPN server acts as a proxy for the user and forwards the form data (username
and password) to an authenticating web server using a POST authentication request.
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 37 Configuring Clientless SSL VPN
37-14
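The two-step exchange described above, as an added example that is not part of Cisco's documentation or of the security appliance software: a simulated authenticating web server accepts a login form by POST, and a function standing in for the clientless SSL VPN server proxies the user's username and password to it as application/x-www-form-urlencoded data and reports whether the server accepted them. The URL path /login, the form field names username and password, the cookie name AUTHSESSION and the credential store are constructed assumptions for this example, not values from the manual.

```python
"""Simulated HTTP Form SSO exchange (added example, not Cisco code).

Models the two steps the text describes: the user submits a username and
password to the clientless SSL VPN server, which proxies them as an HTTP
POST to an authenticating web server. Field names, path, cookie name and
the credential store below are constructed for this example.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential store of the simulated authenticating web server.
VALID_USERS = {"Anyuser": "s3cret-example"}


class AuthFormHandler(BaseHTTPRequestHandler):
    """Authenticating web server side: validates a login form sent by POST."""

    def do_POST(self):
        if self.path != "/login":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode()
        fields = urllib.parse.parse_qs(body)
        user = fields.get("username", [""])[0]
        password = fields.get("password", [""])[0]
        if VALID_USERS.get(user) == password:
            # Success: hand back a session cookie (constructed name/value).
            self.send_response(200)
            self.send_header("Set-Cookie",
                             "AUTHSESSION=example-token; HttpOnly; Secure")
            self.end_headers()
            self.wfile.write(b"login ok")
        else:
            self.send_response(401)
            self.end_headers()
            self.wfile.write(b"login failed")

    def log_message(self, *args):
        # Silence per-request logging so the example runs quietly.
        pass


def proxy_login(server_url, username, password, timeout=5):
    """Clientless SSL VPN server side: forward the form data by POST and
    return (HTTP status, Set-Cookie header or None)."""
    body = urllib.parse.urlencode(
        {"username": username, "password": password}).encode()
    req = urllib.request.Request(server_url + "/login", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Set-Cookie")
    except urllib.error.HTTPError as err:
        # A 4xx/5xx answer means the web server rejected the credentials.
        return err.code, None


def run_exchange(username, password):
    """Start the simulated web server on an ephemeral loopback port, run one
    proxied login against it, then shut it down. Returns (status, cookie)."""
    server = HTTPServer(("127.0.0.1", 0), AuthFormHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = "http://127.0.0.1:%d" % server.server_address[1]
        return proxy_login(url, username, password)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("good credentials:", run_exchange("Anyuser", "s3cret-example"))
    print("bad credentials: ", run_exchange("Anyuser", "wrong-password"))
```

run_exchange starts a fresh listener for each call so the block runs offline; the plain-HTTP loopback listener stands in for the HTTPS connection a real deployment would use between the appliance and the authenticating web server.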