Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Single Sign on on Clientless SSL VPN

Hi Guys,

Anybody has a working template for clientless SSLVPN single sign on for a web application using http form?

Regards

7 REPLIES
New Member

Re: Single Sign on on Clientless SSL VPN

Yes, I have used HTTP form (with Post) as an authentication method for clientless webvpn and SSO.  There is no specific template for this, per say, as some of the options for your AAA config are application specific (ex action-uri and hidden-parameter).  My recommendation is to follow the following doc very closely.  It really does a good job of breaking down the steps to implementing it.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/webvpn.html#wp1080368

Hope this helps.  Let me know if you have any specific questions.

Best,

Christopher

New Member

Re: Single Sign on on Clientless SSL VPN

Hi,

I'm following this document but I just need to understand a bit the concerpt, when I login using a username and password to the SSL porta, will this same username and password be used automatically for a configured web application( bookmark) for which authentication on the web application is mandatory!

SO I enter the username and password only once the first time?

Another thing concerning the aaa method should I bind it from the beginning for the usernam and password used for the SSL portal?

New Member

Re: Single Sign on on Clientless SSL VPN

Just to take a step back here to clarify, when you state: "Another thing concerning the aaa method should I bind it from the beginning for the usernam and password used for the SSL portal?"  What is the scope of your efforts with portal?  Is your intention to authenticate the user and dump them straight into the web app, or will there be other applications presented within the portal?  If you're looking to just take the user directly to the app after login, you could create a AAA group for the http-form (to auth against the web app) and tie it to your tunnel-group (connection profile).  Then, using either GP or customizations, you can skip the standard portal page and place the user right into the app.  You would just need to specify to do an HTTP POST to page using the webvpn credentials and map them to the values in the http parameters.

If your intention is for this app to be one of many in the portal, your options somewhat depend upon the authentication methods for both your tunnel-group as well as your web app.  If this is the case, let me know and we can expound on it further as there are different methods/variables involved here.

Does this help?

Thanks,

Christopher

New Member

Re: Single Sign on on Clientless SSL VPN

Hi

I'm glad I'm working from the first time with the right guy on netpro

My scenario is the below:

I have different web applications that will be posted on the portal and each has its own authentication schema.

so basically I need to go with the second option where I was thinking of a unified username and password across all web applications for a specified username and when connected to the SSL portal, he would chose one of the links but then he'll not to have to authenticate against the web application.

Can this be done? IF not what are my alternatives?

The web applications are a combination of IIS, webmails and apache

Regards

New Member

Re: Single Sign on on Clientless SSL VPN

Hi Christopher,

I'm demoing the below  at the customer site! do you have any updates?

Regards

New Member

Re: Single Sign on on Clientless SSL VPN

When you say each has its own authentication schema, does that mean that each has different combinations of UN and Passwords?  Or is there something unifying it on the back-end, such as AD?  Assuming everything ties in on the backend for authentication, you can set your portal auth against the centralized AAA server, be it radius, Ldap, etc.  Then when, publishing bookmarks, you can set it to post those credentials or use one of the other SSO methods outlined in the following document:

https://supportforums.cisco.com/message/3202819#3202819

If the authentication structure for all of your web resources is not tied together on the backend, then this becomes even more challenging where SSO may not be a full possibility.  You could, of course, always play a bit with double auth (introduced in 8.2) or the internal password functionality, but this can become somewhat cumbersome to the end user.

New Member

Re: Single Sign on on Clientless SSL VPN

Hi Christopher,

There is Active Directory, so basically I didn't give you the whole picture. I'm positionning ACS whihc will integrate with AD and the whole database of username and passwords will be there.

How can I integrate the aaa http form with the cisco ACS?

Regards

2011
Views
0
Helpful
7
Replies