Cisco ASA 5505 Configuration Manual page 1495

Asa 5500 series

Chapter 67 Clientless SSL VPN
SSO Servers

Configuring SiteMinder and SAML Browser Post Profile
SSO authentication with SiteMinder or with SAML Browser Post Profile is separate from AAA and
occurs after the AAA process completes. To set up SiteMinder SSO for a user or group, you must first
configure a AAA server (RADIUS, LDAP and so forth). After the AAA server authenticates the user,
the clientless SSL VPN server uses HTTPS to send an authentication request to the SiteMinder SSO
server.

In addition to configuring the adaptive security appliance, for SiteMinder SSO, you also must configure
your CA SiteMinder Policy Server with the Cisco authentication scheme. See Adding the Cisco
Authentication Scheme to SiteMinder.

For SAML Browser Post Profile you must configure a Web Agent (Protected Resource URL) for
authentication. For the specifics of setting up a SAML Browser Post Profile SSO server, see
SAML POST SSO Server Configuration.

Fields
Server Name—Display only. Displays the names of configured SSO Servers. The minimum number
of characters is 4, and the maximum is 31.
Authentication Type—Display only. Displays the type of SSO server. The adaptive security
appliance currently supports the SiteMinder type and the SAML Browser Post Profile type.
URL—Display only. Displays the SSO server URL to which the adaptive security appliance makes
SSO authentication requests.
Secret Key—Display only. Displays the secret key used to encrypt authentication communications
with the SSO server. The key can consist of any regular or shifted alphanumeric character.
There is no minimum or maximum number of characters.
Maximum Retries—Display only. Displays the number of times the adaptive security appliance
retries a failed SSO authentication attempt. The range is 1 to 5 retries, and the default number of
retries is 3.
Request Timeout (seconds)—Display only. Displays the number of seconds before a failed SSO
authentication attempt times out. The range is 1 to 30 seconds, and the default number of seconds is
5.
Add/Edit—Opens the Add/Edit SSO Server dialog box.
Delete—Deletes the selected SSO server.

Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System

SAML POST SSO Server Configuration
Use the SAML server documentation provided by the server software vendor to configure the SAML
server in Relying Party mode. To configure the SAML Server for Browser Post Profile, perform the
following steps:

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, 67-31
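
Added example (not from the Cisco guide): a lint for templated ASA configurations that checks each SSO server against the limits in the Fields list and flags SSO URLs that are not HTTPS, since the page states the request is sent over HTTPS. Assumptions not shown on this page: the CLI forms `sso-server <name> type <type>`, `web-agent-url`, `assertion-consumer-url`, `max-retry-attempts` and `request-timeout`, the stanza indentation, applying the HTTPS check to the SAML type, and the sample names and URLs.

```python
import re

# Limits and defaults from the Fields list above, as (min, max[, default]).
NAME_LEN, RETRIES, TIMEOUT = (4, 31), (1, 5, 3), (1, 30, 5)
# Assumption: CLI type keywords and their URL sub-commands (not shown on this page).
TYPES = {"siteminder": "web-agent-url", "saml-v1.1-post": "assertion-consumer-url"}
# Constructed sample config; names and URLs are placeholders.
SAMPLE = """\
webvpn
 sso-server smsrv type siteminder
  web-agent-url http://sm.example.com/webvpn
  max-retry-attempts 7
 sso-server samlpost1 type saml-v1.1-post
  assertion-consumer-url https://idp.example.com/acs
  request-timeout 10
 sso-server ab type siteminder
  web-agent-url https://sm.example.com/webvpn
"""

def parse_sso_servers(config):
    """Return {name: {"type": ..., sub-command: value}} per sso-server stanza."""
    servers, current = {}, None
    for line in config.splitlines():
        head = re.match(r"\s*sso-server (\S+) type (\S+)\s*$", line)
        if head:
            current = servers.setdefault(head.group(1), {"type": head.group(2)})
        elif current is not None and line.startswith("  ") and line.strip():
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # left the stanza
    return servers

def audit(config):
    """Return sorted (server, finding) pairs for values outside the documented limits."""
    findings = []
    for name, s in parse_sso_servers(config).items():
        if not NAME_LEN[0] <= len(name) <= NAME_LEN[1]:
            findings.append((name, "name length outside 4-31 characters"))
        url_key = TYPES.get(s["type"])
        if url_key is None:
            findings.append((name, "unsupported type " + s["type"]))
        elif not s.get(url_key, "").lower().startswith("https://"):
            findings.append((name, url_key + " missing or not HTTPS"))
        for key, (lo, hi, default) in (("max-retry-attempts", RETRIES), ("request-timeout", TIMEOUT)):
            value = s.get(key, str(default))  # an absent line means the default
            if not (value.isdigit() and lo <= int(value) <= hi):
                findings.append((name, "%s %s outside %d-%d" % (key, value, lo, hi)))
    return sorted(findings)
```

Calling `audit(SAMPLE)` returns one finding for the short name `ab` and two for `smsrv`; `samlpost1` passes with the default retry count.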


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
