Cisco ASA Series Cli Configuration Manual page 1824

Using Single Sign-on with Clientless SSL VPN
Detailed Steps
Note
Command
Step 1
tunnel-group general-attributes
Step 2
password-management
Step 3
password-expire-in-days
Step 4
Enter number of days
Example:
hostname(config)# tunnel-group testgroup type webvpn
hostname(config)# tunnel-group testgroup
general-attributes
hostname(config-general)# password-management
password-expire-in-days 90
Using Single Sign-on with Clientless SSL VPN
Single sign-on support lets users of clientless SSL VPN enter a username and password only once to
access multiple protected services and web servers. In general, the SSO mechanism either starts as part
of the AAA process or just after successful user authentication to a AAA server. The clientless SSL VPN
server running on the ASA acts as a proxy for the user to the authenticating server. When a user logs in,
the clientless SSL VPN server sends an SSO authentication request, including username and password,
to the authenticating server. If the server approves the authentication request, it returns an SSO
authentication cookie to the clientless SSL VPN server. The ASA keeps this cookie on behalf of the user
and uses it to authenticate the user to secure websites within the domain protected by the SSO server.
This section describes the four SSO authentication methods supported by clientless SSL VPN: HTTP
Basic and NTLMv1 (NT LAN Manager) authentication, the Computer Associates eTrust SiteMinder
SSO server (formerly Netegrity SiteMinder), and Version 1.1 of Security Assertion Markup Language
(SAML), the POST-type SSO server authentication.
This section includes:
•
•
•
•
Cisco ASA Series CLI Configuration Guide
1-16
This command does not change the number of days before the password expires, but rather, the
number of days ahead of expiration that the ASA starts warning the user that the password is
about to expire.
Configuring SSO with HTTP Basic or NTLM Authentication, page 1-17
Configuring SSO Authentication Using SiteMinder, page 1-18
Configuring SSO Authentication Using SAML Browser Post Profile, page 1-20
Configuring SSO with the HTTP Form Protocol, page 1-23
Chapter 1 Configuring Clientless SSL VPN
Purpose
Switches to general-attributes mode.
Notifies remote users that their password is about to
expire.
Specifies when the password expires.
If you specify the keyword, you must also specify
the number of days. If you set the number of days to
0, this command is disabled.
Note
The ASA does not notify the user of the
pending expiration, but the user can change
the password after it expires.
Sets the days before password expiration to begin
warning the user of the pending expiration to 90 for
the connection profile "testgroup."