
VPN Single Sign On and the new Global Knowledge ASA Essentials Class

Author: Doug McKillip, 3 March 2011

This article is the last in a three-part series highlighting topics covered in the new Global Knowledge ASA Essentials class, an offering intended to give the student the key areas of interest for initially provisioning a security appliance. This article focuses on single sign-on (SSO) for Virtual Private Networks.

A user who performs remote access through a clientless SSL VPN is required to authenticate not only to the VPN gateway but, often, to internal web servers as well. Repeated authentication is both time-consuming and cumbersome, so a single sign-on (SSO) mechanism is frequently desirable. The standards work behind today's SSO methods is almost ten years old now, originating in the efforts of the Organization for the Advancement of Structured Information Standards (OASIS). The best-known standard to come out of that effort, and one the ASA supports, is the Security Assertion Markup Language (SAML).

The Cisco ASA has supported single sign-on for clientless SSL VPN for nearly five years now. Most recently, the appliance was enhanced to support four methods of single sign-on:

  • Basic HTTP with/without NT LAN Manager Version 1
  • The HTTP Form method
  • Computer Associates SiteMinder
  • A SAML Version 1.1 server.

Three of these methods can be configured from the graphical ASDM interface; the fourth, the HTTP Form method, must be configured from the CLI. As the reference document below indicates, configuring HTTP Form SSO requires a browser and an HTTP header analyzer to discover the form data the ASA must replay: the form's action URI, the parameter names carrying the username and password, any hidden parameters the form submits, and the name of the cookie the server sets on a successful login. Those values are then entered into the CLI. Because the ASA will submit the user's VPN credentials to that form on the user's behalf, the action URI should be an HTTPS URL on the intended server only.
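The discovery step described above can be scripted. The following is an added example, not code from the original article or from Cisco: it parses a constructed copy of an internal login page plus the headers of a constructed post-login response (what a header analyzer would show) and extracts the values the ASA's HTTP Form configuration needs. The rendered command names follow the ASA 8.x configuration guide's http-form examples; the host name, URLs, field names and cookie name are invented for the example and should be replaced with what your own capture shows.

```python
"""Extract HTTP Form SSO parameters from a captured login page and response.

Added example; the sample page, headers, host and URLs below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: the internal login page and the URL it was fetched from.
LOGIN_PAGE_URL = "https://intranet.example.com/auth/login.html"
LOGIN_PAGE_HTML = """<html><body>
<form name="search" method="get" action="/search"><input type="text" name="q"></form>
<form name="login" method="post" action="/auth/login.do">
  <input type="hidden" name="SMENC" value="ISO-8859-1">
  <input type="hidden" name="target" value="/portal/">
  <input type="text" name="userid">
  <input type="password" name="user_password">
  <input type="submit" value="Log in">
</form>
</body></html>"""

# Constructed sample: headers of the server's reply to a successful form POST,
# as seen in a header analyzer. The first Set-Cookie is the session cookie.
POST_RESPONSE_HEADERS = [
    ("Set-Cookie", "SMSESSION=abc123; path=/; secure; HttpOnly"),
    ("Set-Cookie", "lang=en; path=/"),
    ("Location", "/portal/"),
]


class LoginFormParser(HTMLParser):
    """Collect every <form> on the page together with its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").upper(),
                             "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name"),
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def discover_form_sso(page_url, html, post_response_headers):
    """Return the action URI, field names, hidden parameters and cookie candidates."""
    parser = LoginFormParser()
    parser.feed(html)
    # The login form is the first one that carries a password field.
    login = next((f for f in parser.forms
                  if any(i["type"] == "password" for i in f["inputs"])), None)
    if login is None:
        raise ValueError("no form with a password field found")
    if login["method"] != "POST":
        raise ValueError("HTTP Form SSO replays a POST; this form uses GET")
    password = next(i for i in login["inputs"] if i["type"] == "password")
    text_fields = [i for i in login["inputs"]
                   if i["type"] in ("text", "email") and i["name"]]
    if not text_fields:
        raise ValueError("no username field found")
    hidden = {i["name"]: i["value"] for i in login["inputs"]
              if i["type"] == "hidden" and i["name"]}
    # Every cookie the server sets after login is a candidate for auth-cookie-name.
    cookies = [v.split("=", 1)[0].strip() for k, v in post_response_headers
               if k.lower() == "set-cookie"]
    return {"action_uri": urljoin(page_url, login["action"]),
            "user_parameter": text_fields[0]["name"],
            "password_parameter": password["name"],
            "hidden_parameters": hidden,
            "auth_cookie_candidates": cookies,
            "start_url": page_url}


def render_asa_config(server_name, host, params, auth_cookie):
    """Render the aaa-server lines for the ASA CLI (syntax per the ASA 8.x guide)."""
    lines = [f"aaa-server {server_name} protocol http-form",
             f"aaa-server {server_name} host {host}",
             f" action-uri {params['action_uri']}",
             f" user-parameter {params['user_parameter']}",
             f" password-parameter {params['password_parameter']}"]
    lines += [f" hidden-parameter {k}={v}" for k, v in params["hidden_parameters"].items()]
    lines += [f" auth-cookie-name {auth_cookie}", f" start-url {params['start_url']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = discover_form_sso(LOGIN_PAGE_URL, LOGIN_PAGE_HTML, POST_RESPONSE_HEADERS)
    print(render_asa_config("intranet-sso", "intranet.example.com",
                            found, found["auth_cookie_candidates"][0]))
```

The cookie list is deliberately returned rather than guessed: pick the cookie that appears only after a successful login (here SMSESSION) and confirm the exact command syntax against the configuration guide for your ASA release before pasting the rendered lines.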

In typical implementations, the ASA sends the SSO authentication request on the user's behalf, receives an authentication cookie, and caches it locally for the duration of the user's session so that it can be presented to the servers within the protected domain. This functionality can be extended in two ways: macro substitution of user-associated attributes (the username and password, for example) into target applications such as Outlook Web Access, and allowing clientless SSL VPN plug-ins such as Remote Desktop to use the cached credentials. Because the appliance holds and forwards the user's credentials for the whole session, the set of servers eligible for automatic sign-on should be kept as narrow as possible.

In conclusion, SSO continues to evolve, both in the standards themselves and in the enhancements to the ASA operating system. To explore (and practice!) how it is actually implemented, be sure to attend the new Global Knowledge ASA Essentials class.

Online Community for the Security Assertion Markup Language
Computer Associates SiteMinder

Recommended Course:
ASAE – ASA Essentials

ASA Essentials Series

