VPN Single Sign On and the new Global Knowledge ASA Essentials Class
This article is the last in a three-part series that highlights some of the topics covered in the new Global Knowledge ASA Essentials class, an offering intended to provide the student key areas of interest for initially provisioning their security appliance. This article will focus on single sign-on (SSO) in Virtual Private Networks.
A typical user who performs remote access via a clientless SSL VPN will be required to authenticate not only to the secure VPN gateway, but also often to internal web servers as well. Repetitive duplicate authentication is not only time-consuming but cumbersome; consequently, a single sign-on (SSO) mechanism is frequently desirable. The derivation of methods used to implement SSO is almost ten years old now, having been derived from the efforts of the Organization for the Advancement of Structured Information Standards (OASIS). A common standard derived from their efforts, supported by the ASA, is the Security Assertion Markup Language (SAML).
The Cisco ASA supported methods for Single Sign-On with clientless SSL VPN for nearly five years now. Most recently, the appliance was enhanced to support four methods of Single Sign-On:
- Basic HTTP with/without NT LAN Manager Version 1
- The HTTP Form method
- Computer Associates SiteMinder
- A SAML Version 1.1 server.
Three of these methods are supported within the graphical ASDM interface; one, the HTTP Form method, must be configured using the CLI. As the reference document below indicates, the HTTP Form method requires a browser and an HTTP header analyzer to discover the HTTP Form data which then is entered into the CLI!
In typical implementations, the ASA sends an SSO authentication request and receives an authentication cookie which is locally cached on behalf of the user for their access within their protected domain. This functionality can be further enhanced through the use of both macro substitution of various user-associated attributes into such target applications as Outlook Web Access as well as supplementing clientless SSL VPN plug-ins with the use the cached credentials (such as Remote Desktop).
In conclusion, the SSO concept is continually evolving both in terms of advancement of the standards as well as enhancements to the ASA operating system. To explore (and practice!) how this is actually implemented, be sure to attend the new Global Knowledge ASA essentials class.
ASAE — ASA Essentials
ASA Essentials Series
- VPN Failover and the new Global Knowledge ASA Essentials Class
- VPN Single Sign On and the new Global Knowledge ASA Essentials Class