02-28-2011 10:49 AM
Trying to implement SSO using Clientless VPN.
Problem is, I can authenticate to the ASA just fine, and SSO works for standard html pages. The problem I am having relates to a particular site, which incorporates an ActiveX control. Apparently, when the ASA sees this, it creates a separate tunnel, as the browser is switched from a URL containing the name of the ASA to the internal URL of the actual web server. At this point, the user has to re-authenticate. The reason for this, I believe, is that prior to hitting this particular site, the Cisco ASA held the authentication cookie returned by the internal auth server, and when the browser got "redirected", since the client browser did not have this cookie, they are forced to authenticate again to get a valid auth cookie.
If my understanding is correct, is there any way to get the ASA to pass through the initial auth cookie to the client, or am I missing something else?
Deb
If you know a better place to post this, pls advise.
02-28-2011 12:32 PM
There is one way to do this but I am not sure if it works for you.
1. create a bookmark for that new URL.
2. In "Edit Bookmark", click "Advanced Options", where you can specify post parameters for http form based authentication. For example, we can add the following for VMware view access.
submit --> Login
authType-windows-password --> true
windows-password-domain -->
windows-password-username --> CSCO_WEBVPN_USERNAME
windows-password-password --> CSCO_WEBVPN_PASSWORD
ASA will replace CSCO_WEBVPN_USERNAME and CSCO_WEBVPN_PASSWORD with real username/password automatically for SSO access.
You might need to use a tool like HTTPWatch to capture your http packet to see what post parameters are required for your authentication. And then configure the post parameters accordingly.
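As an added illustration of the step above (not code from the reply's author or from Cisco), the following script pulls the field names out of a captured login page and lists them in the same "name --> value" form used for the bookmark's post parameters, substituting the ASA credential macros for the username and password fields. The login page it parses is a constructed sample modelled on the VMware View fields in the reply; the form action and field types are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample of a form-based login page (not captured from a real server).
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="/broker/auth">
  <input type="hidden" name="authType-windows-password" value="true">
  <input type="text" name="windows-password-username">
  <input type="password" name="windows-password-password">
  <input type="text" name="windows-password-domain" value="">
  <input type="submit" name="submit" value="Login">
</form>
</body></html>
"""

# Macros the ASA expands with the logged-in user's credentials (from the reply).
# Note: an expanded one-time passcode (e.g. SecurID) is already spent at this point.
USERNAME_MACRO = "CSCO_WEBVPN_USERNAME"
PASSWORD_MACRO = "CSCO_WEBVPN_PASSWORD"


class FormFieldParser(HTMLParser):
    """Collect (name, value, type) of every named <input> in the page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.fields.append((a["name"], a.get("value") or "", a.get("type", "text")))


def bookmark_post_params(html):
    """Return ordered (name, value) pairs as they would be entered under
    'Advanced Options'. Password fields get the password macro; text fields
    whose name mentions 'user' get the username macro; others keep their value."""
    parser = FormFieldParser()
    parser.feed(html)
    params = []
    for name, value, itype in parser.fields:
        if itype == "password":
            value = PASSWORD_MACRO
        elif itype == "text" and "user" in name.lower():
            value = USERNAME_MACRO
        params.append((name, value))
    return params


if __name__ == "__main__":
    for name, value in bookmark_post_params(SAMPLE_LOGIN_PAGE):
        print(f"{name} --> {value}")
```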
02-28-2011 01:46 PM
Thanks for the reply.
Unfortunately, one thing I neglected to mention in all this is that the authentication mechanism we are using is RSA SecurID, which means that the password the user logs in with is invalid immediately after its first use.
User logs into ASA
ASA uses credentials to connect to a web server
web server checks the credentials against SecurID
Will keep this solution in my notes though, as I can see it solving other problems we may have down the road.
Really need some way to get that authentication cookie passed back to the browser. Or force the web session using ActiveX to pass through the Cisco like a regular web page does.