This section describes using the HTTP Form protocol for SSO.
HTTP Form protocol is an approach to SSO authentication that can also qualify
as an AAA method. It provides a secure method for exchanging authentication
information between users of Clientless SSL VPN and authenticating Web servers.
You can use it in conjunction with other AAA servers such as RADIUS or LDAP.
The ASA again serves as a proxy for users of Clientless SSL VPN
to an authenticating Web server but, in this case, it uses HTTP Form protocol
and the POST method for requests. You must configure the ASA to send and
receive form data.
To configure SSO with the HTTP Form protocol correctly, you must have
a thorough working knowledge of authentication and HTTP protocol exchanges.
As a common protocol, it is applicable only when the following
conditions are met for the Web server application used for authentication:
The following figure illustrates the SSO authentication steps.
Figure 1. SSO Authentication Using HTTP Forms
- A user of Clientless SSL VPN first enters a username and password to log on to the Clientless SSL VPN server on the ASA.
- The Clientless SSL VPN server acts as a proxy for the user and forwards the form data (username and password) to an authenticating Web server using a POST authentication request.
- If the authenticating Web server approves the user data, it returns an authentication cookie to the Clientless SSL VPN server, where it is stored on behalf of the user.
- The Clientless SSL VPN server establishes a tunnel to the user.
- The user can now access other websites within the protected SSO environment without re-entering a username
While you would
expect to configure form parameters that let the ASA include POST data such as
the username and password, you initially may not be aware of additional hidden
parameters that the Web server requires. Some authentication applications
expect hidden data which is neither visible to nor entered by the user. You
can, however, discover hidden parameters the authenticating Web server expects
by making a direct authentication request to the Web server from your browser
without the ASA in the middle acting as a proxy. Analyzing the Web server
response using an HTTP header analyzer reveals hidden parameters in a format
similar to the following:
<param name>=<URL encoded value>&<param name>=<URL encoded value>
Some hidden parameters are mandatory and some are optional. If
the Web server requires data for a hidden parameter, it rejects any
authentication POST request that omits that data. Because a header analyzer
does not tell you if a hidden parameter is mandatory or not, we recommend that
you include all hidden parameters until you determine which are mandatory.
To configure SSO with the HTTP Form protocol, you must perform
- Configure the uniform resource identifier on the authenticating Web server to receive and process the form data (action-uri).
- Configure the username parameter (user-parameter).
- Configure the user password parameter (password-parameter).
You may also need to do the following tasks, depending upon the
requirements of the authenticating Web server:
- Configure a starting URL if the authenticating Web server requires a pre-login cookie exchange (start-url).
- Configure any hidden authentication parameters required by the authenticating Web server (hidden-parameter).
- Configure the name of an authentication cookie set by the authenticating Web server (auth-cookie-name).