Wednesday, July 28, 2010

Single Sign on with Cisco SSL VPN and Sharepoint

We just deployed SharePoint at my job, and I was looking for a way to have single sign-on between our SSL VPN on the Cisco ASA and SharePoint. I looked through the Cisco forums and couldn't get any answer. After playing around with the ASA settings for 4 hours, I was able to make it work, and it was so simple to do. Make sure that the SSL VPN and SharePoint use the same authentication source; our SSL VPN is set up with LDAP or NTDomain authentication. With SSO enabled, the ASA passes the credentials you use to log in to the SSL VPN on to SharePoint.

First you have to enable single sign-on by going to

Configuration->Clientless SSL VPN Access->Group Policy. Choose the policy you want to enable single sign-on for, click Edit->More Options->Single Sign On, and click Add:
URI=*
Authentication Type=Basic, NTLM, and FTP; click OK.

Then go to Configuration->Clientless SSL VPN Access->Portal Customization. If you don't have a customized page yet, click Add and name it SharepointSSO (you can name it anything you want), then click Edit; another browser window will open.

Under Portal on the left side, disable everything in Title Panel, Toolbar, Navigation Panel and Application. Under Homepage choose
Mode=Custom Intranet Web Page
Custom Intranet Web Page URL=http://sharepointserver/_layouts/Authenticate.aspx (the page that lets users authenticate)
URL List Mode=No Group

Save the custom page and log in to your SSL VPN. You should automatically be logged in to SharePoint.
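One thing worth checking once this is working: with URI=* the ASA replays the portal login credentials to every site the clientless portal proxies that answers with a Basic or NTLM challenge, not just SharePoint, so narrowing the URI mask to the SharePoint host is the check a reviewer would want. The script below is an added example, not code from the original post or from Cisco. It audits the `auto-signon` lines of a `show running-config` dump and flags entries whose scope is a bare or host-level wildcard. The embedded config is constructed to mirror the ASDM steps above; it assumes ASDM writes them in the CLI form `auto-signon allow uri <mask> auth-type <type>` under the group policy's `webvpn` section, and the group-policy, URI and network names in it are placeholders.

```python
"""Audit a Cisco ASA running-config for over-broad clientless SSL VPN
auto-signon (single sign-on) entries.

Added example, not from the original post or from Cisco. The sample config
is constructed; policy names, hosts and networks are placeholders.
"""

import re

# Constructed sample of what the post's ASDM settings might look like in
# "show running-config" (assumed CLI rendering; names are placeholders).
SAMPLE_CONFIG = """\
group-policy SharepointSSO attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  auto-signon allow uri * auth-type all
  customization value SharepointSSO
  homepage value http://sharepointserver/_layouts/Authenticate.aspx
group-policy Finance attributes
 webvpn
  auto-signon allow uri http://timeclock.example.local/* auth-type ntlm
  auto-signon allow ip 10.0.5.0 255.255.255.0 auth-type basic
"""

# Matches both forms of the command: "uri <mask>" and "ip <addr> <mask>".
AUTO_SIGNON = re.compile(
    r"^\s*auto-signon\s+allow\s+"
    r"(?:uri\s+(?P<uri>\S+)|ip\s+(?P<ip>\S+)\s+(?P<mask>\S+))"
    r"\s+auth-type\s+(?P<auth>\S+)\s*$"
)
GROUP_POLICY = re.compile(r"^group-policy\s+(?P<name>\S+)\s+attributes\s*$")


def parse_auto_signon(config: str):
    """Return one dict per auto-signon entry, tagged with the group policy
    it sits under ('<global>' if it appears before any group-policy block)."""
    entries = []
    policy = "<global>"
    for line in config.splitlines():
        gp = GROUP_POLICY.match(line)
        if gp:
            policy = gp.group("name")
            continue
        m = AUTO_SIGNON.match(line)
        if not m:
            continue
        if m.group("uri"):
            scope = m.group("uri")
        else:
            scope = f"{m.group('ip')}/{m.group('mask')}"
        entries.append({"policy": policy, "scope": scope, "auth": m.group("auth")})
    return entries


def find_overbroad(entries):
    """Flag entries that forward the VPN credentials to every proxied host:
    a bare '*' URI, or a URI whose host part is itself a wildcard
    (for example 'http://*/')."""
    flagged = []
    for entry in entries:
        scope = entry["scope"]
        if scope == "*" or re.match(r"^[a-z]+://\*", scope):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in find_overbroad(parse_auto_signon(SAMPLE_CONFIG)):
        print(f"group-policy {e['policy']}: auto-signon scope {e['scope']} "
              f"(auth-type {e['auth']}) forwards VPN credentials to every proxied site")
```

Run against the constructed config, it reports only the SharepointSSO policy; the Finance policy's entries are scoped to one URI prefix and one subnet and pass. Pasting the real `show running-config` output into `SAMPLE_CONFIG` (or reading it from a file) turns this into a quick pre-change review for the URI=* setting from the steps above.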

There are other ways to accomplish this, but this is the simplest way so far. There is also a post plugin that you can download and use, but I couldn't get it to work at the time I was doing this. Please let me know if you tried the same settings I did and how it worked for you.

These settings also work with Citrix Web Interface as long as the client detection feature is NOT enabled.

5 comments:

  1. Are you able to check out files on Sharepoint to edit them? I have not been able to get that part to work for me.

  2. I'm not really involved with the SharePoint deployment. Everything here was done in the ASA. All it does is pass the credentials to SharePoint.

  3. This worked great.

    I used this for other internal TCP/HTTP sites (timeclock app that requires domain authentication, etc...).

    However, I now have an issue on an internal site that requires JRE (JavaRuntime) and the page comes up but Java never loads.

    Great post!

  4. Try enabling smart tunnel for this internal site. Also does it use a different port than http or https?

  5. Thanks! Worked well for our asa-sharepoint2010 connection.
