Perhaps someone has a good idea how to solve this:
The user logs in to the SSL VPN.
We ge his password at login time. We have enabled SSO to a backend webserver that is protected by a basic authentication. So the SSL VPN posts the password to the backend webserver and we have SSO and can seamless access the backend content. (the SSP VPN and the Apache use different authentication stores)
Ok, till here it's all standard, because the users have the same passwords in both systems.
But the backend webserver is connected to another authentication source than the SSL VPN.
So it can happen that the password of the user is expired in the backend apache system, but he can still log in to the SSL VPN.
In this case the user is challenged by the SSL VPN with a HTML page (the rendering of the backend basic auth page). Here the user tries to login again and clearly it's not working.
Is there a way to disable this intermediate login page that pop ups after the SSL VPN login? So the user will get only an error and not a login page of the backend webserver?
Just in case my description was not clear enough:
If I had an Apache Reverse Proxy instead of the SSL VPN ;-) I could solve it with the following directive in the httpd.conf:
Header unset WWW-Authenticate
Is there something similar in the SSL VPN Appliance?