Configure PAM as the Relying Party (RP)
You can configure PAM to act as a SAML Relying Party (RP). An RP consumes an assertion to authenticate users. Upon successful authentication, the RP allows access to the requested services that it provides.
The UI uses the term RP to refer to the relying party. This term is synonymous with Service Provider (SP).
The following sections explain how to configure a PAM RP.
Prerequisites for SAML Configuration
Before you configure PAM to act as an RP, complete these initial tasks:
- Provision user accounts
- Configure SAML Global Settings
- Obtain a Certificate to Sign Authentication Requests
These prerequisite steps are described in the next few sections.
Provision User Accounts at Each Side
The SP and IdP must have user accounts with matching user names. Users must have permission to access resources at the SP.
Configure SAML Global Settings
Before you configure the RP, confirm the default SAML settings.
Follow these steps:
- Select Settings, Global Settings.
- Select the SAML tab.
- Verify the following two settings:
  - Require Inherited SAML Auth: When the authentication method for a user group is set to SAML, selecting this option applies SAML to all user group members. The individual authentication method is disregarded. This setting is selected by default.
  - SAML Re-authentication Period (Minutes): This setting applies only when Privileged Access Manager is the IdP. It specifies the minutes of inactivity before a session with a PAM IdP expires. A subsequent SSO request requires the user to log in again. Default: 60 minutes
Obtain a Certificate to Sign Authentication Requests
A certificate for the SP is necessary to encrypt items such as an authentication request. Obtain an SSL certificate for your PAM fully qualified domain. Follow these steps:
- Navigate to Configuration, Security, Certificates.
- On the Create tab, select CSR (Certificate Signing Request). For more information, see Create a Self-Signed Certificate or a Certificate Signing Request. Use the CSR to obtain a certificate, CA chain, and CRL from your applicable Certificate Authority.
- After you obtain these files, upload them. Go to Configuration, Security, and select the Upload tab. Select and upload the appropriate files.
- Go to the Set tab to accept the certificate.
Configure PAM as the RP
A SAML SSO partnership consists of a Relying Party (RP) and an Identity Provider (IdP). The RP has the resources that users request, while the IdP has the information to authenticate the users who make the requests. The IdP returns an assertion that contains information about the user. The RP uses this information to determine whether to grant access to the user.
If PAM is the RP, you complete the RP configuration and specify the remote IdP partner.
Configure the RP
For details about the data you are entering and what it looks like in the SAML metadata, see the SAML specifications.
Follow these steps:
- Go to Configuration, Security, SAML, RP Configuration tab.
- On the RP Configuration page, select the Configuration tab.
- Complete the following settings:
  - Entity ID (required): A text string that identifies the RP. This ID must be unique. Example: mypam-r
  - Friendly Name: A name that identifies this RP.
  - Fully Qualified Hostname: Enter one of the following values. Ensure you specify the fully qualified host name.
    - For a single instance, enter the value of the IdP host name, such as http://capam.example.com/.
    - For cluster members, enter the host name, such as http://capam.example.com/, or enter the RP IP address for each member of the cluster. Note: Do not enter the VIP Address for the RP cluster. For a primary cluster member, enter the VIP address or VIP host name.
    Inform your federation partners to use the fully qualified host name when accessing the PAM RP.
  - Description: Describes the RP.
  - Organization Name: Enter the name of the company or other organization responsible for this RP. If an ADFS entity is acting as the IdP, specify the organization for the PAM RP configuration. Otherwise, the RP metadata file cannot be imported by the ADFS IdP.
  - Organization URL: Enter the URL for the company or other organization responsible for this RP.
  - Administrative Contact Name: Enter the name of the administrative contact for this RP.
  - Administrative Contact Email: Enter the email of the administrative contact.
  - Certificate Key Pair (required): Select the desired SSL certificate + private key concatenated file from the certificate files uploaded on this PAM RP (through Configuration, Security, Certificates, Upload).
  - Accept RSA-SHA1 Signed Responses: Select this option if you want to accept the RSA-SHA1 signature method when it is presented.
  - SAML IdP Metadata Refresh Mode: To specify a schedule for refreshing IdP metadata, specify Hourly or Daily. (The document from which to read IdP metadata must be specified in the Metadata Refresh Source URL field on the Configured Remote SAML IdP tab.)
- Select Save Configuration.
Identify the Remote Identity Provider
The PAM RP sends authentication requests to one or more IdPs to authenticate a user requesting a resource. Identify each remote IdP partner. The buttons on this page become active after you specify and save the required fields in the Configuration tab for the RP. PAM can act as an IdP independent of the RP.
If your deployment is clustered and you are configuring CA Single Sign-On as a remote Identity Provider, the following option must be set in the IdP configuration settings in the CA Single Sign-On product: on the SSO and SLO dialog, set the Accept ACS URL in the Authnrequest option (located in the SSO section). For more information, see SSO and SLO Dialog (SAML 2.0 IdP) in the CA Single Sign-On documentation.
Follow these steps:
- On the RP Configuration page, select the Configured Remote SAML IdP tab.
- Define the IdP in one of the following ways:
  - Select Upload An Identity Provider Metadata and create an IdP record from the imported metadata document that is obtained from the remote IdP.
  - Select Add and manually create an Identity Provider (IdP) record on the dialog that opens. After you populate the necessary fields, select Save Configuration. The following fields are in the Add Identity Provider dialog:
    - Friendly Name (required): Assign a name for this IdP.
    - Organization Name: Enter the name of the company or other organization responsible for this IdP.
    - Entity ID (required): Enter a unique text string that identifies the RP. Example: IdPserverA
    - Description: Enter an optional description for the remote IdP.
    - Single Sign On Protocol Binding (required): Select the protocol binding for the remote IdP: HTTP-Redirect or HTTP-POST.
    - Single Sign On Service (required): Enter the URL of the SSO service at the remote IdP. Example: https://rp.example.com/idp/profile/SAML2/POST/SSO
    - Allow Just In Time Provisioning: Select this checkbox to enable PAM to provision new user accounts from SAML at the SP. If you include the userGroup attribute in the assertion, ensure that the group exists at the SP or the user is not provisioned. See the JIT Provisioning section.
    - Certificate (required): This certificate decrypts the signed assertion from the remote IdP.
    - Sign Authentication Requests: Select this checkbox if the remote IdP requires signed authentication requests.
    - Signature Algorithm: Select the signature algorithm from the provided options.
    - Authentication Contexts: Select the applicable authentication contexts for this IdP.
    - Require Encrypted Assertions: If you require the remote IdP to encrypt assertions, select this checkbox.
    - Enable Holder of Key Support: If you require PAM to be configured for smartcard authentication, select this checkbox.
    - Metadata Refresh Fingerprint: Specify the fingerprint of the certificate that is used to validate the signature of an IdP that signs its metadata.
    - Metadata Refresh Source URL: Specifies the URL of a document from which to periodically refresh Identity Provider data. (Only used if the SAML IdP Metadata Refresh Mode option on the RP Configuration tab is set to Hourly or Daily.)
Most of the remaining buttons on the page are self-explanatory. Note the following options:
- Test: Select the Test button to test the connection to the associated IdP.
- Download Metadata: Select the Download link to get the RP metadata file for this IdP. You can then import it into the IdP and establish trust of this RP.
Example: Configuring SAML SSO with PAM
The following example illustrates how to establish SAML single sign-on between two PAM servers acting as SAML partners. In the procedures that follow:
- The RP and the IdP are both PAM appliances.
- Metadata files are used to define each partner to one another.
Import IdP Metadata to the RP
The IdP metadata file is an XML file that describes the SAML services that the IdP provides. The document contains information about how an SP can send authentication requests to the IdP. The file contains the certificate (public key) that the IdP uses to sign all assertions. Finally, the file includes the fully qualified domain name (or IP address) of the IdP. Therefore, any time the FQDN or the certificate changes, update the IdP metadata and upload the file to the SPs.
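As an added example (not code from the PAM product or its documentation), the following Python script reads from a constructed IdP metadata document the fields the RP relies on: the entity ID, the SSO endpoint and its binding, the IdP host, and a SHA-256 fingerprint of the signing certificate in the colon-separated form used by fields such as Metadata Refresh Fingerprint. It then reports which of those fields changed between two versions of the file, which is the check that tells you the metadata on the SPs is stale. The entity ID, hostname and certificate bytes are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML_BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"


def sample_idp_metadata(cert_bytes=b"PLACEHOLDER-CERT-BYTES"):
    """Constructed IdP metadata; cert_bytes stands in for a real DER certificate."""
    cert_b64 = base64.b64encode(cert_bytes).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="IdPserverA">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{SAML_BINDINGS}HTTP-POST"
      Location="https://mypam.example.com/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull out what the RP trusts: entity ID, SSO endpoint, signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    cert_el = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                       "ds:X509Data/ds:X509Certificate", NS)
    der = base64.b64decode("".join(cert_el.text.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return {
        "entity_id": root.get("entityID"),
        "sso_binding": sso.get("Binding").replace(SAML_BINDINGS, ""),
        "sso_location": sso.get("Location"),
        "idp_host": urlparse(sso.get("Location")).hostname,
        # SHA-256 of the DER certificate as colon-separated hex pairs.
        "signing_cert_fingerprint": ":".join(digest[i:i + 2] for i in range(0, 64, 2)),
    }


def trust_changes(previous, current):
    """Fields whose change means the IdP record stored on the RP is stale."""
    return [k for k in ("entity_id", "idp_host", "sso_location",
                        "signing_cert_fingerprint") if previous[k] != current[k]]
```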
Download the metadata file:
- Log in to the PAM IdP as a Configuration Administrator.
- Navigate to Configuration, Security, SAML, and select the IdP Configuration tab.
- Following a change in the appliance hostname or the default certificate, update the IdP settings as follows:
  - In Entity ID, assign a unique name to identify this IdP. This ID gets included in the IdP metadata file and in the assertions the IdP generates.
  - In Fully Qualified Hostname, enter the value that is used for this RP, such as: mypam.example.com
  - From the drop-down list for IdP Certificate, select the certificate and private key pair.
  - Select Update IdP Configuration to apply the current certificate, hostname, and your assigned ID.
  - Upon changing your hostname, select Accept IdP Certificate in that panel.
- Select Download IdP Metadata to save the metadata file locally.
Upload the metadata to the RP:
- Log in to the RP as a Configuration Administrator.
- Navigate to Configuration, Security, SAML, RP Configuration tab.
- At the minimum, complete the required fields.
- Select Save Configuration.
- Identify at least one corresponding IdP by clicking Upload An Identity Provider Metadata. Browse to the metadata file from the IdP and select Upload.
- Move to the Set tab and accept the file.
The IdP is now identified by its Friendly Name, if available, and its Entity ID.
Import the SP Metadata to the IdP
This PAM RP is now aware of the IdP by way of the imported IdP metadata file. The RP uses an SP metadata file to identify itself to the IdP. The RP and IdP can then communicate with each other.
Download the SP metadata:
- If you are not already there, navigate to Configuration, Security, SAML, and select the RP Configuration tab, Configured Remote SAML IdP section.
- Identify the line item for the IdP that you are looking for.
- Select the Download Metadata link for this IdP to save this SP metadata file locally.
Upload the SP metadata to the IdP:
- Log in to the IdP as a Configuration Administrator.
- Select Services, Import SAML 2 SP Metadata to open the import page.
- Select Choose File to locate the XML file that you obtained from the SP.
- Select the Import SAML 2 SP Metadata button to upload it to the IdP. After you do so, you will see several acknowledgment messages. If there are errors, they are noted in red.
- Confirm that a Service record has been created under Services, Manage TCP/UDP Services, with a Service Name matching the IdP SAML Entity ID. Select the Update button to see the details. The record has the following information:
  - Typical specifications for a Web Portal, with Auto Login Method = "SAML2.0 SSO POST"
  - Launch URL, which is the Assertion Consumer Service URL
  - SAML SSO Info tab with the SAML Entity ID
  - SAML SSO Attributes tab with SAML SSO Subject Name Identifier Formats and SAML SSO Attributes
- In Devices, Manage Devices, verify that a Device record has been created with Name and Address matching the IdP SAML-applicable FQDN.
Provision SSO Access Policy
The SP and IdP have been configured to trust each other. Now you can provision the IdP to permit its users to access the SP services.
When you open a policy for the SP (for a particular user or user group), select the corresponding RP service. The service is identified by Entity ID. This action opens the SAML tab so that its attributes can be specified.
You might need to revise the SAML attributes so that they are sufficiently identified. The SAML Name Identifier Format is initially not specified. If this value is missing, select one of the available options so that the xAttribute becomes available.
SAML SSO User Experience
After you set up SAML SSO, a Single Sign On option becomes available on the login screen of the PAM UI. The following process assumes an RP-initiated connection:
- The user requests a resource at the RP by selecting Single Sign On at the login screen.
- The user is alerted that the login proceeds with authentication at a different target, the IdP. If there are multiple IdP targets, the user must select one from the drop-down list, then select ENTER.
- The user is then brought to the login page for the IdP. No Single Sign On option is available at the IdP.
- The user enters the required credentials.
- Once the IdP has authenticated the user, its task is complete. Control is handed back to the SP, where the user is granted access to the application.
JIT Provisioning
Just-in-time (JIT) SAML provisioning in PAM enables the provisioning of new user accounts from SAML assertions. For JIT provisioning to work effectively, follow these guidelines:
- Create PAM user groups that match the user groups that are used in the SAML assertion.
- Use the userGroup attribute in the assertion for these user groups.
- The user must belong to an existing user group, or the user is not provisioned and authentication fails. The user is redirected to the login page.
- The user can belong to multiple user groups.
- If a user later logs in with a different set of user groups, the user moves to those user groups.
- Entitlements for users are defined by the user groups.
- As an administrator, you cannot manage user group membership inside the appliance. You can manage membership only using assertions.
- This user group behavior only works for users that are provisioned using JIT provisioning.
JIT Provisioning User Groups Examples
The following examples illustrate how the SAML userGroup attribute interacts with user groups. For these examples, the following user groups are configured in PAM: Group A, Group B, Group C, Group D.
- The SAML assertion contains Group A and Group C. The user is provisioned in those user groups.
- If the assertion contains only Group E, the JIT provisioning and authentication fail. The user is redirected to the login page.
- A user belongs to Group A and Group C and the assertion contains Group B and Group D. The user account moves from Group A and Group C to Group B and Group D.
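To make the group rules concrete, here is an added Python sketch (not PAM's own code) that reads the userGroup attribute from a constructed, unsigned assertion and applies the membership rules from the three examples above. It assumes provisioning is all-or-nothing, that is, every asserted group must already exist in PAM; the examples only show the all-known and all-unknown cases, so that handling of a mixed assertion is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# User groups configured in PAM for the examples above.
CONFIGURED_GROUPS = {"Group A", "Group B", "Group C", "Group D"}


def constructed_assertion(subject, groups):
    """Constructed, unsigned assertion fragment carrying the userGroup attribute.
    A real assertion is signed and verified before any attribute is trusted."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
            "<saml:AttributeStatement>"
            f'<saml:Attribute Name="userGroup">{values}</saml:Attribute>'
            "</saml:AttributeStatement></saml:Assertion>")


def asserted_groups(assertion_xml):
    """Collect every userGroup value from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attr = root.find("saml:AttributeStatement/saml:Attribute[@Name='userGroup']", NS)
    if attr is None:
        return set()
    return {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}


def jit_login(memberships, assertion_xml, configured=CONFIGURED_GROUPS):
    """Apply the JIT rules to one login. memberships maps user -> set of groups
    and is updated in place; the return value is the outcome of the login."""
    root = ET.fromstring(assertion_xml)
    user = root.find("saml:Subject/saml:NameID", NS).text
    groups = asserted_groups(assertion_xml)
    # Assumption: provisioning is all-or-nothing. If the assertion names no
    # group, or any group that PAM does not know, the user is not provisioned
    # and is sent back to the login page.
    if not groups or not groups <= configured:
        return "redirect-to-login"
    # Membership is replaced, not merged: a later login with a different
    # set of groups moves the user to those groups.
    memberships[user] = set(groups)
    return "authenticated"


if __name__ == "__main__":
    members = {}
    print(jit_login(members, constructed_assertion("alice", ["Group A", "Group C"])), members)
    print(jit_login(members, constructed_assertion("bob", ["Group E"])), members)
    print(jit_login(members, constructed_assertion("alice", ["Group B", "Group D"])), members)
```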
Configure JIT Provisioning
Follow the same instructions that are found in Configure PAM as the RP. When you get to the Configured Remote SAML IdP step on the RP Configuration page, either Upload or Add the IdP information as instructed.
- If you select Add and you manually create an Identity Provider (IdP) record, select the Allow Just In Time Provisioning checkbox.
- If you select Upload An Identity Provider Metadata and you create an IdP record from the imported IdP metadata document, select Update afterwards. Select the Allow Just In Time Provisioning checkbox.
Select Save Configuration.