Configure PAM as an Identity Provider (IdP)
You can configure Privileged Access Manager as an Identity Provider (IdP) to provide authentication services to a SAML 2.0 Service Provider (SP).
The PAM IdP supports the HTTP POST binding for sending messages. This topic contains the instructions to configure PAM as an IdP.
Prerequisites for SAML Configuration
Before you configure the appliance as an IdP, complete the following tasks:
Provision User Accounts at Each Side
The IdP and SP must have user accounts with matching user names. Users must have permission to access resources at the SP.
Configure SAML Global Settings in the UI
Before you configure the IdP configuration, confirm the default SAML settings.
Follow these steps:
- Select Settings, Global Settings.
- Select the SAML tab.
- Verify the following two settings:
  - Require Inherited SAML Auth: When the authentication method for a user group is set to SAML, this option applies SAML authentication to all user group members. The appliance disregards the authentication method for each individual group member. This setting is selected by default.
  - SAML Re-authentication Period (Minutes): This setting applies only when PAM is the IdP. It specifies the minutes of inactivity before a session with a PAM IdP expires. A subsequent SSO request requires the user to log in again. Default: 60 minutes.
Obtain a Certificate to Sign Authentication Responses
To sign and encrypt SAML responses for an SP, the PAM IdP must have a signed certificate from a Certificate Authority. To obtain an SSL certificate, follow these steps.
These steps apply for a single instance of PAM and for a cluster. In a cluster, complete the following procedure only on the first member of the primary site.
- In the UI, navigate to Configuration, Security, Certificates.
- On the Create page, select CSR (Certificate Signing Request). When you create a CSR, the appliance creates the CSR and a private key file. For information about completing the CSR form, see Create a Self-Signed Certificate or a CSR.
- Download the CSR and send it to the Certificate Authority. The Certificate Authority returns a certificate file and a CRL.
- After you have the certificate file, go to Configuration, Security, Certificates.
- Select the Upload page and configure the following options:
  - Type: Certificate
  - Other Options: X509
- Select Upload. The certificate is now available to the appliance. For a cluster, you must copy the certificate and the private key to all other cluster members. For instructions, continue to the next procedure.
Upload Key/Certificates in a Clustered Environment
In a cluster, the IdP configuration is automatically replicated across all cluster members. The certificate is not replicated. You must copy the certificate and private key from the first member of the primary site to every other cluster member.
On the first member of the primary site, follow these steps:
- Go to Configuration, Security, Certificates.
- Go to the Download page and download the private key file to your local system.
- Create a file using a text editor.
- Into this file, copy the contents of the private key file and the certificate file from the Certificate Authority. The private key file was generated when you created the CSR.
- Save the new file.
On every other member of the cluster (excluding the first member of the primary site), follow these steps:
- Log in to the UI and select Configuration, Security, Certificates.
- Select the Upload tab and set the following fields:
  - Type: Certificate with Private Key
  - Other options: PKCS
- Select Choose file and select the new, combined file.
- Select Upload.
Configure PAM as an IdP
A SAML SSO partnership is between an SP and an IdP. The SP has the resources that users request, while the IdP has the information to authenticate users who make the requests. The IdP returns an assertion that contains information about the user. The SP uses this information to determine whether to grant access to a user.
In a clustered environment, the appliance replicates the IdP configuration from the first member of the primary site to other members across the cluster. The exception is the key/certificate file that encrypts responses. You manually copied the key/certificate file to each member of a cluster in the previous procedure.
To configure PAM as an IdP, follow these steps:
- For clustered environments only: At the first member of the primary site, turn off the cluster. If the cluster is active, you cannot enable the IdP settings.
- Go to Configuration, Security, SAML, IdP Configuration tab.
- Complete the following settings:
  - Status: Indicates whether the IdP is enabled. Enable this setting to complete the IdP configuration.
  - Entity ID: Enter a unique text string to identify this IdP.
  - Fully Qualified Hostname: Enter one of the following values. Ensure you specify the fully qualified host name.
    - For a single instance, enter the IdP host name, such as capam.example.com.
    - For a primary cluster member, enter the VIP address or VIP host name.
    Inform your federation partners to use the fully qualified host name when accessing the PAM IdP.
  - Signature Algorithm: Select the signature algorithm that is used with the IdP certificate to sign assertions.
  - IdP Certificate: Select a certificate to sign assertions. Use the default certificate, gkcert.crt, installed with PAM, or a certificate that you uploaded in the previous procedure.
- Optionally, select Download IdP metadata to generate an XML file and send it to the remote SP.
The configuration is complete. If you change any of these settings, select Update IdP Configuration. For details about SAML metadata, see the SAML specifications.
Example: Configure SAML SSO to an AWS SP
The following example shows how to set up federated SSO between a PAM IdP and Amazon Web Services (AWS) as the SP. In this example, the configuration relies on metadata. The process is reflected in the following picture:
[Figure: SAML SSO with AWS SP]
Download IdP Metadata and Send it to the AWS SP
To establish trusted communication between the IdP and AWS SP, first configure and download the IdP metadata file. The downloaded file, named idp-metadata.xml, describes the IdP-supported SAML services. The file contains:
- Information about how an SP can send authentication requests to the IdP
- Certificate (public key) for verifying the signed assertions
- FQDN or IP address of the PAM server
If you change the FQDN or the certificate changes, update the IdP metadata and resend the file to the SP.
Follow these steps:
This procedure assumes that the IdP is already enabled.
- Log in to the PAM UI as a Configuration Administrator.
- Navigate to Configuration, Security, SAML. Select the IdP Configuration tab.
- Enter values for the following fields:
  - Entity ID: Assign a name that identifies this IdP. This ID is included in the metadata file and in assertions.
  - Fully Qualified Hostname: Enter the fully qualified name of the IdP host. The default example is idp.example.com.
  - Signature Algorithm: Select the signature algorithm that is used with the IdP certificate to sign assertions.
  - IdP Certificate: Select the certificate and key you are currently using for the appliance.
- Select Update IdP Configuration to apply the current certificate, host name, and your assigned ID. You receive a confirmation message at the top of the page.
- Select Download IdP Metadata to save the idp-metadata.xml file locally.
- At AWS, import the IdP metadata file, as instructed in the next procedure.
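Before sending idp-metadata.xml to a partner, it is worth confirming what it actually advertises: the entity ID, the SSO endpoint host name, and the signing certificate the SP will trust. The following added example (not CA PAM code) inspects such a file with the Python standard library; the metadata, entity ID, host name and certificate bytes are constructed placeholders, and only the Redirect/SSO path mirrors the sign-in URL shown for Google later on this page.

```python
# Added example (not CA PAM code): inspect an exported idp-metadata.xml before
# sending it to an SP, and confirm it still points at the IdP host name in use.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder standing in for the DER certificate bytes; a real
# file carries the base64 of the IdP signing certificate here.
CERT_BYTES = b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="pam-idp-example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://capam.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(CERT_BYTES).decode())

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def inspect_idp_metadata(xml_text, expected_fqdn):
    """Return the entity ID, SSO endpoints and signing-certificate fingerprint
    from IdP metadata, plus whether every endpoint lives on expected_fqdn."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")]
    if not signing:
        raise ValueError("no signing certificate: SPs could not verify assertions")
    cert_el = signing[0].find(".//ds:X509Certificate", NS)
    der = base64.b64decode("".join(cert_el.text.split()))
    endpoints = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    hosts = {urlparse(loc).hostname for loc in endpoints.values()}
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": endpoints,
        "cert_sha256": sha256_hex(der),  # compare with the appliance certificate
        "fqdn_matches": bool(hosts) and hosts == {expected_fqdn},
    }

if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_IDP_METADATA, "capam.example.com"))
```

A fingerprint that differs from the certificate currently selected under IdP Certificate, or a host name that no longer matches the Fully Qualified Hostname, means the file must be regenerated and resent.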
Import IdP Metadata to Create an AWS IAM Resource
A PAM administrator sends the IdP metadata to AWS. An AWS Administrator must import the metadata file to its SP endpoint. The file provides the necessary information for AWS to make authentication requests to PAM.
CAUTION! The following procedure describes a product that is independent of CA Technologies. The procedure is provided only as an example. You might encounter different features or a different appearance.
An AWS administrator must follow these steps:
- Log in to the AWS Management Console and navigate to Services, IAM, Identity Providers.
- Select Create Provider and complete the following settings:
  - Provider Type: Select SAML.
  - Provider Name: Enter a name to identify the PAM IdP.
  - Metadata Document: Locate the IdP metadata sent by the PAM Administrator.
- Select Next Step, then confirm the configuration by selecting Create.
- In the left pane, select Roles, Create New Role.
- Enter a Role Name, and select Next Step.
- On the Select Role Type page:
  - Select Role for Identity Provider Access.
  - Select Grant Web Single Sign-On (WebSSO) access to SAML providers.
- In the next panel, select the SAML provider that you created in the previous steps. Select Next Step.
- Continue past the Verify Role Trust page. In this example, you do not need to edit the Verify Role Trust: Policy Document.
- On the Attach Policy page, we recommend that you select one of the pre-built policy templates, such as Amazon EC2 Read Only Access. If you are testing on a public EC2 instance, do not let others log in to your box. Select Next Step.
- Review the confirmation, then select Create Role. Your new role appears in the roles list.
Your AWS account is now configured to communicate with the PAM IdP.
Import AWS SP Metadata at the IdP
AWS uses the concept of roles for authentication. When the IdP generates the authentication response, the assertion must contain role data for the user being authenticated. The role definition and other information are in the AWS SP metadata. The file also includes the attributes the SP expects in the IdP authentication response.
The AWS SAML metadata file is available at: https://signin.aws.amazon.com/static/saml-metadata.xml. After you obtain the file, import it into PAM.
Follow these steps:
- Log in to the PAM UI as a Configuration Administrator.
- Select Services, Import SAML 2 SP Metadata.
- Select Choose file and browse to the AWS SP metadata file.
- Select Import SAML 2.0 SP Metadata. A message confirms the import. After the import, the appliance creates two objects:
  - A web portal service. The name of the service matches the SP Entity ID in the metadata file. In this example, the service is called AWS Management Console Single Sign-On.
  - A device with an address of the Assertion Consumer Service at the SP.
- Navigate to Services, TCP/UDP Services, select the new web portal service, and update it.
- Ensure that the Auto Login Method field is set to SAML2.0 SSO POST.
- Select the SAML SSO Info tab and configure the following fields:
  - Initiating Party: Select IdP-Initiated.
  - Require Signed Authn Requests: Clear the checkbox. The AWS SP does not send signed authentication requests.
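The import step above derives the web portal service, the device, and the Require Signed Authn Requests setting from fields in the SP metadata. The following added example (not CA PAM code) shows that mapping with the Python standard library; the metadata is a constructed sample modelled on an SP that accepts HTTP-POST and does not sign its requests, its entity ID and ACS host are placeholders, and the two RequestedAttribute names are the AWS-documented SAML attribute names.

```python
# Added example (not CA PAM code): read a SAML 2.0 SP metadata file the way the
# "Import SAML 2 SP Metadata" step needs it and derive the objects it produces.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (not the real AWS file): entity ID and ACS host are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp:console">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.example.test/saml"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Console Single Sign-On</md:ServiceName>
      <md:RequestedAttribute Name="https://aws.amazon.com/SAML/Attributes/Role" isRequired="true"/>
      <md:RequestedAttribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_sp_metadata(xml_text):
    """Return what an IdP operator needs from SP metadata before importing it."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("metadata carries no SPSSODescriptor")
    # The PAM IdP sends responses with the HTTP-POST binding, so the SP must accept it.
    acs = [a for a in spsso.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("SP offers no HTTP-POST AssertionConsumerService")
    default = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    acs_url = default.get("Location")
    return {
        "entity_id": root.get("entityID"),              # web portal service name
        "acs_url": acs_url,
        "device_address": urlparse(acs_url).hostname,   # device address
        "signed_authn_requests": spsso.get("AuthnRequestsSigned") == "true",
        "requested_attributes": [r.get("Name") for r in spsso.findall(
            "md:AttributeConsumingService/md:RequestedAttribute", NS)],
    }

if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("Require Signed Authn Requests:",
          "keep checked" if info["signed_authn_requests"] else "clear")
```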
After you complete the procedures, PAM can provide an assertion to AWS. Based on the assertion, AWS can permit access to the requested resource.
Create a Policy for Users to Access AWS Resources
For a user to gain access to an AWS resource, set up a policy for that user at the appliance. The policy is made up of the TCP/UDP service and the device that the appliance automatically created when you imported the SP metadata. The policy also includes selected attributes that the AWS SP accepts in the assertion response.
Follow these steps:
- Log in to the PAM UI.
- Select Policy, Manage Policies, Add.
- On the Association panel, select a user and the device signin.aws.amazon.com. This device is the one automatically generated based on the SP metadata.
- On the Services panel, select the AWS Management Console Single Sign-On service.
- On the SAML panel, add the following attributes under the Requested Attributes column:
  - Subject Name Identifier: The available name identifier format is associated with the TCP/UDP service.
  - RoleSessionName: Assign a label in the Attribute column. Use any identifier.
  - RoleEntitlement: Select Constant in the Attribute column. In the Value column, enter the concatenated AWS ARNs for the IAM role and the Identity Provider, separated by a comma. For example: arn:aws:iam::123456789012:role/MyAWSroleForMyIDP,arn:aws:iam::123456789012:saml-provider/AWSstoredMetadataForMyIDP
  The following picture shows an example:
  [Figure: AWS sample policy]
- Select OK to save the policy.
The user can now access the AWS federated resource without having to log in.
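The RoleEntitlement constant above is the value most often entered wrongly (ARNs in the wrong order, or a role and provider from different AWS accounts), and such a mistake only surfaces when AWS rejects the assertion. The following added example (not CA PAM code) validates the pair before it goes into the policy and renders the two attributes as they appear in the assertion; AWS_ROLE_ATTR and AWS_SESSION_ATTR are the AWS-documented attribute names for what the policy calls RoleEntitlement and RoleSessionName, and the ARNs are the ones from the page.

```python
# Added example (not CA PAM code): validate the two ARNs that make up the
# RoleEntitlement constant and render the AWS attributes for the assertion.
import re
from xml.sax.saxutils import escape

# AWS-documented SAML attribute names for console federation.
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=,.@/-]+)$")

def parse_iam_arn(arn):
    """Split an IAM role or saml-provider ARN into (account, kind, name)."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role or saml-provider ARN: {arn}")
    return m.groups()

def build_role_entitlement(role_arn, provider_arn):
    """Return the comma-joined RoleEntitlement value after checking that the
    ARNs are the right types, in the right order, and in the same account."""
    role_acct, role_kind, _ = parse_iam_arn(role_arn)
    prov_acct, prov_kind, _ = parse_iam_arn(provider_arn)
    if role_kind != "role" or prov_kind != "saml-provider":
        raise ValueError("expected the role ARN first, then the saml-provider ARN")
    if role_acct != prov_acct:
        raise ValueError("role and saml-provider ARNs belong to different accounts")
    return f"{role_arn},{provider_arn}"

def check_role_entitlement(role_arn, provider_arn):
    """Return None if the pair is acceptable, otherwise the reason it is not."""
    try:
        build_role_entitlement(role_arn, provider_arn)
        return None
    except ValueError as exc:
        return str(exc)

def build_attribute_statement(role_entitlement, session_name):
    """Render the AttributeStatement fragment carrying both AWS attributes."""
    def attr(name, value):
        return (f'  <saml:Attribute Name="{name}">\n'
                f'    <saml:AttributeValue>{escape(value)}</saml:AttributeValue>\n'
                f'  </saml:Attribute>\n')
    return ('<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">\n'
            + attr(AWS_ROLE_ATTR, role_entitlement)
            + attr(AWS_SESSION_ATTR, session_name)
            + '</saml:AttributeStatement>')

if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/MyAWSroleForMyIDP"
    provider = "arn:aws:iam::123456789012:saml-provider/AWSstoredMetadataForMyIDP"
    print(build_attribute_statement(build_role_entitlement(role, provider), "jdoe"))
```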
Example: Configure SAML SSO to a Google SP
You can work with an SP that does not provide metadata. In this example, the PAM IdP is configured for SSO with a Google SP. Google does not use metadata to exchange information to or from its partners. The process is reflected in the following picture:
[Figure: SAML SSO Google example]
Identify the PAM IdP at Google
At Google, the PAM IdP must be configured so it can authenticate Google accounts.
The following procedure describes a product that is independent of CA Technologies. The procedure is provided only as an example. You might encounter different features or a different appearance.
Follow these steps:
- Log in to the Google Admin Console (https://admin.google.com).
- From the main menu at the top left, select Security, then scroll down the page and select Set up single sign-on (SSO).
- Scroll down the page and select the checkbox Setup SSO with third party identity provider.
- Enter values for the following fields:
  - Sign-in page URL: https://capam_IP_or_hostname/idp/profile/SAML2/Redirect/SSO
  - Sign-out page URL: PAM does not support single sign-out. Enter https://capam_IP_or_hostname/ as a placeholder.
  - Change password URL: PAM does not support password changes. Enter https://capam_IP_or_hostname/ as a placeholder.
  - Verification certificate: Upload the certificate from the PAM IdP. This certificate works with the private key that is used to sign the SAML response. To obtain this certificate, take one of the following actions:
    - Copy the certificate from the IdP metadata file.
    - Download the certificate from the appliance. In PAM, select Configuration, Security, Certificates, and go to the Download tab.
- Select Use a domain-specific issuer.
- Optionally, to allow a specific set of users access to the application, specify entries in the Network masks field.
- Continue to the next procedure.
Configure a PAM Service to Authenticate Google Users
Set up a service at the IdP that represents the Google SP. No metadata is available to set up this service. Obtain the necessary information from the SP.
Follow these steps:
- Log in to the PAM UI.
- Navigate to Services, Manage TCP/UDP Services, Add.
- On the Basic Info panel, configure the settings with the following values:
  - Service Name: Entity ID of the Google SP. For this example, GoogleApps.
  - Local IP: Address of the end-user local host, such as the user laptop, in the format 127.0.0.5. Do not use an address of an existing service.
  - Ports: Enter the ports of the local host, such as 443:4430.
  - Protocol: TCP
  - Application Protocol: Web Portal
  - Auto Login Method: SAML2.0 SSO POST
  - Launch URL: URL for the ACS, using the format https://<Local IP>:<First Port>/a/google_domain/acs. Enter the literal string <Local IP>:<First Port>. These entries are not placeholders. Replace google_domain with the domain of your Google services, such as calendar or email. This domain is the location consuming SAML assertions.
- In the SAML SSO Info panel, configure the fields with the following values:
  - SAML Entity ID: google.com/a/google_domain
  - Initiating Party: SP-initiated
  - Require Signed Authn Requests: Clear the checkbox.
  - Encryption: Select None. Google applications do not support encrypted assertions. If the SP does support encryption, you can select the Name ID or Assertion option. Then, copy the certificate from the SP into the PEM Encryption Certificate field.
- On the SAML SSO Attributes page, select the name identifier format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- Select OK.
Create a Device Representing Google
Add a device that identifies the Google SP.
Follow these steps:
- Select Devices, Manage Devices, Add.
- Most of the fields are self-explanatory, but note the following entries:
  - Address: Enter the fully qualified domain name of the server hosting the ACS. You can extract the address from the ACS URL, for example: https://www.google.com/a/your_google_domain/acs. The device address that is provisioned in PAM is www.google.com.
  - Device Type: Access
  - Services tab: Select the TCP/UDP service that you configured for the SP in the previous procedure.
- Select OK to save the device entry.
Create an IdP User Matching the SP User
Create a user with a user name matching a Google user account that can log in to applications.
Follow these steps:
- Select Users, Manage Users, Add.
- Most of the fields on the tabs are self-explanatory.
- In the Roles panel, select the applicable user role for a user who logs in to PAM only to access the SP.
- Select OK to save the user entry.
Create a Policy for Users to Access Google Applications
For a user to gain access to a Google application, set up a policy for that user at the appliance. The policy is made up of a TCP/UDP service, the device, and the user entry you created in the previous procedures.
Follow these steps:
- Log in to the PAM UI.
- Select Policy, Manage Policies, Add.
- On the Association panel, select a user and the device with the name www.google.com.
- On the Services panel, select the GoogleApps service.
- On the SAML panel, add an attribute entry with the following values:
  - Requested Attribute: Subject Name Identifier. This attribute is always required.
  - Name Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  - Attribute: Email
- Select OK to save the policy.
The user can now use single sign-on to the Google application.
SAML SSO User Experience
When a user makes a request, there are two types of communication flows:
- IdP-initiated: The user starts at the IdP and gets redirected to the SP.
- SP-initiated: The user begins at the SP and the SP sends an authentication request to the IdP. The IdP responds with an assertion, which identifies the user.
The two SAML SSO configuration examples illustrate each type of flow.
IdP-initiated SSO to the AWS Management Console
In the AWS example, the service you configured for the AWS Management Console uses IdP-initiated SSO.
The SSO flow follows these steps:
- The user logs in to PAM and the Access page in the UI is displayed.
- The Access page contains a link to AWS Management Console Single Sign-On.
- The user selects the link and gains access to the Console directly without entering credentials.
SP-Initiated SSO to Google Apps
For SP-initiated communication, the connection is initiated at Google. Typically, the user has the access URL to the SP.
The following procedure describes a product that is independent of CA Technologies. The procedure is provided only as an example. You might encounter different features or a different appearance.
The SSO flow follows these steps:
- In a browser, the user enters the URL to Google: https://accounts.google.com/
- At the login, the user enters their user name.
- The SP redirects the user to the PAM IdP.
- If the user has not authenticated, PAM presents the login page. The user logs in and the IdP authenticates that user.
- Following authentication, the IdP redirects the user back to Google with the assertion. The user is logged in automatically to Google.