SAML Integration of CA Single Sign On with CA PAM

Article ID: 131491

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Privileged Access Manager (PAM) CA Single Sign-On

Issue/Introduction

This article provides in-depth information to assist in setting up the SAML integration.

Environment

CA Single Sign-On 12.8 SP1
CA Privileged Access Management 3.2.3

Agreement
IDP EntityID : siteminder.test.lab
SP EntityID : https://pam323.test.lab

User Directory:
Both CA SSO and CA PAM are pointing to the same Active Directory


Resolution

Step1: Generate Certificate
This needs to be done on both sides, the CA SSO (IDP) and the CA PAM (SP).
CA SSO will sign the Assertion and CA PAM will sign the AuthnRequest.
The same certificate can be used for https as well.

Please refer to the following KB for the PAM server side. The same can be applied to CA SSO.
https://comm.support.ca.com/kb/pam-and-server-certificate/kb000130160

Step2: Exchange Certificates
This is usually done through an exchange of MetaData (xml).
But if the certificate does not get imported, you will need to import the certificates manually.

IDP (CA SSO) needs to share its public certificate and its CA certificate chain with SP (CA PAM).
"pam323" is the certificate from SP. "test-root-ca" is the CA certificate.

<Please see attached file for image>

IDP certificates

<Please see attached file for image>

CA certificate

SP (CA PAM) needs to share its public certificate and its CA certificate chain with IDP (CA SSO).
"siteminder.crt" is the IDP side certificate. It is also issued by the same CA (test-root-ca).

<Please see attached file for image>

PAM side certificates
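When the metadata exchange does not carry the certificate across and it has to be imported by hand, the value to paste is the X509Certificate element of the partner's metadata, re-wrapped as PEM, and the fingerprint is what to compare with the other side before trusting it. The following is an added example, not code from the CA article or from either product: it parses a constructed stand-in for "SiteMinderMetadata.xml" (entityID taken from this article, certificate body a labelled placeholder rather than real DER) and emits the PEM and SHA-256 fingerprint.

```python
"""Pull the signing certificate out of SAML 2.0 metadata and write it as PEM.

Added example (not part of the CA article): parses the partner's metadata,
re-armours each X509Certificate as PEM for a manual import and prints the
SHA-256 fingerprint to compare with the other side.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for SiteMinderMetadata.xml. The certificate body is a
# labelled placeholder string, not real DER; it only exercises the parsing.
FAKE_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="siteminder.test.lab">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {base64.b64encode(FAKE_CERT_DER).decode()}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_certs(metadata_xml):
    """Return [(entityID, use, der_bytes)] for every X509Certificate found.

    A KeyDescriptor without a "use" attribute is valid for both signing and
    encryption, so it is reported as "signing encryption".
    """
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    found = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use") or "signing encryption"
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            # Exporters wrap the base64 across lines; drop all whitespace first.
            b64 = "".join((cert.text or "").split())
            found.append((entity_id, use, base64.b64decode(b64, validate=True)))
    return found


def to_pem(der):
    """Wrap DER bytes in the PEM armour a "paste certificate" field expects."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form most consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    for entity_id, use, der in extract_certs(SAMPLE_METADATA):
        print(f"{entity_id} [{use}] SHA256={fingerprint(der)}")
        print(to_pem(der))
```

Run it against the real exported metadata instead of SAMPLE_METADATA to get the PEM block for the "Certificate" field; the fingerprint printed on the IDP side and the one shown in the PAM console after import should be identical, otherwise the wrong certificate (for example the CA certificate rather than the signing certificate) was imported.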

Step3: Create Local SAML2 IDP Entity at CA SSO

<Please see attached file for image>

IDP Entity
At "Federation Entity List", the "Action" dropdown menu has "Export Metadata" option.
Select "Export Metadata" to export.

<Please see attached file for image>

export IDP entity
Once you click on the "Export" button it will create a Partnership with the name (SiteMinder2PAM) you entered and also download the "SiteMinderMetadata.xml" file.

Step4: "Register CA Single Sign-On" at the PAM nodes.
Note that on the pam323t2.test.lab node, the "Trusted Host Name" used is "pam323t2".
On the pam323t1.test.lab node, "pam323t1" is used for "Trusted Host Name".
You just need to ensure this is a unique value; duplicate names are not allowed.

<Please see attached file for image>

User-added image
To perform this, you will need to have created the "Host Configuration Object" and "Agent Configuration Object" at CA Single Sign-On first.

[Agent Object] agent.pam323

<Please see attached file for image>

User-added image

[Agent Configuration Object] aco.pam323

<Please see attached file for image>

User-added image
[DefaultAgentName: agent.pam323]

<Please see attached file for image>

User-added image

[Host Configuration Object] hco.sps

<Please see attached file for image>

User-added image

[Host Configuration Object content]

<Please see attached file for image>

User-added image

You will also need the CA Single Sign-On Policy Server administrator (who has the privilege to register trusted hosts) username and password to register the "Trusted Host".

[Legacy Administrator] siteminder

<Please see attached file for image>

User-added image

[Register Trusted Hosts]

<Please see attached file for image>

User-added image
The "Trusted Host Name" is an Object Name that will be created at CA Single Sign-On if all details are entered correctly.

Once you click on "Save Configuration" at the PAM server, the Trusted Host Object gets created at CA Single Sign-On as below.

[Trusted Host Object] Registered pam323t1 and pam323t2 (one for each node)

<Please see attached file for image>

User-added image

Note: If you have already registered the "Trusted Host Name" in a previous attempt, you will not be able to register with the same "Trusted Host Name" again. If you wish to use the same name, you will need to delete the respective Trusted Host Object from CA Single Sign-On first.

Step5: Configure SAML RP Configuration at CA PAM
"Fully Qualified Hostname" is your PAM node URL. Do not use the PAM Cluster VIP FQHN!

<Please see attached file for image>

SP

Navigate to "Configured Remote SAML IdP" tab and click on "UPLOAD AN IDENTITY PROVIDER METADATA" and upload the "SiteMinderMetadata.xml" file.

<Please see attached file for image>

upload metadata

Once you upload, you will find the imported EntityID.

<Please see attached file for image>

imported entity

Double click on "siteminder.test.lab" to check its configuration.
Importing the metadata is not a must; you can configure it manually as well.

<Please see attached file for image>

idp
Make adjustments according to your needs.
Ensure the "Certificate" field has the certificate value pasted in it.
Whatever options you choose here will need to be matched at the IDP side as well.

Step6: Export PAM Metadata
It is a bit confusing but the "DOWNLOAD METADATA" button is located at the "Configured Remote SAML IDP" screen.

<Please see attached file for image>

download metadata

You will get "XsuiteMetadataFor_siteminder.test.lab.xml" file.

Step7: Import PAM Metadata at IDP

<Please see attached file for image>

import metadata

Select "Import As : Remote Entity" and "Create New"

<Please see attached file for image>

import remote

Give the new Entity a name.

<Please see attached file for image>

Name the entity

Step8: Create AuthnContext Template
At "Federation -> Partnership Federation -> Authentication Context Templates", click on "Create Template".

<Please see attached file for image>

authncontext

You can add as many Authentication Contexts as you need, but what is being set up in this sample is "unspecified", and it will be set as the "Default Authentication Context URI".

<Please see attached file for image>

authentication context

What this does is: when the Authentication Request is sent from PAM, it will send "unspecified" as the authentication context, and CA SSO will determine the Authentication URL based on the Authentication Context Template and redirect accordingly.

Please note the last entry for "unspecified", which will use "Local Authentication" and whose Authentication URL is "https://siteminder.test.lab/siteminderagent/redirectjsp/redirect.jsp".
You will need to protect this "Authentication URL"; this will be covered in the later steps.

Step9: Update CA SSO Federation Partnership.

<Please see attached file for image>

update partnership
You will need to select the Remote SP from the dropdown and select the correct entity.
The userstore (Active Directory) needs to be added to allow those users to federate.

<Please see attached file for image>

users

<Please see attached file for image>

assertion

<Please see attached file for image>

sso
In the above step, you need to select the "AuthnContext" that we created at Step7.
Also, it is critical that you enable "Accept ACS URL in the AuthnRequest".
What happens is, if you have a clustered PAM then each node will generate an AuthnRequest using its own node URL. CA SSO needs to accept it so that it is used as the Destination, and the PAM node that initiated the federation will receive the SAML token.

Note: It is the Service Provider's responsibility to validate that the URL at which it received the SAML token matches the Destination specified in the Assertion. If the URLs do not match, the SP needs to reject it.
So, if you do not enable "Accept ACS URL in AuthnRequest", the IDP will use its default value, which may be pointing to the PAM Cluster VIP FQHN and would not match when the request is redirected to the PAM node.
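To make the Destination rule in the note concrete, here is an added example, not CA PAM's own SP code or the CA article's: a minimal version of the Destination, Recipient, Audience and Issuer checks an SP performs, run against a constructed, unsigned SAML Response. The EntityIDs and the node ACS URLs are the ones from this article; the NameID "jdoe", the IDs and timestamps are made up. Signature verification, which a real SP does before any of this, is out of scope here.

```python
"""Tie a received SAML response to the node that received it.

Added example (not CA PAM code): the Destination / Recipient / Audience /
Issuer checks an SP has to perform, run against a constructed, unsigned
response. Signature verification is a separate, earlier step not shown here.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Values from the article's lab setup.
IDP_ENTITY_ID = "siteminder.test.lab"
SP_ENTITY_ID = "https://pam323.test.lab"
ACS_PATH = "/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp"
NODE1_ACS = "https://pam323t1.test.lab" + ACS_PATH
VIP_ACS = "https://pam323.test.lab" + ACS_PATH  # cluster VIP, never a node


def build_response(destination, audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID):
    """Constructed SAML 2.0 Response (no Signature element) for the checks below."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2019-05-28T12:00:00Z"
    Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-05-28T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def binding_problems(response_xml, received_at, sp_entity_id=SP_ENTITY_ID,
                     idp_entity_id=IDP_ENTITY_ID):
    """Return the reasons to reject; an empty list means these checks pass."""
    root = ET.fromstring(response_xml)
    problems = []
    # The IDP writes the ACS URL it was given into Destination; it must be the
    # exact URL this node received the POST on, so a VIP value fails on a node.
    if root.get("Destination") != received_at:
        problems.append(f"Destination {root.get('Destination')} != receiving URL {received_at}")
    if root.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        problems.append("Response Issuer is not the configured IDP EntityID")
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    if not assertions:
        problems.append("no Assertion present")
    for assertion in assertions:
        if assertion.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
            problems.append("Assertion Issuer is not the configured IDP EntityID")
        # Bearer confirmation carries the same URL again as Recipient.
        for scd in assertion.iter(f"{{{SAML}}}SubjectConfirmationData"):
            if scd.get("Recipient") != received_at:
                problems.append(f"Recipient {scd.get('Recipient')} != receiving URL {received_at}")
        audiences = [a.text for a in assertion.iter(f"{{{SAML}}}Audience")]
        if sp_entity_id not in audiences:
            problems.append(f"SP EntityID {sp_entity_id} not in Audience {audiences}")
    return problems


if __name__ == "__main__":
    print("node1 <- node1:", binding_problems(build_response(NODE1_ACS), NODE1_ACS))
    print("node1 <- VIP:  ", binding_problems(build_response(VIP_ACS), NODE1_ACS))
```

The second call reproduces the failure the note describes: the IDP fell back to its default (VIP) ACS URL, the browser delivered the token to pam323t1, and both Destination and Recipient disagree with the receiving URL, so the node rejects it even though the signature would have been fine.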

<Please see attached file for image>

signature
For the SAML 2.0 POST Profile, the Assertion is SIGNED by the IDP.
You must set the Signing Algorithm and any other options you define to agree with the SP side.
If they do not match, the SAML token will be rejected.


<Please see attached file for image>

confirm
Note the "Remote Assertion Consumer Service URL".
You must register the "Assertion Consumer Service URL" for each PAM node.
There are 2 PAM nodes so both need to be added.
https://pam323t1.test.lab/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
https://pam323t2.test.lab/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp

This must be done regardless of whether you imported the Metadata or if you configured manually.

Step10. Protect the Authentication URL at IDP.
In Step9 we defined the AuthnContext URL for "unspecified" to be "https://siteminder.test.lab/siteminderagent/redirectjsp/redirect.jsp"

<Please see attached file for image>

authentication url

Create the application(realm) and assign an Authentication Scheme. In this sample, I have assigned "Login Page" which is "HTML FORM Authentication".

<Please see attached file for image>

Application

Create Resource(Rule) to authorize GET and POST method.

<Please see attached file for image>

rule

Create Role to define who will be allowed to access this URL.

<Please see attached file for image>

role

Create a policy to allow those roles to be authorized for the application.

<Please see attached file for image>

policy

Step11. Activate the Partnership

<Please see attached file for image>

activate partnership
At this point you should be able to try accessing "https://siteminder.test.lab/affwebservices/public/saml2sso?SPID=https://pam323.test.lab" and see if you get redirected to the login page and can authenticate using AD user credentials. This is just for testing; the federation would not succeed yet.

Step12. Configure SP(PAM) nodes.
Repeat Step5 on other PAM nodes.

For example, 
pam323t1.test.lab node must use "pam323t1.test.lab" in the "Fully Qualified Hostname" field.
pam323t2.test.lab node must use "pam323t2.test.lab" in the "Fully Qualified Hostname" field.
Perform this on all the PAM nodes.
Although this appears as a "Global Setting", this part is "Local Setting".

<Please see attached file for image>

SP

<Please see attached file for image>

node2
Save the configuration to complete the setup; PAM will restart the web server.

Step13. Configure users
As PAM is using AD as its userstore, PAM needs to import those users for SAML Authentication.

<Please see attached file for image>

User-added image

<Please see attached file for image>

User-added image

Step14. Test
Close all PAM Clients and launch again.
When you connect to the PAM servers you will see the "Single Sign-On" button on the Login screen.

<Please see attached file for image>

User-added image

To login, click on the "Single Sign-On" button.
If you have the License Terms and Conditions box enabled, you must select it as well.

A login page will be displayed and you need to log in using your "CA Single Sign-On" user account and password.

<Please see attached file for image>

User-added image

<Please see attached file for image>

User-added image

Additional Information

https://communities.ca.com/community/ca-security/ca-privileged-access-management/blog/2017/04/12/tech-tip-ca-privileged-access-manager-use-ca-single-sign-on-as-identity-authentication-to-ca-pam

Attachments

1559050698162000131491_sktwi15okjw43639g.png
1559050696364000131491_sktwi15okjw43639f.png
1559050694163000131491_sktwi15okjw43639e.png
1559050691666000131491_sktwi15okjw43639d.png
1559050689645000131491_sktwi15okjw43639c.png
1559050687753000131491_sktwi15okjw43639b.png
1559050685910000131491_sktwi15okjw43639a.png
1559050684176000131491_sktwi15okjw436399.png
1559050682541000131491_sktwi15okjw436398.png
1559050680464000131491_sktwi15okjw436397.png
1559050678282000131491_sktwi15okjw436396.png
1559050676298000131491_sktwi15okjw436395.png
1559050674409000131491_sktwi15okjw436394.png
1559050672720000131491_sktwi15okjw436393.png
1559050669879000131491_sktwi15okjw436392.png
1559050668201000131491_sktwi15okjw436391.png
1559050666289000131491_sktwi15okjw436390.png
1559050663734000131491_sktwi15okjw43638z.png
1559050661811000131491_sktwi15okjw43638y.png
1559050659804000131491_sktwi15okjw43638x.png
1559050657858000131491_sktwi15okjw43638w.png
1559050655984000131491_sktwi15okjw43638v.png
1559050654084000131491_sktwi15okjw43638u.png
1559050652128000131491_sktwi15okjw43638t.png
1559050649821000131491_sktwi15okjw43638s.png
1559050647906000131491_sktwi15okjw43638r.png
1559050645934000131491_sktwi15okjw43638q.png
1559050644099000131491_sktwi15okjw43638p.png
1559050641890000131491_sktwi15okjw43638o.png
1559050639849000131491_sktwi15okjw43638n.png
1559050637808000131491_sktwi15okjw43638m.png
1559050635931000131491_sktwi15okjw43638l.png
1559050634170000131491_sktwi15okjw43638k.png
1559050632216000131491_sktwi15okjw43638j.png
1559050630152000131491_sktwi15okjw43638i.png
1559050626890000131491_sktwi15okjw43638h.png
1559050624894000131491_sktwi15okjw43638g.png
1559050623086000131491_sktwi15okjw43638f.png
1559050621226000131491_sktwi15okjw43638e.png
1559050619320000131491_sktwi15okjw43638d.png
1559050617388000131491_sktwi15okjw43638c.png
1559050615459000131491_sktwi15okjw43638b.png
1559050611645000131491_sktwi15okjw43638a.png