Step1: Generate Certificate
This needs to be done on both sides: CA SSO (IDP) and CA PAM (SP).
CA SSO signs the Assertion and CA PAM signs the AuthnRequest, so each side needs its own signing certificate and private key.
The same certificate can also be used for HTTPS, although a separate signing key means a compromised web server key does not also let an attacker sign assertions or requests.
Please refer to the following KB for the PAM server side. The same applies to CA SSO.
https://comm.support.ca.com/kb/pam-and-server-certificate/kb000130160
Step2: Exchange Certificates
This is usually done through an exchange of metadata (XML).
If the certificate is not imported along with the metadata, you will need to import the certificates manually.
IDP (CA SSO) needs to share its public certificate and its CA certificate chain with SP (CA PAM).
"pam323" is the certificate from the SP. "test-root-ca" is the CA certificate.
<Please see attached file for image>

<Please see attached file for image>

SP (CA PAM) needs to share its public certificate and its CA certificate chain with IDP (CA SSO).
"siteminder.crt" is the IDP side certificate. It is also issued by the same CA (test-root-ca).
<Please see attached file for image>

Step3: Create Local SAML2 IDP Entity at CA SSO
<Please see attached file for image>

At "Federation Entity List", the "Action" dropdown menu has "Export Metadata" option.
Select "Export Metadata" to export.
<Please see attached file for image>

Once you click the "Export" button, it creates a Partnership with the name you entered (SiteMinder2PAM) and downloads the "SiteMinderMetadata.xml" file.
Step4: "Register CA Single Sign-On" at the PAM nodes.
Note that on the pam323t2.test.lab node, the "Trusted Host Name" used is "pam323t2".
On the pam323t1.test.lab node, "pam323t1" is used for "Trusted Host Name".
You just need to ensure this is a unique value per node; duplicate names are not allowed.
<Please see attached file for image>

To perform this, you must first have created the "Host Configuration Object" and "Agent Configuration Object" in CA Single Sign-On.
[Agent Object] agent.pam323
<Please see attached file for image>

[Agent Configuration Object] aco.pam323
<Please see attached file for image>

[DefaultAgentName: agent.pam323]
<Please see attached file for image>

[Host Configuration Object] hco.sps
<Please see attached file for image>

[Host Configuration Object content]
<Please see attached file for image>

You will also need the username and password of a CA Single Sign-On Policy Server administrator (one with the privilege to register trusted hosts) to register the "Trusted Host".
[Legacy Administrator] siteminder
<Please see attached file for image>

[Register Trusted Hosts]
<Please see attached file for image>

The "Trusted Host Name" is the name of the Trusted Host object that will be created in CA Single Sign-On if all details are entered correctly.
Once you click "Save Configuration" on the PAM server, the Trusted Host object is created in CA Single Sign-On as shown below.
[Trusted Host Object] Registered pam323t1 and pam323t2 (one for each node)
<Please see attached file for image>

Note: If you have already registered the "Trusted Host Name" in a previous attempt, you will not be able to register again with the same name. If you wish to reuse the name, delete the respective Trusted Host object from CA Single Sign-On first.
Step5: Configure SAML RP Configuration at CA PAM
"Fully Qualified Hostname" is the URL of this PAM node itself. Do not use the PAM cluster VIP FQHN: each node must identify itself in the AuthnRequest and ACS URL it generates (see Step9).
<Please see attached file for image>

Navigate to "Configured Remote SAML IdP" tab and click on "UPLOAD AN IDENTITY PROVIDER METADATA" and upload the "SiteMinderMetadata.xml" file.
<Please see attached file for image>

Once you upload, you will find the imported EntityID.
<Please see attached file for image>

Double-click "siteminder.test.lab" to check its configuration.
Importing the metadata is not mandatory; you can configure it manually as well.
<Please see attached file for image>

Make adjustments according to your needs.
Ensure the "Certificate" field contains the IDP signing certificate; without it the SP cannot verify the Assertion signature.
Whatever options you choose here will need to be matched on the IDP side as well.
Step6: Export PAM Metadata
It is a bit confusing but the "DOWNLOAD METADATA" button is located at the "Configured Remote SAML IDP" screen.
<Please see attached file for image>

You will get "XsuiteMetadataFor_siteminder.test.lab.xml" file.
Step7: Import PAM Metadata at IDP
<Please see attached file for image>

Select "Import As : Remote Entity" and "Create New"
<Please see attached file for image>

Give the new Entity a name.
<Please see attached file for image>

Step8: Create AuthnContext Template
At "Federation -> Partnership Federation -> Authentication Context Templates", click on "Create Template".
<Please see attached file for image>

You can add as many authentication contexts as you need, but what is set up in this sample is "unspecified", which is also set as the "Default Authentication Context URI".
<Please see attached file for image>

What this does is: when the AuthnRequest is sent from PAM, it carries "unspecified" as the requested authentication context, and CA SSO determines the Authentication URL from the Authentication Context Template and redirects the user accordingly.
Note the last entry for "unspecified", which uses "Local Authentication" with the Authentication URL "https://siteminder.test.lab/siteminderagent/redirectjsp/redirect.jsp".
You will need to protect this "Authentication URL"; that is covered in a later step.
Step9: Update CA SSO Federation Partnership.
<Please see attached file for image>

You will need to select the Remote SP from the dropdown and pick the correct entity.
The user store (Active Directory) needs to be added to allow those users to federate.
<Please see attached file for image>

<Please see attached file for image>

<Please see attached file for image>

In the above step, you need to select the "AuthnContext" template that we created in Step8.
Also, it is critical that you enable "Accept ACS URL in the AuthnRequest".
The reason: with a clustered PAM, each node generates its AuthnRequest with its own node URL as the Assertion Consumer Service URL. CA SSO needs to accept that URL so that it is used as the Destination, and the PAM node that initiated the federation is the one that receives the SAML token.
Note: It is the Service Provider's responsibility to validate that the URL on which it received the SAML token matches the Destination specified in the Response. If they do not match, the SP must reject it.
So, if you do not enable "Accept ACS URL in AuthnRequest", the IDP uses its default value, which may point to the PAM cluster VIP FQHN and will not match when the response is redirected to an individual PAM node.
<Please see attached file for image>

For the SAML 2.0 POST Profile, the Assertion is SIGNED by the IDP.
You must set the Signing Algorithm, and any other options you define, to agree with the SP side.
If they do not match, the SAML token will be rejected.
<Please see attached file for image>

Note the "Remote Assertion Consumer Service URL".
You must register the "Assertion Consumer Service URL" of each PAM node.
There are 2 PAM nodes, so both need to be added.
https://pam323t1.test.lab/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
https://pam323t2.test.lab/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
This must be done regardless of whether you imported the Metadata or if you configured manually.
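To make the two-node behaviour concrete, here is an added Python model of the exchange described in Step8 and Step9. It is example code, not CA SSO or CA PAM code: each node builds an AuthnRequest carrying its own ACS URL and the "unspecified" context; the IDP maps that context to the authentication URL from the template, then sets the Response Destination either from the request (when "Accept ACS URL in AuthnRequest" is on) or from its own default; and the node that receives the POST rejects any Response whose Destination, Recipient or InResponseTo is not its own. The cluster VIP as the IDP default, the NameID value, and the rule that the IDP honours only ACS URLs registered in Step9 are assumptions of the example; the last one is what the SAML Web Browser SSO profile expects of an IdP, since otherwise a forged AuthnRequest could direct the assertion to any host. Signatures are left out.

```python
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

AC_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Names taken from this article; the cluster VIP ACS URL is an assumption.
SP_ENTITY_ID = "https://pam323.test.lab"
IDP_ENTITY_ID = "https://siteminder.test.lab"
IDP_SSO_URL = "https://siteminder.test.lab/affwebservices/public/saml2sso"
ACS_PATH = "/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp"
NODES = ["pam323t1.test.lab", "pam323t2.test.lab"]
CLUSTER_VIP_ACS = "https://pam323.test.lab" + ACS_PATH  # assumed IdP default ACS

# Step9: the ACS URL registered at the IdP for each node.
REGISTERED_ACS_URLS = {f"https://{node}{ACS_PATH}" for node in NODES}

# Step8: authentication context template (class ref -> authentication URL).
AUTHN_CONTEXT_TEMPLATE = {
    AC_UNSPECIFIED: "https://siteminder.test.lab/siteminderagent/redirectjsp/redirect.jsp",
}


def acs_url(node):
    return f"https://{node}{ACS_PATH}"


def request_id(authn_request_xml):
    return ET.fromstring(authn_request_xml).get("ID")


def build_authn_request(node):
    """SP side: a PAM node asks for the assertion to be posted back to its own ACS URL."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": acs_url(node),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = AC_UNSPECIFIED
    return ET.tostring(req)  # signing omitted; the real CA PAM request is signed


def idp_issue_response(authn_request_xml, accept_acs_url_in_request):
    """IdP side: resolve the context, choose the Destination, mint an (unsigned) Response."""
    req = ET.fromstring(authn_request_xml)
    ctx = req.findtext(f".//{{{SAML}}}AuthnContextClassRef")
    if ctx not in AUTHN_CONTEXT_TEMPLATE:
        raise ValueError(f"no authentication URL for context {ctx}")
    # The user would now be redirected to AUTHN_CONTEXT_TEMPLATE[ctx] to log in.

    requested_acs = req.get("AssertionConsumerServiceURL")
    if accept_acs_url_in_request and requested_acs:
        # Honour only ACS URLs registered for this partnership; anything else would
        # let a forged AuthnRequest send the assertion to an attacker-chosen host.
        if requested_acs not in REGISTERED_ACS_URLS:
            raise ValueError(f"unregistered ACS URL in AuthnRequest: {requested_acs}")
        destination = requested_acs
    else:
        destination = CLUSTER_VIP_ACS  # the mismatch case described in Step9

    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "InResponseTo": req.get("ID"), "Destination": destination,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                              {"ID": "_" + uuid.uuid4().hex, "Version": "2.0"})
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = "aduser@test.lab"  # constructed
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", {"Method": BEARER})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                  {"Recipient": destination, "InResponseTo": req.get("ID")})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement")
    actx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(actx, f"{{{SAML}}}AuthnContextClassRef").text = ctx
    return ET.tostring(resp)


def sp_accepts(response_xml, node, outstanding_request_id):
    """SP side: the receiving node checks Destination, InResponseTo and Recipient."""
    resp = ET.fromstring(response_xml)
    mine = acs_url(node)
    if resp.get("Destination") != mine:
        return False  # e.g. issued for the cluster VIP but received on a node
    if resp.get("InResponseTo") != outstanding_request_id:
        return False  # not an answer to a request this node sent
    data = resp.find(f".//{{{SAML}}}SubjectConfirmationData")
    return data is not None and data.get("Recipient") == mine


def sso_flow(node, accept_acs_url_in_request):
    """Run one node's SP-initiated SSO and report whether that node accepts the Response."""
    request = build_authn_request(node)
    response = idp_issue_response(request, accept_acs_url_in_request)
    return sp_accepts(response, node, request_id(request))


if __name__ == "__main__":
    for node in NODES:
        print(node, "| accept ACS in request:", sso_flow(node, True),
              "| IdP default (VIP):", sso_flow(node, False))
```

With the option on, both nodes accept their own responses; with it off, every response is issued for the VIP and each node rejects it, which is the failure the text above warns about. A request naming an ACS URL that was not registered in Step9 is refused by the IDP before any assertion is issued.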
Step10: Protect the Authentication URL at IDP.
In Step8 we defined the AuthnContext URL for "unspecified" as "https://siteminder.test.lab/siteminderagent/redirectjsp/redirect.jsp".
<Please see attached file for image>

Create the application (realm) and assign an Authentication Scheme. In this sample, "Login Page" is assigned, which is "HTML FORM Authentication".
<Please see attached file for image>

Create a Resource (Rule) to authorize the GET and POST methods.
<Please see attached file for image>

Create Role to define who will be allowed to access this URL.
<Please see attached file for image>

Create a policy to allow those roles to be authorized for the application.
<Please see attached file for image>

Step11: Activate the Partnership
<Please see attached file for image>

At this point you should be able to access "https://siteminder.test.lab/affwebservices/public/saml2sso?SPID=https://pam323.test.lab" and check that you are redirected to the login page and can authenticate with AD user credentials. This only tests the IDP side; the federation will not succeed yet because the SP nodes are not configured.
Step12: Configure SP (PAM) nodes.
Repeat Step5 on the other PAM nodes.
For example,
the pam323t1.test.lab node must use "pam323t1.test.lab" in the "Fully Qualified Hostname" field, and
the pam323t2.test.lab node must use "pam323t2.test.lab" in the "Fully Qualified Hostname" field.
Perform this on all the PAM nodes.
Although this appears under "Global Settings", this part is a local, per-node setting.
<Please see attached file for image>

<Please see attached file for image>

Save configuration to complete the setup and PAM will restart the web server.
Step13: Configure users
As PAM is using AD as its user store, PAM needs to import those users for SAML authentication.
<Please see attached file for image>

<Please see attached file for image>

Step14: Test
Close all PAM clients and launch them again.
When you connect to the PAM servers, you will see the "Single Sign-On" button on the login screen.
<Please see attached file for image>

To log in, click the "Single Sign-On" button.
If the License Terms and Conditions checkbox is enabled, you must select it as well.
A login page is displayed; log in using your "CA Single Sign-On" user account and password.
<Please see attached file for image>

<Please see attached file for image>