
CA PAM as RP and SAML as IDP working for some users and not working for others


Article ID: 133994


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

We have configured CA PAM + Okta for SSO and it's working for some users and not for others. When we test the SAML logon from the PAM configuration page, we get a PAM-CMN-0988 message similar to the following:

PAM-CMN-0988: The validation of the SAML assertion of user identity <username> from remote IdP http://www.okta.com/xxxxxxxxxxxxxxxxx succeeded but mapping the user to a SAML-enabled CA PAM account failed.

Cause

The problem users were configured with their email address as username in the SAML IdP. In PAM they were imported from Active Directory, but none of the attributes that qualify as user name were set to the email address in AD.

Environment

Applies to any supported PAM release as of July 2019.

Resolution

For the users whose SAML logon failed, the user name sent in the SAML assertion did not match the DN, userPrincipalName, or sAMAccountName of the corresponding LDAP user. Changing the login name sent by the IdP to the userPrincipalName resolved the problem.

In general, PAM tries to match the user name provided for SAML authentication against the following attributes imported from AD:

- Distinguished Name
- sAMAccountName
- userPrincipalName

PAM also compares the user name with a fourth attribute stored in PAM, the "short name". If sAMAccountName or userPrincipalName is configured as the unique attribute in the LDAP configuration in PAM, the short name is equal to that configured unique attribute. If neither is defined as the unique attribute, the short name is derived from the DN as the substring between the first equal sign and the first comma, that is, it should equal the CN (common name) of the user in AD.
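As an added illustration, the following Python model reproduces the matching rules described above so you can check ahead of time which attribute (if any) a given SAML user name would map to. It is not CA's code: the record shape, the sample user, and the exact string comparison are assumptions made for the example, and the article does not state how PAM's real comparison treats case.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PamLdapUser:
    """Shape of a user record imported from AD into PAM (assumed for this example)."""
    dn: str
    sam_account_name: str
    user_principal_name: str

def short_name(user: PamLdapUser, unique_attribute: Optional[str] = None) -> str:
    """Derive the PAM "short name" as the article describes it.

    If sAMAccountName or userPrincipalName is the configured unique attribute,
    the short name equals that attribute. Otherwise it is the DN substring
    between the first '=' and the first ','. Note that, taken literally, an
    escaped comma inside the CN (e.g. "CN=Doe\\, Jane,...") would cut the
    short name at that comma.
    """
    if unique_attribute == "sAMAccountName":
        return user.sam_account_name
    if unique_attribute == "userPrincipalName":
        return user.user_principal_name
    dn = user.dn
    start = dn.find("=")
    if start == -1:
        return dn  # not a well-formed DN; nothing to strip
    end = dn.find(",", start)
    if end == -1:
        end = len(dn)  # single-RDN DN: take everything after the '='
    return dn[start + 1:end]

def match_saml_user(saml_username: str, user: PamLdapUser,
                    unique_attribute: Optional[str] = None) -> Optional[str]:
    """Return the name of the first PAM attribute that matches the SAML user name,
    or None when no attribute matches (the PAM-CMN-0988 situation).

    Assumption: exact string comparison; PAM's case handling is not documented here.
    """
    candidates = [
        ("Distinguished Name", user.dn),
        ("sAMAccountName", user.sam_account_name),
        ("userPrincipalName", user.user_principal_name),
        ("short name", short_name(user, unique_attribute)),
    ]
    for label, value in candidates:
        if value == saml_username:
            return label
    return None

def diagnose(saml_username: str, user: PamLdapUser,
             unique_attribute: Optional[str] = None) -> str:
    """One-line verdict for a support engineer checking an IdP configuration."""
    matched = match_saml_user(saml_username, user, unique_attribute)
    if matched is None:
        return (f"'{saml_username}' matches none of DN, sAMAccountName, "
                f"userPrincipalName or short name; mapping would fail")
    return f"'{saml_username}' maps via {matched}"

# Constructed sample user; the email address differs from the UPN on purpose.
SAMPLE_USER = PamLdapUser(
    dn="CN=Jane Doe,OU=Users,DC=example,DC=com",
    sam_account_name="jdoe",
    user_principal_name="jdoe@example.com",
)

if __name__ == "__main__":
    # IdP sends the email address: no attribute matches (the article's problem case).
    print(diagnose("jane.doe@example.com", SAMPLE_USER))
    # IdP sends the UPN: matches userPrincipalName (the article's fix).
    print(diagnose("jdoe@example.com", SAMPLE_USER))
    # No unique attribute configured: short name falls back to the CN.
    print("short name:", short_name(SAMPLE_USER))
```

Run it against your own exported user records to see which login attribute the IdP must send for each account before changing the Okta user name mapping.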