Using LDAP provisioned users to do SSO login in PAM using Azure as an IdP

Article ID: 225642


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Let's assume there is a group of users imported into CA PAM using LDAP provisioning, and CA PAM is configured to do SSO using Azure as an IdP.

These same users also exist in Azure AD with the same UserPrincipalName and attributes, but they were not imported into CA PAM through Azure as an IdP with Just in Time (JIT) provisioning; they were provisioned through the LDAP connection, as stated above.

Trying to log in with SSO as one of those users fails: PAM does not treat the user as an SSO user, so the login is not handed to Azure, because the account is already provisioned with a different authentication type.

Cause

This is due to the authentication type assigned to the user when imported through LDAP. If the authentication type is LDAP, which the user inherits from the group, any attempt to log in via SSO will fail.

Environment

CA Privileged Access Management, multiple versions

Resolution

Edit the LDAP group that contains the imported users you want to log in via SSO and set its authentication type to SAML. This changes the authentication type of the users in that group to SAML, and they will then be able to log in to PAM using SSO against Azure AD. This works because the users carry the same UserPrincipalName in both directories, so the identity asserted by Azure matches the user that already exists in PAM.

Note that this is not the usual way to set up SSO login against Azure AD. The procedure described in the documentation creates the Azure user in PAM on first login (Just in Time provisioning) and assigns it either the Global Administrator role or the Standard User role, while automatically making it a member of the AzureSAMLUsers group in PAM. The procedure described here uses Azure as a standard IdP only, and nothing is created in PAM. Users who log in this way receive no role in PAM based on Azure; roles and permissions have to be assigned from PAM itself.