We have two PAM cluster sites and users typically access PAM using one of the two site VIPs. We don't have external load balancers and only use the internal load balancers. We can't get SAML authentication to work when using the site VIPs.
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
The PAM internal load balancer redirects connections to a specific PAM node rather than forwarding them. The URL actually used for the PAM server connection is therefore not the VIP but the address of the node the user is redirected to. This causes an address mismatch between what the IdP was configured with and what the SP sees, resulting in a "State information lost" error; see KB 124044.
The best way to configure SAML authentication is to use an external load balancer that forwards PAM client connections directly to one of the cluster nodes, not to a site VIP. The Identity Provider (IdP) can be configured with the external load balancer address, and a single configuration/application on the IdP side will then allow authentication to any PAM node. All cluster nodes should use the same certificate, with all node addresses included in the Subject Alternative Names list, as discussed in KB 124044. In this setup you should always access the external load balancer address (VIP) for SAML authentication to PAM; it may fail if you try to access one of the cluster nodes directly.
If you don't have an external load balancer and want to use PAM cluster site VIPs rather than individual node addresses, note that the PAM internal load balancer redirects to a specific node in the site, so that node's name must be configured as the RP in Okta. You should be able to configure multiple host names for a single SAML RP configuration in Okta.
Alternatively, you can configure each PAM server as a separate Relying Party (RP) in the IdP. Export the metadata for each and import them one by one on the Configuration > Security > SAML > SP Configuration page in the PAM UI under "Configured Remote SAML IdP". Change the friendly name to be representative of the individual cluster node. On the SP Configuration page use each node address as Fully Qualified Hostname. This results in the following behavior:
- PAM user enters the site VIP as address.
- The PAM internal load balancer redirects to one of the nodes in the site.
- The user will see the address of the node they are connected to. Since multiple IdPs are configured, the user has to pick the one to use from a drop-down list, and selects the one matching the node name.
- The IdP will receive the SAML request for the application that is defined for this specific node, and the node will accept the response, since it's right for this node.
Okta does not allow upload of a metadata file from the Relying Party (RP). The Single Sign On URL, as well as the Recipient and Destination URL, in the Okta application have to be configured manually. The correct URL can be retrieved from the metadata file that you should download from PAM, even though you cannot upload it to Okta. The format of the URL is https://<PAM Server>/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp.
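As an added example (not part of this KB or the PAM product), the following script reads the AssertionConsumerService URL from a downloaded PAM SP metadata file, builds the ACS URL in the format given above for a node, and reports the address mismatch that produces "State information lost" when the IdP is configured with a different host than the node the internal load balancer redirects to. The metadata sample and the hostnames are constructed placeholders.

```python
# Added example: verify that the ACS URL PAM advertises matches the node address
# configured in the IdP, so the SAML response comes back to the node that issued the request.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Path from the KB's URL format: https://<PAM Server>/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
ACS_PATH = "/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp"

# Constructed minimal SP metadata for one cluster node (placeholder hostnames, not real output).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://pam-node1.example.com/samlsp/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pam-node1.example.com/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_urls(metadata_xml: str) -> list[str]:
    """Return every AssertionConsumerService Location found in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [el.attrib["Location"] for el in root.iterfind(".//md:AssertionConsumerService", NS)]


def expected_acs_url(node_fqdn: str) -> str:
    """ACS URL to enter as Single Sign On / Recipient / Destination URL in the Okta app for this node."""
    return f"https://{node_fqdn}{ACS_PATH}"


def check_node(metadata_xml: str, node_fqdn: str) -> list[str]:
    """List the mismatches that would cause 'State information lost' for a user landing on node_fqdn."""
    problems = []
    urls = acs_urls(metadata_xml)
    if expected_acs_url(node_fqdn) not in urls:
        problems.append(f"IdP must be configured with {expected_acs_url(node_fqdn)} for {node_fqdn}")
    for url in urls:
        host = urlparse(url).hostname
        if host != node_fqdn:
            problems.append(f"ACS host {host} differs from {node_fqdn}: SP Fully Qualified Hostname mismatch")
    return problems


if __name__ == "__main__":
    print(check_node(SAMPLE_METADATA, "pam-node1.example.com"))     # node address configured: no problems
    print(check_node(SAMPLE_METADATA, "pam-site-vip.example.com"))  # VIP configured: reports the mismatch
```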
Also, PAM expects the following attributes to be provided in the SAML response:
- userName
- firstName
- lastName
- userGroup (only needed for Just In Time (JIT) provisioning; see the documentation page "Configure PAM as the Relying Party (RP)")