A ticket was opened by a customer trying to use "Encrypted Assertions" with SAML. SAML was already working, but they wanted additional security. This article will show how to configure SAML with "Encrypted Assertions". It will also explain the minor change that will allow you to use SAML without "Encrypted Assertions", if that is what you wish.
Thanks go to Saravanan Ramalingam, who configured SSO, and Nick Amon, who figured out the problem with the Key Algorithm setting. This was the last piece of the puzzle.
The configuration of CA PAM as a SAML RP is relatively simple. There are just a few parameters that you need to sync up with the SSO site. You can see them on the screen below. You can enter them yourself or upload a metadata file that you downloaded from SSO.
<Please see attached file for image: CAPAM_SAML-RP1.JPG>
After you've entered the data above or uploaded the metadata, click Edit. The section below will open up. If it is not checked already, check the "Require Encrypted Assertions" box. Save the configuration and you're done.
<Please see attached file for image: CAPAM_SAML-RP2.JPG>
Next you can see the screen captures from the SSO side. Make sure that the fields that correspond to the CA PAM side are configured to match. Please notice the highlighted field, Key Algorithm. Initially it was set to rsa-1_5, which is not supported by CA PAM. It is an old algorithm and may even be deprecated. Once it was changed to rsa-oaep, SAML worked right away.
<Please see attached file for image: SSOsamlConfig1.JPG>
<Please see attached file for image: SSOsamlConfig2.JPG>
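To check which key-transport algorithm the SSO side is actually sending, the added example below (not part of the original article or of CA PAM) reads a base64-encoded SAML Response and reports the algorithm on the assertion's EncryptedKey. It assumes the Key Algorithm field corresponds to that element's EncryptionMethod and that rsa-1_5 and rsa-oaep map to the standard XML Encryption URIs; the function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Key-transport algorithm URIs defined by W3C XML Encryption.
RSA_1_5 = XENC + "rsa-1_5"
RSA_OAEP = {XENC + "rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep"}

def key_transport_algorithms(saml_response_b64):
    """Algorithm URI of each EncryptedKey inside an EncryptedAssertion."""
    # Stdlib parser for a self-contained demo; harden parsing for untrusted input.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    algs = []
    for assertion in root.iter("{%s}EncryptedAssertion" % SAML):
        for key in assertion.iter("{%s}EncryptedKey" % XENC):
            # Direct child only: EncryptedData has its own EncryptionMethod (bulk cipher).
            method = key.find("{%s}EncryptionMethod" % XENC)
            algs.append(method.get("Algorithm") if method is not None else None)
    return algs

def diagnose(saml_response_b64):
    """Return 'no-encrypted-key', 'rsa-1_5', 'rsa-oaep' or 'unknown'."""
    algs = key_transport_algorithms(saml_response_b64)
    if not algs:
        return "no-encrypted-key"
    if RSA_1_5 in algs:
        return "rsa-1_5"   # the setting the article reports as unsupported by CA PAM
    return "rsa-oaep" if all(a in RSA_OAEP for a in algs) else "unknown"

def sample_response(key_alg):
    """Constructed sample response (not captured traffic), base64-encoded."""
    cipher = "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="%s" xmlns:xenc="%s"'
        ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<saml:EncryptedAssertion><xenc:EncryptedData>'
        '<xenc:EncryptionMethod Algorithm="%saes256-cbc"/>'
        '<ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="%s"/>'
        '%s</xenc:EncryptedKey></ds:KeyInfo>%s'
        '</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>'
    ) % (SAML, XENC, XENC, key_alg, cipher, cipher)
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for alg in (RSA_1_5, XENC + "rsa-oaep-mgf1p"):
        print(alg, "->", diagnose(sample_response(alg)))
```

The input is the base64 SAMLResponse value as it appears in the browser's POST to the RP, which a SAML tracer or the browser's network tab will show.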
With these configurations in place, you can now click the Test button. If everything is good, you will see a page open like the one below. If it is not successful, you will see a similar page with an error. If this is not sufficient for you to figure out what is wrong, then please open a ticket with CA PAM Support. Make sure to attach the contents of the ticket, along with a downloaded Sysinfo.
<Please see attached file for image: SAMLtestSuccess.JPG>
Once the test is successful, you can log off and click the SSO button that now appears on the Login page. When you do, you will invoke SAML. If you haven't already logged in to SAML, you will be prompted for your SAML userid and password. If they are correct, you will be taken into CA PAM. If you have previously logged into SAML successfully, you will be brought right into CA PAM.
This should be sufficient for you to complete the configuration of CA PAM and SSO for the use of SAML. If not, Support is ready to assist you.