How to configure CA PAM/SAML/SSO

Article ID: 5794

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

A ticket was opened by a customer trying to use "Encrypted Assertions" with SAML.  SAML was already working, but they wanted additional security.  This article will show how to configure SAML with "Encrypted Assertions".  It will also explain the minor change that will allow you to use SAML without "Encrypted Assertions", if that is what you wish.

 

Thanks go to Saravanan Ramalingam, who configured SSO, and Nick Amon, who figured out the problem with the Key Algorithm setting.  This was the last piece of the puzzle.

Environment

CA PAM 2.7 and SSO(Siteminder) 12.6

Resolution

The configuration of CA PAM as a SAML Relying Party (RP) is relatively simple. There are just a few parameters that you need to sync up with the SSO side. You can see them on the screen below. You can enter them yourself or upload a metadata file that you downloaded from SSO.

<Please see attached file for image: CAPAM_SAML-RP1.JPG>

After you've entered the data above or uploaded the metadata, click Edit. The section below will open up. If it is not checked already, check the "Require Encrypted Assertions" box. Save the configuration and you're done.

<Please see attached file for image: CAPAM_SAML-RP2.JPG>

Next you can see the screen captures from the SSO side. Make sure that the fields that correspond to the CA PAM side are configured to match. Please notice the highlighted field, Key Algorithm. Initially it was set to rsa-1_5, which is not supported by CA PAM. It is an old algorithm and may even be deprecated. Once it was changed to rsa-oaep, SAML worked right away.

<Please see attached file for image: SSOsamlConfig1.JPG>

<Please see attached file for image: SSOsamlConfig2.JPG>
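As an added check that is not part of this article or of the CA PAM product, the following Python script parses a SAML Response and reports which key-transport algorithm wraps each encrypted assertion, flagging rsa-1_5 and accepting rsa-oaep. The sample Response it builds is constructed, with placeholder cipher values, so it runs without an IdP.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Key-transport algorithm URIs from XML Encryption 1.0 / 1.1.
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
            "http://www.w3.org/2009/xmlenc11#rsa-oaep"}

def inspect_saml_response(response_xml: str) -> dict:
    """Count plaintext vs. encrypted assertions and classify every
    EncryptedKey's key-transport algorithm (the SSO 'Key Algorithm')."""
    root = ET.fromstring(response_xml)
    report = {"plaintext": len(root.findall("saml:Assertion", NS)),
              "encrypted": 0, "key_transport": []}
    for enc in root.findall("saml:EncryptedAssertion", NS):
        report["encrypted"] += 1
        # EncryptedKey may sit inside ds:KeyInfo or beside EncryptedData.
        for ek in enc.findall(".//xenc:EncryptedKey", NS):
            method = ek.find("xenc:EncryptionMethod", NS)
            alg = method.get("Algorithm") if method is not None else None
            if alg == RSA_1_5:
                verdict = "reject"   # rsa-1_5 is not supported by CA PAM
            elif alg in RSA_OAEP:
                verdict = "ok"       # rsa-oaep, the setting that worked
            else:
                verdict = "unknown"
            report["key_transport"].append((alg, verdict))
    return report

def sample_response(key_alg: str) -> str:
    """Constructed minimal SAML Response with one EncryptedAssertion.
    CipherValue contents are placeholders, not real ciphertext."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:xenc="{NS['xenc']}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_constructed" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{key_alg}"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
```

Feed it a real Response captured from the browser's SAML trace to confirm the IdP is actually wrapping the assertion key with rsa-oaep before opening a ticket.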

With these configurations in place you can now click the Test button.  If everything is good you will see a page open like the one below.  If it is not successful you will see a similar page, with an error.  If this is not sufficient for you to figure out what is wrong then please open a ticket with CA PAM Support.  Make sure to attach the contents of the ticket, along with a downloaded Sysinfo.

<Please see attached file for image: SAMLtestSuccess.JPG>

Once the test is successful you can log off and click the SSO button that now appears on the Login page. When you do, you will invoke SAML. If you haven't already logged in to SAML you will be prompted for your SAML user ID and password. If they are correct you will be taken into CA PAM. If you have previously logged into SAML successfully you will be brought straight into CA PAM.

This should be sufficient for you to complete the configuration of CA PAM and SSO for the use of SAML.  If not, Support is ready to assist you.

Attachments

1558707766111000005794_sktwi1f5rjvs16qtu.jpeg
1558707761344000005794_sktwi1f5rjvs16qtt.jpeg
1558707759515000005794_sktwi1f5rjvs16qts.jpeg
1558707757410000005794_sktwi1f5rjvs16qtr.jpeg
1558707755593000005794_sktwi1f5rjvs16qtq.jpeg