CA PAM, F5 Load Balancer, SSO

Article ID: 98103

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

We've tried a couple of load balancer configurations without luck:
1. Have the load balancer send traffic to the PAM servers. This works; however, it breaks SSO logon, I believe because the URL in the address bar/headers doesn't match what we send over to the SSO system. We were able to work around the issue by setting the FQDN in the SAML configuration to be the load balancer URL; however, that breaks direct SSO logins to the boxes, which are needed for admins.
2. The load balancer redirects to the PAM servers in round-robin fashion. This causes the URL in the address bar/headers to match during the SSO process and makes things behave, except in the PAM Client, where you cannot connect and receive the message "Please make sure that you are connected to a CA Privileged Access Manager server."

We would like to go with the second option but need the PAM client to work.

Environment

Privileged Access Manager, all versions

Cause

The load balancer redirected to the URL https://<PAM server>, that is, to the host name only. This works fine for a browser. The PAM client, however, requests more specific URLs so that the PAM server can tell that it is the PAM client connecting rather than a browser. A sample URL is "https://<Load Balancer FQDN>/client/structure.php?os=win". When the redirect drops the path and query string, the PAM server no longer recognises the connection as coming from the client.

Resolution

Configure the load balancer to redirect to the full URL that was requested, preserving the path and query string. In the above example the redirect target would be "https://<Selected PAM node>/client/structure.php?os=win".
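As an added example (not part of this KB article or any CA/Broadcom-supplied configuration), the following F5 iRule issues a round-robin redirect to a PAM node while keeping the requested path and query string, so a browser request to "/" and a PAM client request to "/client/structure.php?os=win" both land on the right URL on the selected node. The node names and the subtable name are assumptions; replace them with your own.

```tcl
when RULE_INIT {
    # Assumed PAM node FQDNs (constructed placeholders); these must resolve to
    # the nodes' own addresses so the client's IP/FQDN consistency check passes.
    set static::pam_nodes [list "pam1.example.com" "pam2.example.com"]
}

when HTTP_REQUEST {
    # Shared counter in the session table so the round-robin position is the
    # same on every TMM. "pam_rr" is an assumed subtable name. The table entry
    # times out after the default idle period, which only restarts the rotation.
    set idx [table incr -subtable pam_rr idx]
    set node [lindex $static::pam_nodes [expr {$idx % [llength $static::pam_nodes]}]]

    # HTTP::uri is the path plus query string of the original request, so the
    # redirect target is the full URL on the chosen node, not just its host name:
    #   GET /client/structure.php?os=win  ->  https://pam1.example.com/client/structure.php?os=win
    HTTP::redirect "https://${node}[HTTP::uri]"
}
```

Attach the iRule to the virtual server that answers on the load balancer FQDN; because the client follows the redirect and then talks to the node directly, the node's own FQDN is what appears in the address bar and in the SAML exchange.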

Additional Information

The PAM Client performs additional checks to make sure the IP address and FQDN match each other. If it detects a mismatch, the error documented in this KB may be obtained. This is the case, for instance, when a cluster is configured with no external load balancer, the FQDN of the cluster and the primary node name share the same IP address in DNS, and the cluster VIP is not routable or does not exist. (In general this will not be allowed for anything beyond a 1:1 cluster model, as the VIP is required for communication with the primary site from other sites when the primary site has more than one node.) Under such a condition the PAM client will be able to perform updates, connect to the remote PAM to check versions, and so on, but it will never be able to log in, because it will always see a mismatch between the node name, its IP address and the cluster name.

It is therefore recommended to always make sure that the cluster VIP is routable and matches the cluster name, and that the DNS servers hold correct forward and reverse entries so that the cluster FQDN resolves to the VIP and the VIP resolves back to the cluster FQDN. If a change is made to meet this requirement, it may be necessary to clear the DNS cache in order to get the right name resolution.