Symantec Privileged Access Management

 View Only

Tech Tip - CA Privileged Access Manager: Use CA Single Sign-On as Identity Authentication to CA PAM

By wonsa03 posted Apr 12, 2017 01:47 AM


CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 12th April 2017

The scope of the document is to provide the necessary steps to configure the federation partnership to achieve SSO (Single-Sign-On) between CA Single Sign-On 12.52 SP1, acting as the Identity Provider (IDP), and CA PAM 2.8 acting as the Service Provider (SP) with CA Directory as user store.


  1. CA PAM: Config >> 3rd Party >> Add LDAP Domain

  2. CA Single Sign-On: Infrastructure >> Directory >> User Directories
    Create the same user directory in CA Single Sign-On
  3. CA PAM: Config >> Security >> Xsuite SAML RP Configuration
    Define SAML RP entity details – Entity ID, Fully Qualified Hostname and Certificate Key Pair
    (default: gkcert.crt – Block Algorithm: tripledes, Key Algorithm: rsa-oaep)
  4. CA Single Sign-On: Federation >> Partnership Federation >> Entities
    Create local SAML2 IdP entity for CA Single Sign-On

    Create remote SAML2 SP entity (with the same Entity ID defined in Step 3) for CA PAM
    Assertion Consumer Service URL: https://<PAM FQDN>/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
  5. CA Single Sign-On: Federation >> Partnership Federation >> Partnership
    Create ‘SAML2 IDP -> SP’ partnership with the entities created in Step 4 and activate the partnership

    [Details setting up SAML 2 partnership, please refer to Getting Started with a Simple Partnership]
  6. CA PAM: Config >> Security >> Xsuite SAML RP Configuration
    ‘Add An Identity Provider’ with the details you defined in Step 5 and save the configuration
  7. CA PAM: Users >> Manage Groups >> Import LDAP Group
    Import selected LDAP user group (with ‘SAML’ Authentication Type) that includes the users authorized to federate

    [‘SAML’ authentication type option only appears when you have SAML Identity Provider defined in CA PAM]
  8. CA PAM: Config >> Security
    Login to CA PAM using FQDN and run a test

    Successful outcome:

  9. Once tested successful, authorized users can federate to CA PAM via 'Single Sign-On' authentication





State information lost



Login to CA PAM using FQDN and it is the same is associated with the Remote Assertion Consumer Service URL defined in CA Single Sign-On

[VIP FQDN is used on both if cluster is turned on]




AuthnRequest with AuthnContexts is not supported



Check the “Ignore RequestedAuthnContext” option in Federation Partnership to disregard the <RequestAuthnContext> element in the AuthnRequest message it receives from CA PAM

clear the Authentication Contexts selection from CA PAM: Config >> Security


create and use Authentication Context Template that matches the Authentication Context URI from CA PAM --

CA PAM -- urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified




Failed to decrypt XML element

Xsuite As SAML RP Log (Verbose):


Ensure CA PAM and CA Single Sign-On are sharing the same certificate to encrypt and decrypt. Also, the certificate specifications are correctly defined in CA Single Sign-On




Session: ‘xsuite-default-sp’ not valid because it is expired

Xsuite As SAML RP Log (Verbose):



Ensure that CA PAM and CA Single Sign-On server time are synchronized because there’s a validity duration on the assertion


1 comment