CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 12th April 2017
The scope of the document is to provide the necessary steps to configure the federation partnership to achieve SSO (Single-Sign-On) between CA Single Sign-On 12.52 SP1, acting as the Identity Provider (IDP), and CA PAM 2.8 acting as the Service Provider (SP) with CA Directory as user store.
1. CA PAM: Config >> 3rd Party >> Add LDAP Domain
2. CA Single Sign-On: Infrastructure >> Directory >> User Directories
   Create the same user directory in CA Single Sign-On
3. CA PAM: Config >> Security >> Xsuite SAML RP Configuration
   Define the SAML RP entity details: Entity ID, Fully Qualified Hostname and Certificate Key Pair
   (default: gkcert.crt; Block Algorithm: tripledes, Key Algorithm: rsa-oaep)
4. CA Single Sign-On: Federation >> Partnership Federation >> Entities
   Create the local SAML2 IdP entity for CA Single Sign-On
   Create the remote SAML2 SP entity for CA PAM (with the same Entity ID defined in Step 3)
   Assertion Consumer Service URL: https://<PAM FQDN>/samlsp/module.php/saml/sp/saml2-acs.php/xsuite-default-sp
5. CA Single Sign-On: Federation >> Partnership Federation >> Partnership
   Create a ‘SAML2 IDP -> SP’ partnership with the entities created in Step 4 and activate the partnership
   [For details on setting up a SAML 2 partnership, please refer to Getting Started with a Simple Partnership]
6. CA PAM: Config >> Security >> Xsuite SAML RP Configuration
   ‘Add An Identity Provider’ with the details you defined in Step 5 and save the configuration
7. CA PAM: Users >> Manage Groups >> Import LDAP Group
   Import the selected LDAP user group (with ‘SAML’ Authentication Type) that includes the users authorized to federate
   [The ‘SAML’ authentication type option only appears once a SAML Identity Provider is defined in CA PAM]
8. CA PAM: Config >> Security
   Log in to CA PAM using the FQDN and run a test
Successful outcome:
- Once the test succeeds, authorized users can federate to CA PAM via ‘Single Sign-On’ authentication
Troubleshooting
Error:
State information lost
Resolution:
Log in to CA PAM using the FQDN, and make sure it is the same FQDN that is associated with the Remote Assertion Consumer Service URL defined in CA Single Sign-On
[The VIP FQDN is used on both sides if clustering is turned on]
Error:
AuthnRequest with AuthnContexts is not supported
Resolution:
Check the “Ignore RequestedAuthnContext” option in the Federation Partnership so that the <RequestedAuthnContext> element in the AuthnRequest message received from CA PAM is disregarded
OR
clear the Authentication Contexts selection in CA PAM: Config >> Security
OR
create and use an Authentication Context Template that matches the Authentication Context URI sent by CA PAM:
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Error:
Failed to decrypt XML element
Xsuite As SAML RP Log (Verbose):
Resolution:
Ensure that CA PAM and CA Single Sign-On share the same certificate for encryption and decryption, and that the certificate specifications (block and key algorithms) are correctly defined in CA Single Sign-On
Error:
Session: ‘xsuite-default-sp’ not valid because it is expired
Xsuite As SAML RP Log (Verbose):
Resolution:
Ensure that the CA PAM and CA Single Sign-On server clocks are synchronized, because the assertion carries a limited validity window