Symantec Privileged Access Management


 SP Configuration SAML

Higor Louback posted Aug 02, 2021 01:56 PM
Hello Community, considering this as Global Configuration, what would be the correct information to add in the Entity ID, Fully Qualified Hostname and Certificate Key Pair fields for the below environment, when talking about SP Configuration when implementing PAM as a Configured Remote SAML IdP:

2 sites (Brazil (Primary) and Canada (Secondary)) / 2 appliances in Brazil and 2 in Canada

Thanks 

Higor
Broadcom Employee Joseph Fry
The documentation is clear: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-4/implementing/authenticate-users-logging-in-to-the-server/using-saml-2-0-to-authenticate-users/configure-ca-pam-as-an-identity-provider-idp.html

The Entity ID will be replicated between cluster members.
You will use the VIP (IP or hostname) in the Fully Qualified Hostname field.
And you will use the same certificate for all cluster nodes (the docs explain how to copy the cert).

The only thing that is not clear in that document is that when generating your CSR / Certificate, you want to put all of the cluster nodes in the Subject Alternative Names field so that the certificate will be valid on each of the nodes. I generally include the FQDN AND IP of every node as well as the VIP and VIP hostname and any DNS aliases in the Subject Alternative Names on the cert to ensure that the cert is valid regardless of how the connection is made.
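The SAN advice in the answer above, worked through as an added example (not from the thread's participants or from Broadcom): a POSIX shell script that builds an OpenSSL request config whose Subject Alternative Name list carries the DNS name and IP of every cluster node, the VIP and its hostname, and any DNS aliases, then issues the key and CSR and prints the embedded SANs for review. All hostnames, IPs and file names are constructed placeholders standing in for a two-site, four-appliance cluster; substitute your own.

```shell
#!/bin/sh
# Added example: one certificate covering every PAM cluster node, the VIP
# and aliases via subjectAltName. Names and IPs below are constructed
# placeholders, not values from the original thread.

VIP_HOST="pam-vip.example.internal"
VIP_IP="10.0.0.10"
# host:ip pairs for the four appliances (two per site)
NODES="pam-br-01.example.internal:10.0.1.11 pam-br-02.example.internal:10.0.1.12 pam-ca-01.example.internal:10.0.2.11 pam-ca-02.example.internal:10.0.2.12"
ALIASES="pam.example.internal"

# Emit the comma-separated subjectAltName value: DNS + IP for the VIP,
# DNS + IP for every node, then DNS for each alias.
build_san_list() {
  san="DNS:$VIP_HOST,IP:$VIP_IP"
  for entry in $NODES; do
    host=${entry%%:*}
    ip=${entry##*:}
    san="$san,DNS:$host,IP:$ip"
  done
  for alias in $ALIASES; do
    san="$san,DNS:$alias"
  done
  printf '%s\n' "$san"
}

# Write a minimal openssl req config: CN is the VIP hostname, every other
# name the appliance may be reached by goes into the SAN extension.
write_req_config() {
  outfile=$1
  cat > "$outfile" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $VIP_HOST

[ v3_req ]
subjectAltName = $(build_san_list)
EOF
}

# Return 0 if a given entry (DNS:name or IP:addr) is covered by the SAN list.
# Useful as a pre-flight check before submitting the CSR to the CA.
san_covers() {
  needle=$1
  case ",$(build_san_list)," in
    *",$needle,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Generate a 2048-bit RSA key and CSR from the config, then print the SANs
# actually embedded in the request so they can be checked against the cluster.
generate_csr() {
  cfg=$1; key=$2; csr=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg" >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name' || true
}

if command -v openssl >/dev/null 2>&1; then
  tmpdir=$(mktemp -d)
  write_req_config "$tmpdir/pam-saml.cnf"
  generate_csr "$tmpdir/pam-saml.cnf" "$tmpdir/pam-saml.key" "$tmpdir/pam-saml.csr"
  rm -rf "$tmpdir"
else
  echo "openssl not found; SAN list that would be requested:" >&2
  build_san_list
fi
```

Submit the resulting CSR to your CA, then install the issued certificate on one node and copy it to the others as the linked documentation describes; because the same key pair is used everywhere, a browser or SAML SP that reaches any appliance directly, by IP, or through the VIP sees a name that the certificate asserts.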