Symantec Privileged Access Management

  • 1.  SP Configuration SAML

    Posted Aug 04, 2021 11:16 AM

    Thanks, but if I have a VIP in site 1 and a VIP in site 2, which VIP should I use if it is replicated?

    Higor Louback
    Security Analyst, Identity Management, DXC Security
    DXC Technology
    higor.louback@dxc.com




  • 2.  RE: SP Configuration SAML

    Broadcom Employee
    Posted Aug 05, 2021 02:08 AM
    When you use the PAM Client or Browser to access your PAM server, you will already have chosen which VIP to connect to.
    The VIP then redirects you to the selected node, which generates the AuthnRequest (SAMLRequest) and sends it to the IDP.

    In the PAM node, at "Configuration - Security - SAML - SP Configuration - Configuration", you have to enter the PAM node's FQHN.
    PAM generates the AuthnRequest using that FQHN so the IDP knows where to POST the SAML Assertion.
    This means each PAM node will have its own unique FQHN.

    At the IDP, you need to register all the FQHNs as valid Assertion Consumer Service (ACS) URLs
    AND
    the IDP should be configured to accept the ACS in the request.

    So when the IDP receives the AuthnRequest, its Assertion Consumer Service URL is the FQHN of the PAM node that generated it.
    After the IDP generates the Assertion, it is POSTed to the accepted ACS URL.

    As a result, the PAM node that generated the SAMLRequest gets the SAMLResponse and processes the login.
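    The exchange described above, as an added example that is not part of this thread or of the PAM product: each node builds an AuthnRequest whose AssertionConsumerServiceURL is its own FQHN, and the IdP only honours that ACS if it is registered for the request's entity ID (the node FQHNs, entity ID and paths are constructed placeholders).

    ```python
    # Added illustration, not PAM or IdP product code. Shows why the IdP must both
    # "accept ACS in the request" and have every node FQHN registered: the ACS in
    # the request is honoured only when it matches a registered one for that SP.
    import xml.etree.ElementTree as ET

    SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
    SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)

    # Constructed IdP registration: one SP entity ID (as used in the thread),
    # one ACS URL per PAM node FQHN. Hostnames and paths are hypothetical.
    REGISTERED_ACS = {
        "MyPAM_RP": {
            "https://pam-node1.example.com/saml/acs",
            "https://pam-node2.example.com/saml/acs",
        }
    }


    def build_authn_request(entity_id, node_fqhn, request_id="_req1"):
        """SP side: the SAMLRequest a given PAM node sends; the ACS points back
        at that node's own FQHN, so the response returns to the node that asked."""
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
            "ID": request_id,
            "Version": "2.0",
            "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "AssertionConsumerServiceURL": f"https://{node_fqhn}/saml/acs",
        })
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = entity_id
        return ET.tostring(req, encoding="unicode")


    def resolve_acs(authn_request_xml):
        """IdP side: return the ACS URL to POST the assertion to, or None when the
        request names an ACS that is not registered for its entity ID."""
        root = ET.fromstring(authn_request_xml)
        issuer = root.findtext(f"{{{SAML}}}Issuer")
        acs = root.get("AssertionConsumerServiceURL")
        if acs in REGISTERED_ACS.get(issuer, set()):
            return acs
        return None
    ```
    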


  • 3.  RE: SP Configuration SAML

    Broadcom Employee
    Posted Aug 05, 2021 09:18 AM
    Sung... I believe his question is about configuring PAM as the IDP and what to enter in the "Fully Qualified Hostname" field if he wants the entire cluster (not just the primary site) to be used.

    I suspect the solution to that would be to use a load balancer or just a DNS round robin to create a VIP in front of the entire cluster and enter that. Of course this IP/hostname/fqdn would need to be listed as a subject alternative name in the certificate on all of your nodes.


  • 4.  RE: SP Configuration SAML

    Posted Aug 05, 2021 09:39 AM

    My PAM is going to work as the relying party (RP) and a third-party IAM solution as the Identity Provider (IdP).

    I talked with support and I will use the following text string for Entity ID: MyPAM_RP (it will be replicated to the primary and second site). For Fully Qualified Hostname, my VIP address for the site.

    Certificates should have a Private Key and Alternative Names as described in the doc.

    I think it makes sense now.

    Just to confirm, I don't need to stop my cluster, right?

    Higor Louback


  • 5.  RE: SP Configuration SAML

    Broadcom Employee
    Posted Aug 05, 2021 12:05 PM
    Hi Higor, Correct, you don't need to stop the cluster. The general requirement is that PAM users use the address that is configured as Fully Qualified Domain name in the SP configuration to access PAM. See also https://knowledge.broadcom.com/external/article?articleId=124044.


  • 6.  RE: SP Configuration SAML

    Posted Aug 05, 2021 04:54 PM

    Thanks all... very helpful as usual.

    Higor Louback