Thanks for clarifying.
One thing to look at is the configuration of WIA and what user agents are supported:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia. It's possible that Chrome and Edge are simply not in the approved user agents list, and therefore WIA is not enabled for them, while it is for the PAM client user agent (not sure what the PAM client user agent looks like).
It may also be a defect... I would go ahead and get a ticket open.
That said, there is really no reason to have users log into PAM using an alternate AD credential. Access to PAM itself isn't necessarily privileged; PAM will assert necessary privileged credentials for the users. In fact, many customers deploy PAM specifically to eliminate the need for users to have their own privileged accounts.
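To go with the WIA user-agent suggestion above, here is an added example (not from this thread or from the PAM product) for checking the AD FS `WIASupportedUserAgents` list and testing whether a captured User-Agent header would match it. It assumes the tenant is federated to an AD FS farm, that it runs on an AD FS server with the ADFS PowerShell module, and that AD FS applies each entry as a substring match against the request's User-Agent; the user-agent strings below are constructed.

```powershell
# Added example, not the product's own code. Assumes an AD FS server with the
# ADFS module loaded. Assumption: AD FS grants WIA when any configured entry
# is a substring of the request's User-Agent header.

function Get-WiaUserAgentList {
    (Get-AdfsProperties).WIASupportedUserAgents
}

# Returns the matching entry (or $null) so you can see why a client did or
# did not get WIA. $UserAgent is a string captured from the client, e.g. from
# a proxy trace; the default list is read live from AD FS.
function Test-WiaUserAgent {
    param(
        [Parameter(Mandatory)][string]$UserAgent,
        [string[]]$List = (Get-WiaUserAgentList)
    )
    foreach ($entry in $List) {
        # Case-insensitive substring check (assumed to mirror AD FS behaviour)
        if ($UserAgent.IndexOf($entry, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $entry
        }
    }
    return $null
}

# Caveat: Set-AdfsProperties -WIASupportedUserAgents replaces the whole list,
# so always pass the existing entries plus the new ones, never just the new one.
function Add-WiaUserAgent {
    param([Parameter(Mandatory)][string[]]$Entry)
    $current = @(Get-WiaUserAgentList)
    $merged  = @($current + $Entry | Select-Object -Unique)
    Set-AdfsProperties -WIASupportedUserAgents $merged
    Get-WiaUserAgentList
}

# Usage with a constructed Chrome user-agent string:
$chromeUa = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0 Safari/537.36"
$match = Test-WiaUserAgent -UserAgent $chromeUa
if ($match) {
    "This user agent gets WIA via entry '$match'"
} else {
    "This user agent is not matched; AD FS would fall back to a forms/SAML prompt"
}
```

Run `Test-WiaUserAgent` once with the browser's user agent and once with the string the PAM client's embedded browser sends (capture it from a proxy trace) to see which entry each one hits.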
Original Message:
Sent: 04-28-2021 05:43 AM
From: Pankaj Kumar
Subject: Azure AD SSO - PAM using IWA (Integrated Windows Authentication)
Hi @Joseph Fry,
We have a different Azure AD id for PAM users. So the user logs into the system with a standard Azure AD id but logs into the PAM client with a different Azure AD id (privileged). We are trying to authenticate with SAML only with the Azure AD id. But it takes the Windows id to login, which is different from the id intended for PAM login. We did some troubleshooting and found that IWA (Integrated Windows Authentication) is used by Azure AD and PAM's embedded browser does not give the option to choose the id to login. It directly takes the Windows id (as the system is joined to the domain). It works fine in Chrome and Edge browsers, but as you know users need to have the PAM client for accessing servers.
Original Message:
Sent: 04-27-2021 12:41 PM
From: Joseph Fry
Subject: Azure AD SSO - PAM using IWA (Integrated Windows Authentication)
I'm not entirely sure what you're asking.
It sounds like you want to use SAML to authenticate users to existing local PAM user accounts? I don't believe this is possible as it would provide multiple authentication paths for a single user account.
When a user logs into PAM with SAML, it should create a new PAM user account for that user... even if the username is the same, it should still create a new account of a different type (local vs SAML).
NOTE: I haven't configured this myself, so I am only about 80% certain on the accuracy of what I have said. Someone else may have firsthand knowledge.
Original Message:
Sent: 04-26-2021 10:19 AM
From: Pankaj Kumar
Subject: Azure AD SSO - PAM using IWA (Integrated Windows Authentication)
Hi SMEs,
We have set up Azure AD as IdP for enabling SSO for a PAM cluster in Azure. We noticed that PAM automatically takes the Windows ID for login and doesn't give any option to choose the id. This is creating an issue for our environment, as the id used for PAM authentication is different from the id used for Windows login. Kindly let me know if this is a known issue and if there is any workaround available for this.
Regards
Pankaj Kumar