Symantec Privileged Access Management


Azure AD SSO - PAM using IWA (Integrated windows authentication )

  • 1.  Azure AD SSO - PAM using IWA (Integrated windows authentication )

    Posted 04-26-2021 10:19 AM
    Hi SME's,

    We have set up Azure AD as IDP for enabling SSO for the PAM cluster in Azure. We noticed that PAM automatically takes the Windows ID for login and doesn't give any option to choose the ID. This is creating an issue for our environment, as the ID used for PAM authentication is different than the ID used for Windows login. Kindly let me know if this is a known issue and if there is any workaround available for this.

    Regards
    Pankaj Kumar


  • 2.  RE: Azure AD SSO - PAM using IWA (Integrated windows authentication )

    Posted 04-27-2021 11:48 AM
    @Ralf Prigl @Joseph Lutz @Reatesh Sanghi @Joseph Fry @AndreasMuller Can you guys check this query?


  • 3.  RE: Azure AD SSO - PAM using IWA (Integrated windows authentication )

    Broadcom Employee
    Posted 04-27-2021 12:42 PM
    I'm not entirely sure what you're asking.

    It sounds like you want to use SAML to authenticate users to existing local PAM user accounts? I don't believe this is possible, as it would provide multiple authentication paths for a single user account.

    When a user logs into PAM with SAML, it should create a new PAM user account for that user... even if the username is the same, it should still create a new account of a different type (local vs SAML).

    NOTE: I haven't configured this myself, so I am only about 80% certain of the accuracy of what I have said. Someone else may have firsthand knowledge.


  • 4.  RE: Azure AD SSO - PAM using IWA (Integrated windows authentication )

    Posted 04-28-2021 05:44 AM
    Hi @Joseph Fry,

    We have a different Azure AD ID for PAM users. So a user logs into the system with a standard Azure AD ID but logs into the PAM client with a different Azure AD ID (privileged). We are trying to authenticate with SAML only with the Azure AD ID. But it takes the Windows ID to log in, which is different than the ID intended for PAM login. We did some troubleshooting and found that IWA (Integrated Windows Authentication) is used by Azure AD, and PAM's embedded browser does not give an option to choose the ID to log in with. It directly takes the Windows ID (as the system is joined to the domain). It works fine in the Chrome and Edge browsers, but as you know, users need to have the PAM client for accessing servers.


  • 5.  RE: Azure AD SSO - PAM using IWA (Integrated windows authentication )

    Broadcom Employee
    Posted 04-28-2021 10:16 AM
    Thanks for clarifying.

    One thing to look at is the configuration of WIA and what user agents are supported: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia. It's possible that Chrome and Edge are simply not in the approved user agents list, and therefore WIA is not enabled for them, while it is for the PAM client user agent (not sure what the PAM client user agent looks like).

    It may also be a defect... I would go ahead and get a ticket open.

    That said, there is really no reason to have users log into PAM using an alternate AD credential. Access to PAM itself isn't necessarily privileged; PAM will assert the necessary privileged credentials for the users. In fact, many customers deploy PAM specifically to eliminate the need for users to have their own privileged accounts.

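    The suggestion above is to compare the WIA-supported user agent list against the user agent the PAM client's embedded browser sends. The following PowerShell is an added example, not code from the thread, from Broadcom or from Microsoft; it assumes the sign-in chain passes through an AD FS farm (the linked article configures AD FS, whereas the original post names Azure AD as the IDP, so check which component actually performs WIA in your environment), that it is run on an AD FS server with the ADFS module, and that the PAM client user agent substring is a placeholder you replace after capturing the real value from the AD FS audit logs or a proxy trace. Its aim is defensive: read the current list, show which entries would match a given user agent, and only change the list when explicitly told to, so an operator can decide whether the PAM client should fall back to forms authentication (which lets the user type a different account) rather than silently taking the Windows logon identity.

```powershell
# Added example (not the project's code): inspect and optionally adjust the
# AD FS WIASupportedUserAgents list that the linked Microsoft article describes.
# Assumptions: run as an AD FS administrator on a server with the ADFS module;
# $PamClientAgentFragment is a PLACEHOLDER substring of the PAM client's real
# user agent string, which must be captured from your own environment first.
param(
    [string]$PamClientAgentFragment = "PLACEHOLDER-PAM-CLIENT-AGENT",
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

Import-Module ADFS -ErrorAction Stop

# 1. Read the current list of user agent substrings for which AD FS offers WIA.
$current = (Get-AdfsProperties).WIASupportedUserAgents
Write-Host "Currently WIA-enabled user agent fragments:"
$current | ForEach-Object { Write-Host "  $_" }

# 2. Show which fragments would match a captured user agent string.
#    AD FS treats each entry as a substring match against the browser's
#    User-Agent header, so a generic entry such as "Mozilla/5.0" matches
#    almost every modern browser and embedded WebView.
function Get-MatchingAgentFragments {
    param([string[]]$Fragments, [string]$UserAgent)
    $Fragments | Where-Object { $UserAgent -like "*$_*" }
}

# Constructed sample header for illustration only; replace with a real capture.
$sampleUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) $PamClientAgentFragment"
$hits = Get-MatchingAgentFragments -Fragments $current -UserAgent $sampleUserAgent
Write-Host "Fragments matching '$sampleUserAgent':"
if ($hits) { $hits | ForEach-Object { Write-Host "  $_" } } else { Write-Host "  (none - this agent would get forms auth)" }

# 3. Build the proposed list: drop entries that exist solely for the PAM client
#    fragment. Entries such as "Mozilla/5.0" are NOT removed here because
#    removing them would also turn WIA off for every regular browser.
$proposed = $current | Where-Object { $_ -notlike "*$PamClientAgentFragment*" }

if (-not $Apply) {
    Write-Host "Dry run. Proposed list (use -Apply to commit):"
    $proposed | ForEach-Object { Write-Host "  $_" }
    return
}

# 4. Commit the change. Keep a copy of the old list so the change can be
#    reverted with Set-AdfsProperties -WIASupportedUserAgents $backup.
$backup = $current
Set-AdfsProperties -WIASupportedUserAgents $proposed
Write-Host "WIASupportedUserAgents updated. Previous value retained in `$backup for rollback."
```

    Run it first without -Apply to see whether any entry is specific to the PAM client at all. If the only match is a broad fragment like "Mozilla/5.0", the user agent list cannot isolate the PAM client, and the remaining options are those raised elsewhere in the thread: a support ticket, or reconsidering whether PAM logins need a separate privileged identity.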

  • 6.  RE: Azure AD SSO - PAM using IWA (Integrated windows authentication )

    Posted 04-28-2021 11:59 AM
    Hi @Joseph Fry,

    Thanks for the input. However, there is an option to disable/enable IWA for Chrome and IE (most probably it will work for Edge too):

    https://sso.cisco.com/autho/msgs/disable_IWA.htm

    Also found the below for Azure AD:

    https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication


    Actually, it may vary from client to client, how they want to manage their privileged access :)

    Thanks for the support