Symantec Privileged Access Management

Expand all | Collapse all

CA PAM and SSO integration is not proper. Requirement: PAM MFA (Strong Authentication)

Jump to Best Answer
  • 1.  CA PAM and SSO integration is not proper. Requirement: PAM MFA (Strong Authentication)

    Posted 04-02-2020 11:31 AM
    Hi ,

    I am trying to implement multifactor authentication for PAM, so trying to integrate CA SSO (Siteminder) with PAM before integrating SSO with Advance/Strong Authentication.

    I have completed the integration steps for CA SSO(Siteminder) and CA PAM production as given in below support url.

    CA Single Sign-On Integration
    Broadcom remove preview
    CA Single Sign-On Integration
    Before you set up Layer7 SiteMinder (formerly CA Single Sign-On) on PAM, configure these objects in the SiteMinder Administrative UI. As a security administrator, you can integrate Privileged Access Manager with (formerly CA Single Sign-On). You can use as a second layer of protection for Privileged Access Manager .
    View this on Broadcom >


    I am also able to get SSO page/prompt for authentication while trying PAM application url.

    But the issue is after SSO login successful, I am again getting PAM login page where I have to login again, which is not SSO behavior. Could you please help me for this to get a proper SSO configuration for PAM, where once I login to SSO get access to PAM Admin UI directly on
    browser.

    I am using Active Directory as user store and integrated Active directory with PAM properly as given for PAM LDAP integration.

    Thank you,
    Kind Regards,
    Samarendra

    ------------------------------
    Thank you,
    Kind Regards,
    Samarendra Routray
    ------------------------------


  • 2.  RE: CA PAM and SSO integration is not proper. Requirement: PAM MFA (Strong Authentication)
    Best Answer

    Posted 04-04-2020 05:56 PM
    Samarendra

    To utilize Siteminder authentication  your best option is to use SAML configuration within CA PAM and configure Siteminder as the IDP. The only problem I see with this when using Adv Authentication integration is that you would only be able to do this with the IDP initiated authentication. you can create a IDP authentication page which will go through the Adv Authentication workflow but  the SAML authentication page in CA PAM cannot be updated to support the workflow when using RP/SP initiated authentication. So this would cause a problem using the CA PAM client which would use an RP/SP initiated SAML authentication...

    Utilizing the Siteminder Integration inside CA PAM would allow you to use the Adv Auth work flow but would end up with an extra authentication since the Siteminder Integration in CA PAM does not replace the standard authentication. It adds to the authentication. So the end result of using this would be ... Open CA PAM... A redirect occurs and you go through your Siteminder Authentication with Adv Auth then you are prompted again for your authentication into CA PAM. entering your LDAP user and Passworsd.. It is an awkward workflow.. The best use-case for using the Siteminder integration would be step-up authentication for extra protected pages within CA PAM .

    Joe Lutz