Symantec Privileged Access Management

  • 1.  CA PAM integration with Identity Solution

    Posted Aug 08, 2019 11:13 AM
    Good day,
    I have a question regarding integration of CA PAM 3.3 with Identity solution (CA or other Vendors).
    My client would like to centralize users and roles management through his own Identity solution (on this stage he didn't provide me information regarding which Identity solution is in use).
    My questions are:
    - Is there a way to integrate PAM with Identity solutions in order to allow the deployment of users and correlated roles from Identity to PAM?
    - If so, in which way? (SAML, REST API,...).

    Thanks for your support.

    Andrea Gimmelli


  • 2.  RE: CA PAM integration with Identity Solution

    Broadcom Employee
    Posted Aug 08, 2019 01:56 PM
    Hi Andrea,
    Please see the following doc link, which describes how to set up PAM as a Relying Party that will consume an assertion generated by an IdP. I hope this answers your questions.
    https://docops.ca.com/ca-privileged-access-manager/3-3/EN/implementing/configuring-your-server/authenticate-users-logging-in-to-the-server/using-saml-2-0-to-authenticate-users

    Regards,
    Margaret


  • 3.  RE: CA PAM integration with Identity Solution

    Posted Aug 09, 2019 05:17 AM
    Hello Margaret,
    Thanks for your fast reply.
    If I understand correctly, with a SAML configuration of PAM as RP, I can delegate the authentication of a user to an Identity Provider and I can also modify the PAM's groups where the user resides (e.g. move a user from a group to another). Is it correct?
    Also, checking the prerequisites, I notice that the user must already exist in the RP and the IdP in order to allow the authentication. With this configuration I cannot deploy a new user or group in PAM from the Identity Provider, but I can manage them, is it correct?

    Thanks again for your support.


  • 4.  RE: CA PAM integration with Identity Solution
    Best Answer

    Broadcom Employee
    Posted Aug 09, 2019 09:08 AM
    Andrea

    There are a couple of things that might help you out. We do use LDAP groups to automatically provision users to PAM, and they gain role-based privileges and access through that LDAP group. So you can effectively provision and de-provision users by adding and removing these users in your existing LDAP/AD. We also have an external API interface to further integrate and manage PAM from an Identity Manager service. CA does sell its own Identity Manager product, which has already been integrated using this API. You can get more details from our manuals on what APIs are available:
    https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/programming/external-api-for-integrating-applications
    If you have in-depth questions you may want to engage a sales representative for setting up a demonstration.

    Joe
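    As an added example (not part of this thread and not CA PAM's own code), the two mechanisms discussed above side by side: the conditions a SAML Relying Party such as PAM evaluates on an IdP assertion before trusting it, and a directory-group-to-role mapping of the kind the LDAP group provisioning Joe describes depends on. The group DNs, audience URL, `memberOf` attribute name and the sample assertion are all constructed, and XML signature verification is assumed to have already been done by the SAML library.

```python
# Added example, not CA PAM code. Evaluates SAML 2.0 assertion conditions the
# way a Relying Party must (validity window, audience) and derives roles from
# directory group membership. Signature verification is assumed done upstream.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping of directory groups to PAM roles (constructed values).
GROUP_TO_ROLE = {
    "CN=PAM-Admins,OU=Groups,DC=example,DC=com": "Global Administrator",
    "CN=PAM-Users,OU=Groups,DC=example,DC=com": "Standard User",
}

# Constructed sample assertion; a real one also carries a ds:Signature element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2019-08-09T09:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>agimmelli</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-08-09T08:59:00Z" NotOnOrAfter="2019-08-09T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://pam.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=PAM-Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Finance,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2019-08-09T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, expected_audience, now):
    """Return (name_id, roles) for a valid assertion; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML core semantics).
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this relying party")
    name_id = root.find("saml:Subject/saml:NameID", NS).text
    groups = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='memberOf']/saml:AttributeValue", NS)]
    # Only mapped groups grant roles: a user removed from every mapped group in
    # the directory ends up with no roles, which is the de-provisioning path.
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return name_id, roles
```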



  • 5.  RE: CA PAM integration with Identity Solution

    Posted Aug 16, 2019 03:19 AM
    Hello everyone,
    As you told me, there are different ways to integrate PAM with an Identity solution.
    I will check with the customer which one he prefers.

    Thanks everyone for your help.

    Regards,
    Andrea Gimmelli