Symantec Access Management

  • 1.  CA PAM integration with SSO

    Broadcom Employee
    Posted Apr 04, 2017 05:02 AM

    Hello Everyone,

    I have got a setup of CA Single Sign-On and now I am trying to integrate CA Privileged Access Manager with the SSO. I have tried the steps given in the PAM documents for the integration by creating an "Application" at the SSO end. However, it is not working. The first thing that I am confused about is that the resource needs to be "Unprotected" at the SSO end as per the documentation. Then how would the user get the login page?

    I have tried protecting it as well but still nothing happened.

    Then I tried protecting PAM by creating Domain Objects (Domain, Rules, Realm, etc.), and after that, when I access https://pamdns/index.php, it redirects the user to the login page; I can see that in the browser. However, I am getting a 500 Internal Server Error.

    I have checked the logs in CA PAM but no luck. Can anyone help me with some detailed steps for this integration?

    Regards,

    Suvajit Das



  • 2.  Re: CA PAM integration with SSO
    Best Answer

    Posted Apr 05, 2017 12:23 AM

    Hi Suvajit,

    To initiate Single Sign-On from PAM, click on the 'Single Sign-On' button when you get the PAM login prompt:

    A Java applet will launch and you will be prompted to log in from pamlogin.fcc:

    If the Federation login fails, ensure that you are connecting using the PAM FQDN, check the logs from both ends and run a Test from Config >> Security:



  • 3.  Re: CA PAM integration with SSO

    Posted Apr 07, 2017 02:18 AM

    My apologies, I jumped the gun earlier, presuming that you are using CA SSO as identity authentication to CA PAM.

    Looks like the confusion is with the following step:

    In the Default Resource Protection field, select Unprotected.

    It should be ‘Protected’ (default settings).



  • 4.  Re: CA PAM integration with SSO

    Posted Apr 07, 2017 11:12 AM

    I have corrected the documentation in source. The public doc will be updated shortly. Sorry for the misinformation!



  • 5.  Re: CA PAM integration with SSO

    Broadcom Employee
    Posted Apr 10, 2017 01:39 AM

    Thank you Tim for the correction. Also, please include some information with the screenshots if possible.

    Cheers



  • 6.  Re: CA PAM integration with SSO

    Broadcom Employee
    Posted Apr 10, 2017 01:45 AM

    Hello Wong,

    First of all, thank you for the information.

    I see the problem now. When I open my PAM Client, I actually don't see the SSO option only. Do you have any idea if I am missing some configurations?

    However, in the SSO configuration I see the SSO is enabled. Bit confused why I am not able to see the SSO option. Tried uninstalling and reinstalling the client.

    I have inserted the images for your quick reference.

    PAM Client with no SSO Option

    PAM SSO Configurations

    Cheers,

    Suvajit



  • 7.  Re: CA PAM integration with SSO

    Posted Apr 10, 2017 02:18 AM

    Hi Suvajit,

    There are two areas in which CA SSO can be involved (three if you include using CA SSO as Radius Server):

    • [relates to the Single Sign-On button on the login screen] Use CA SSO as identity authentication to CA PAM – which requires configuring CA PAM as RP (Config >> Xsuite SAML RP Configuration) and CA SSO as IdP
    • [the use case you had before] Use CA SSO to protect a specific PAM resource – illustrated in CA PAM integration with SSO


  • 8.  Re: CA PAM integration with SSO

    Broadcom Employee
    Posted Apr 10, 2017 06:31 AM

    Hello Wong,

    I would request you to please share some document if possible for the step by step configurations. I am kind of stuck.

    Regards,

    Suvajit



  • 9.  Re: CA PAM integration with SSO