Symantec Privileged Access Management


2 factor authentication - additional options?

  • 1.  2 factor authentication - additional options?

    Posted Mar 30, 2020 04:45 AM
    Morning

    We are currently reviewing our current set-up and one area we are looking at is the 2 factor authentication.

    Currently only RSA is supported, are there any plans to bring on board alternative products like google authenticator?

    Thanks,

    M


  • 2.  RE: 2 factor authentication - additional options?
    Best Answer

    Broadcom Employee
    Posted Mar 30, 2020 06:27 AM
    Hello,

    You are correct: currently, out of the box, only RSA authentication is supported.

    There are customization options, though; you would need to work with the field services team to learn more about them.

    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: 2 factor authentication - additional options?

    Posted Mar 30, 2020 08:33 AM
    Thanks Reatesh, would you happen to know how we engage with these teams? Would it normally be via an account manager?


  • 4.  RE: 2 factor authentication - additional options?

    Broadcom Employee
    Posted Apr 01, 2020 12:27 AM
    Yes, you will need to work with the account management team to engage the field services team.
    Thanks,
    Reatesh.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 5.  RE: 2 factor authentication - additional options?

    Posted Mar 31, 2020 08:36 AM
    Hello,

    The documentation suggests LDAP+RADIUS authentication is possible:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/implementing/configuring-your-server/authenticate-users-logging-in-to-the-server/configure-ldap-and-radius-in-combination-to-authenticate-users.html

    One possibility here is a token tool which supports RADIUS.  It would be interesting to mess around with.

    Chris


  • 6.  RE: 2 factor authentication - additional options?

    Broadcom Employee
    Posted Mar 31, 2020 10:18 AM
    RSA is not the only two factor authentication.

    Smartcard/certificate-based authentication is also possible and widely used. You can even use a cheap $45 YubiKey: https://www.youtube.com/watch?v=5mr779SP8m4

    PAM can also be configured as a SAML service provider: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/implementing/configuring-your-server/authenticate-users-logging-in-to-the-server/using-saml-2-0-to-authenticate-users.html. You should be able to have PAM authenticate against a Google Apps account. If that account is configured for 2 factor using Google Authenticator, then you have met your goal. Here is another vendor's description of what is required in Google Apps: https://help.receptive.io/hc/en-us/articles/212188369-How-to-set-up-Google-G-Suite-as-your-SAML-Identity-Provider

    I believe you could also use SAML to authenticate against other identity providers that support google authenticator.  So while we don't support Google Authenticator directly, you should be able to do it indirectly using SAML.


  • 7.  RE: 2 factor authentication - additional options?

    Posted Apr 02, 2020 11:31 AM
    Hi Joseph,

    Hi Andreas,

    I am trying to implement multifactor authentication for PAM, so I am trying to integrate CA SSO (SiteMinder) with PAM before integrating SSO with Advance/Strong Authentication.
    I have completed the integration steps for CA SSO (SiteMinder) and CA PAM production as given in the support URL below:
    CA Single Sign-On Integration

    I am also able to get the SSO page/prompt for authentication when trying the PAM application URL.

    But the issue is that after the SSO login succeeds, I am again getting the PAM login page where I have to log in again, which is not SSO behavior. Could you please help me get a proper SSO configuration for PAM, where once I log in to SSO I get access to the PAM Admin UI directly in the browser?

    I am using Active Directory as the user store and have integrated Active Directory with PAM properly as given for the PAM LDAP integration.
    Thank you,
    Regards,
    Samarendra Routray


  • 8.  RE: 2 factor authentication - additional options?

    Broadcom Employee
    Posted Apr 03, 2020 11:26 AM
    I believe what you are seeing is expected behavior.  In the first paragraph of the link you provided:

    "You can use Layer7 SiteMinder as a second layer of protection for Privileged Access Manager. First you authenticate to Privileged Access Manager, then to Layer7 SiteMinder..." 

    I believe, though I have never done it myself, that to authenticate to PAM using SiteMinder, you would need to use SAML. Even then, I believe the user will still need to authenticate against SiteMinder to get into PAM. To the best of my knowledge, PAM does not support true SSO with SAML; it always makes you re-authenticate during PAM login (for security reasons).

    Hopefully someone with more experience using PAM, SiteMinder, and SAML will respond and confirm/correct what I am saying.



  • 9.  RE: 2 factor authentication - additional options?

    Broadcom Employee
    Posted Apr 04, 2020 12:30 PM
    Edited by Joseph Lutz Apr 04, 2020 05:11 PM

    Joe

    You are correct. The use case for the SiteMinder integration is not authentication per se. It is "step-up" authentication, and it was originally designed to be used on certain pages within the program; it cannot replace the initial login. Assume you have an administrator user that is responsible for accessing target machines in the network but is also responsible for configuring and maintaining CA PAM itself. These are effectively two distinct roles. You could provide 2 separate logins for this user, but then this limits the user and requires different passwords and user accounts. With the SiteMinder authentication feature you can protect the configuration pages or any distinct page inside CA PAM, so an admin user can access targets with the normal login but is forced to reauthenticate separately once they try to access these particular pages. If you do use SAML authentication you may be able to configure the SAML to handle the step-up auth automatically, but that would defeat the whole purpose of step-up authentication. You do not need to use SAML, as there is a SiteMinder WebAgent built into the CA PAM product, so you can configure any authentication method the standard Apache WebAgent can be configured with in SiteMinder. Since most PAM environments do not require such a separation of roles, I have not seen many customers using this feature.

    As for using SiteMinder as the single sign-on... Simply configure CA PAM to use SAML authentication with your AD users and disable the SiteMinder integration. You can configure SiteMinder as the Identity Provider and it will authenticate your AD users and pass CA PAM, as the relying party, the authentication token. This is a common configuration with CA PAM; many use SiteMinder as the IdP, and it will avoid your double authentication.

    Joe Lutz