Symantec Privileged Access Management


Tech Tip - CA Privileged Access Manager: Map identity in SAML assertion to a PAM user

By wonsa03 posted Aug 26, 2017 10:22 AM


CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 26th August 2017

This document provides the steps to configure a federation partnership for Single Sign-On (SSO) between CA Single Sign-On 12.52 SP1, acting as the Identity Provider (IdP), and CA PAM 2.8.2, acting as the Service Provider (SP), with MS SQL as the user store.


Background

Tech Tip - CA Privileged Access Manager: Use CA Single Sign-On as Identity Authentication to CA PAM 

The Tech Tip above shows how the Federation Partnership on CA Single Sign-On is set up to reference an LDAP user store, with the same LDAP users imported into CA PAM so that the user identities match on both sides.


However, the identity carried in the SAML assertion can always be mapped to a PAM local user or to a PAM LDAP user, whichever username matches; the user store behind the IdP does not have to be the one PAM imported from.


Steps

  1. MS SQL
    Identify the users in the MS SQL server user store.
  2. CA Single Sign-On: Federation >> Partnership Federation >> Partnership
    Set up the IdP->SP Federation Partnership to reference the MS SQL database (select "local_user" and "fed_user" as Federated Users).

    In this example, I'm using the 'Name' user attribute for the NameID in the SAML assertion.
  3. CA PAM: Users >> Manage Users
    Create a new PAM user whose Username matches the MS SQL database user's 'Name', and ensure that 'SAML' authentication is selected.
  4. Now you can attempt Single Sign-On authentication with PAM.

    Similarly, you can single sign-on with "fed_user", even though this account was imported from an LDAP server.

    The passwords for "local_user" and "fed_user" differ between CA PAM and the MS SQL server. Because authentication is performed on the Identity Provider (IdP) side, the login credentials entered on the CA PAM login page must match the ones held in the MS SQL database in this example.
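The steps above boil down to one matching rule on the PAM side: the NameID value the IdP puts in the assertion must equal the Username of a PAM user that has 'SAML' authentication selected. The following script is an added illustration of that rule and is not CA/Symantec code; the SAML assertion, the issuer URL and the stand-in PAM user table are constructed sample data, and exact (case-sensitive) matching is an assumption of this example rather than documented PAM behaviour. It shows the successful mapping for "local_user" and the two failure modes a practitioner runs into: no PAM user with that name, and a PAM user that exists but is not configured for SAML.

```python
"""Map the NameID of a SAML assertion to a PAM user record.

Added illustration, not CA/Symantec code. The assertion, issuer URL and
the PAM user table below are constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP placed the MS SQL 'Name' attribute
# into <saml:NameID>, as in step 2. The XML signature is omitted here;
# a real SP verifies it before reading anything from the assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2017-08-26T10:22:00Z">
  <saml:Issuer>https://idp.example.com/sso</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">local_user</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed stand-in for the PAM "Users >> Manage Users" table (step 3).
PAM_USERS = {
    "local_user": {"authentication": "SAML"},
    "fed_user": {"authentication": "SAML"},   # imported from LDAP, SAML auth selected
    "dbadmin": {"authentication": "Local"},   # PAM local password only, no SAML
}


def extract_name_id(assertion_xml: str) -> str:
    """Return the NameID text from a SAML 2.0 assertion.

    Signature validation is assumed to have happened already; a NameID from
    an unverified assertion must not be used for login.
    """
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return node.text.strip()


def map_to_pam_user(name_id: str, users: dict) -> str:
    """Return the PAM Username the NameID maps to, or raise LookupError.

    Exact, case-sensitive comparison is an assumption of this example.
    """
    record = users.get(name_id)
    if record is None:
        raise LookupError(
            f"no PAM user named {name_id!r}; create one under Users >> Manage Users")
    if record["authentication"] != "SAML":
        raise LookupError(
            f"PAM user {name_id!r} exists but 'SAML' authentication is not selected")
    return name_id


def sso_login(assertion_xml: str, users: dict = PAM_USERS) -> dict:
    """Run the mapping end to end and report the outcome as a dict."""
    try:
        name_id = extract_name_id(assertion_xml)
        user = map_to_pam_user(name_id, users)
        return {"ok": True, "user": user}
    except (ET.ParseError, ValueError, LookupError) as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    # Matching user with SAML auth: login succeeds.
    print(sso_login(SAMPLE_ASSERTION))
    # User exists in PAM but is not a SAML user: rejected.
    print(sso_login(SAMPLE_ASSERTION.replace(">local_user<", ">dbadmin<")))
    # No PAM user with that Username at all: rejected.
    print(sso_login(SAMPLE_ASSERTION.replace(">local_user<", ">nobody<")))
```

The two rejection cases are the ones to check first when SSO to PAM fails after the partnership is in place: confirm the NameID value the IdP actually sends, then confirm a PAM user with exactly that Username exists and has 'SAML' selected.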