Symantec Access Management

  • 1.  CA PAM integration with SSO and Kerberos Authentication

    Posted May 15, 2019 02:06 PM

    Hi to all,

    I've a working installation of CA PAM integrated with SSO (SiteMinder 12.7, access gateway based on Windows) with IWA authentication. CA PAM is configured as RP (Config >> Xsuite SAML RP Configuration) and CA SSO as IdP.


    Now I have set up a new system, SiteMinder 12.8-sp2 with a Linux access gateway. I also set up working Kerberos authentication. The auth method is Kerberos with fallback to Form Authentication. I changed the RP config to use the new IdP.
    If I access PAM with Internet Explorer (or Firefox) from a domain PC, it works: when I click on "Single Sign-On" I get authenticated.

    But if I use the standalone client, no! I get redirected to Form Authentication.

    The client appears to support only IWA but not Kerberos!

    What do you think?

     

     



  • 2.  RE: CA PAM integration with SSO and Kerberos Authentication
    Best Answer

    Posted Jun 28, 2019 01:57 PM

    Hi everyone,
    I solved it!
    Or rather, it cannot be done due to a limitation of the browser that is the basis of the PAM client (JxBrowser), which does not support Kerberos (but supports NTLM). So I installed two agents on two IIS servers behind a load balancer to protect redirect.jsp on SPS (yes, SPS is Linux-based, but redirect.jsp is protected with the NTLM authentication page hosted on the agent on the IIS server).

    Now I can log in to the CA PAM client from a domain computer without entering a password.