SAML authentication

This topic describes how to configure SAML authentication in PAM - Self-Hosted and in your IdP.

Overview

SAML authentication enables you to implement an Identity Provider (IdP) solution and benefit from an SSO workflow across multiple domains.

After you configure SAML authentication, all users can use this authentication method, whether they were provisioned through LDAP integration or were created manually as CyberArk users.

PAM - Self-Hosted supports SAML version 2.0.

Configure the IdP

Assertion

PAM - Self-Hosted supports only one assertion per SAML response.

Make sure that your IdP is configured to include exactly one assertion in the response.

Assertion Consumer Service URL

For the v9 UI: https://<PVWA DNS or IP>/PasswordVault/auth/saml

For the v10 UI: https://<PVWA DNS or IP>/PasswordVault/api/auth/saml/logon

SAML Identity Location

Make sure that your IdP places the user identity in the NameID element of the Subject statement of the assertion.

The PVWA reads the user name from the <Subject> statement of the assertion.

Secure hash algorithm

Use one of the following hash algorithms for the signature:

  • SHA256 (recommended)
  • SHA1

This algorithm is used to sign the SAML response XML that the IdP returns to the PVWA.

Signed requests

To send signed requests, configure PAM - Self-Hosted to sign its requests in saml.config, as described in To support signed requests below.

If signed requests are not configured in saml.config, make sure the IdP is set to accept unsigned requests.

User name

Configure the IdP to return the user name inside the NameID tag.

PAM - Self-Hosted supports the unspecified NameID format (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified).

Audience

The value used by the IdP to identify the PVWA as a relying party.

The value must be identical to the ServiceProvider Name configured in PAM - Self-Hosted.

Login flow

By default, PAM - Self-Hosted supports the Service Provider initiated login flow, in which the PVWA issues an AuthnRequest and accepts only a response whose InResponseTo matches that request. This is the recommended and most secure flow. In an IdP initiated flow the PVWA must accept unsolicited responses that carry no InResponseTo value, so enable it only if your IdP requires it. To enable an IdP initiated login flow, do the following:

  1. From the installation folder, open the web.config file for editing.
  2. In the appSettings tag, add the following line:

    <add key="EnableIdPInitiatedSso" value="yes"/>

IdP initiated login is supported in the v10 UI only.

Update SAML configuration after upgrading to Version 11.6 and later

If you are already working with SAML authentication, and you are upgrading to 11.6 or later, you need to update your SAML configuration settings.

  • Open the saml.config file located in the installation folder (the default location is \Inetpub\wwwroot\PasswordVault), and configure the PartnerIdentityProvider Name. (The rest of the parameters are configured during the upgrade process.)

Configure SAML authentication in PAM - Self-Hosted

To configure SAML in PAM - Self-Hosted, you need to configure the PVWA and the saml.config file in the PasswordVault installation folder.

To configure the PVWA:

  1. Log on to the PVWA.

  2. Click Administration > Configuration Options > Options.

  3. In the Options pane, expand Authentication Methods, and click saml.

  4. In the Properties pane, set the following fields: 

    Enabled

    Set to Yes.

    LogoffUrl

    Specify the logoff page of your IdP.

    If your IdP does not have a logoff URL, clear this field. Users will remain authenticated to the PVWA as long as they are authenticated to the IdP.

  5. In the Options pane, right-click Access Restriction, and then select Add AllowedReferrer.

  6. In the Properties pane, in BaseURL, specify the URL of your IdP.
  7. Click Apply to save the new configurations.

To edit the configuration file:

  1. In the PasswordVault installation folder (the default location is \Inetpub\wwwroot\PasswordVault), make a copy of the saml.config.template file, and rename it to saml.config.

  2. Edit the saml.config file as follows:

    Parameter                     Description

    SingleSignOnServiceUrl        The login URL of your IdP.

    Certificate                   The base 64 text representation of the certificate that is configured for your IdP as the SAML response signing certificate. The PVWA uses it to verify the signature on the responses.

    PartnerIdentityProvider Name  The IdP identifier that enables the PVWA to identify the IdP. Also known as the EntityId of the identity provider.

    ServiceProvider Name          The Issuer string that enables the PVWA to identify itself to the IdP. Also known as the EntityId of the service provider. It must be identical to the Audience defined in the IdP.

  3. To support signed requests:

    • Add the following to the ServiceProvider element:

      <LocalCertificates>
          <Certificate FileName="<local certificate path>" Password="<the password you set for the certificate>" />
      </LocalCertificates>

      saml.config then holds the certificate password in clear text, so restrict read access to the file to administrators and the IIS application pool identity that runs the PVWA.

    • Add the following attribute to the PartnerIdentityProvider element:

      SignAuthnRequest="true"

  4. To support an encrypted assertion:

    • Add the following within the ServiceProvider element:

      <LocalCertificates>
          <Certificate FileName="<the exported certificate path>" Password="<the password you set for the certificate>" />
      </LocalCertificates>

    • Export the certificate's public key and supply it to the IdP, which uses it to encrypt the assertion. The private key in the file referenced by FileName stays on the PVWA and is used to decrypt the assertion.

  5. To require the IdP to re-authenticate the user on every logon to the PVWA, even when the user already has an active IdP session (force authentication), add the following attribute to the PartnerIdentityProvider element:

    ForceAuthn="true"

Sample SAML request and response

SAML request from the PVWA to the IdP.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0" IssueInstant="2007-12-10T11:39:34Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://localhost/Passwordvault/auth/saml">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">PasswordVault</saml:Issuer>
</samlp:AuthnRequest>

SAML response from the IdP to the PVWA. The Destination and Recipient values in this sample come from a generic ADFS setup; in a real response they must match the Assertion Consumer Service URL configured in the IdP.

<samlp:Response ID="_dd89c43c-ac4d-4f11-8215-d72b9b04f465" Version="2.0" IssueInstant="2014-09-18T08:42:38.873Z" Destination="https://localhost/SAMLAPP/Consume.aspx" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_d03ece3f-6875-452f-8a81-4e4f498cce8f" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://www.yourserver.com/adfs/services/trust</Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <Assertion ID="_a7c66b16-f1cd-4791-8a92-5c05fd879356" IssueInstant="2014-09-18T08:42:38.872Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <Issuer>http://www.yourserver.com/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_a7c66b16-f1cd-4791-8a92-5c05fd879356">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>DWu0VvTPAIFkWRcv8jKrrxwYJOY=</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue> </ds:SignatureValue>
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate> </ds:X509Certificate>
            </ds:X509Data>
         </KeyInfo>
      </ds:Signature>
      <Subject>
         <NameID>Administrator@mycompanydom.local</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="_d03ece3f-6875-452f-8a81-4e4f498cce8f" NotOnOrAfter="2014-09-18T08:47:38.873Z" Recipient="https://localhost/SAMLAPP/Consume.aspx" />
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2014-09-18T08:42:38.868Z" NotOnOrAfter="2014-09-18T09:42:38.868Z">
         <AudienceRestriction>
            <Audience>PasswordVault</Audience>
         </AudienceRestriction>
      </Conditions>
      <AuthnStatement AuthnInstant="2014-09-18T08:17:57.154Z" SessionIndex="_a7c66b16-f1cd-4791-8a92-5c05fd879356">
         <AuthnContext>
            <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
         </AuthnContext>
      </AuthnStatement>
   </Assertion>
</samlp:Response>
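As an added example that is not part of CyberArk's documentation or code, the following Python script applies the IdP requirements listed under Configure the IdP (one assertion, the user name in Subject/NameID in the unspecified format, an Audience equal to the ServiceProvider Name, an Issuer equal to the PartnerIdentityProvider Name, a SHA256 or SHA1 signature) together with the standard bearer-assertion checks to a response like the sample above. It also shows why the SP initiated flow is the safer one: an unsolicited response (no InResponseTo) is rejected unless IdP initiated SSO is explicitly allowed, and a response whose InResponseTo does not match the request the PVWA issued is rejected as well. The sample response is constructed from the one shown above, with the Recipient changed to the v10 UI Assertion Consumer Service URL and a placeholder signature value; the script does not verify the XML signature cryptographically, so it is a troubleshooting aid, not a replacement for the PVWA's own validation.

```python
"""Pre-flight checks of a SAML response against the PVWA requirements on this page
(one assertion, user name in Subject/NameID, Audience == ServiceProvider Name, Issuer ==
PartnerIdentityProvider Name, SHA256/SHA1 signature, InResponseTo correlation).
Added example, not CyberArk code; it does NOT verify the signature cryptographically."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def _ts(value):  # SAML timestamps are UTC, e.g. 2014-09-18T08:42:38.873Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, sp_name, idp_name, acs_url, request_id=None,
                   allow_idp_initiated=False, now=None):
    """Return a list of findings; an empty list means the response passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    resp = ET.fromstring(xml_text)
    # The PVWA supports only one assertion per response.
    assertions = resp.findall("saml:Assertion", NS) + resp.findall("saml:EncryptedAssertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one assertion, found %d" % len(assertions)]
    a = assertions[0]
    if a.tag.endswith("EncryptedAssertion"):
        return ["assertion is encrypted; decrypt it with the LocalCertificates key first"]
    for issuer in (resp.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != idp_name:
            problems.append("Issuer does not match the PartnerIdentityProvider Name")
            break
    # Signature on the assertion (or the response); its Reference must cover the signed element.
    holder, sig = a, a.find("ds:Signature", NS)
    if sig is None:
        holder, sig = resp, resp.find("ds:Signature", NS)
    if sig is None:
        problems.append("neither the assertion nor the response is signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg == RSA_SHA1:
            problems.append("signature uses SHA1; SHA256 is recommended")
        elif alg != RSA_SHA256:
            problems.append("unsupported signature algorithm %r" % alg)
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (holder.get("ID") or ""):
            problems.append("signature Reference does not cover the signed element")
    # The PVWA takes the user name from Subject/NameID (unspecified format).
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject has no NameID")
    elif name_id.get("Format") not in (None, NAMEID_UNSPECIFIED):
        problems.append("NameID Format %s is not the unspecified format" % name_id.get("Format"))
    audiences = [e.text.strip() for e in
                 a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if sp_name not in audiences:
        problems.append("Audience %s does not contain the ServiceProvider Name %r" % (audiences, sp_name))
    # Bearer confirmation: Recipient, request correlation (replay defence) and validity window.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") not in (None, acs_url):
            problems.append("Recipient is not the Assertion Consumer Service URL")
        in_response_to = scd.get("InResponseTo") or resp.get("InResponseTo")
        if in_response_to is None:
            if not allow_idp_initiated:
                problems.append("unsolicited response (no InResponseTo) while IdP initiated SSO is disabled")
        elif in_response_to != request_id:
            problems.append("InResponseTo does not match an AuthnRequest the PVWA issued")
    for label, elem in (("bearer confirmation", scd), ("assertion", a.find("saml:Conditions", NS))):
        if elem is not None and elem.get("NotOnOrAfter") and now >= _ts(elem.get("NotOnOrAfter")):
            problems.append(label + " has expired")
    return problems


# Constructed sample, trimmed from the response shown on this page, with Recipient set to
# the v10 UI Assertion Consumer Service URL; the signature value is a placeholder.
IDP_NAME = "http://www.yourserver.com/adfs/services/trust"
ACS_URL = "https://localhost/PasswordVault/api/auth/saml/logon"
REQUEST_ID = "_d03ece3f-6875-452f-8a81-4e4f498cce8f"
FROZEN_NOW = datetime(2014, 9, 18, 8, 43, tzinfo=timezone.utc)  # inside the sample's window
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_dd89c43c"
 Version="2.0" IssueInstant="2014-09-18T08:42:38.873Z" InResponseTo="%s">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">%s</Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a7c66b16" Version="2.0"
  IssueInstant="2014-09-18T08:42:38.872Z"><Issuer>%s</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
   <ds:Reference URI="#_a7c66b16"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <Subject><NameID>Administrator@mycompanydom.local</NameID>
   <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData
    InResponseTo="%s" NotOnOrAfter="2014-09-18T08:47:38.873Z" Recipient="%s"/></SubjectConfirmation></Subject>
  <Conditions NotBefore="2014-09-18T08:42:38.868Z" NotOnOrAfter="2014-09-18T09:42:38.868Z">
   <AudienceRestriction><Audience>PasswordVault</Audience></AudienceRestriction></Conditions>
 </Assertion></samlp:Response>""" % (REQUEST_ID, IDP_NAME, IDP_NAME, REQUEST_ID, ACS_URL)
```

To use it on a real logon, base64-decode the SAMLResponse form field that the browser posts to the Assertion Consumer Service URL and call check_response with your ServiceProvider Name, PartnerIdentityProvider Name, ACS URL and the ID of the AuthnRequest the PVWA sent (or allow_idp_initiated=True when EnableIdPInitiatedSso is set). An empty result means the response meets the structural requirements on this page, so a remaining logon failure is most likely a signature or certificate problem.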