Introduction

Single Sign-On (SSO) is an authentication mechanism that allows users to log in once and gain access to multiple applications without needing to re-enter credentials. It enhances security by reducing password fatigue and minimising the risk of weak or reused passwords while improving user experience by streamlining access.

SSO is commonly implemented using protocols like SAML (Security Assertion Markup Language), where an Identity Provider (IDP) authenticates the user and issues a signed assertion that each service provider relies on to grant access, rather than checking a password itself.

Businesses and enterprises widely adopt SSO to simplify user management and enhance security in cloud and on-premise environments.

Tip

PAM supports SSO for all customers and regions, provided the customer's Identity Provider (IDP) supports SAML 2.0 integration.

Glossary

CIAM

Customer Identity and Access Management

A framework that manages customer authentication, authorization, and identity-related security for digital applications.

IDP

Identity Provider

A system or service that authenticates users and provides identity information to other systems, enabling secure access to applications and resources.

SAML

Security Assertion Markup Language

An open standard for exchanging authentication and authorization data between an identity provider (IDP) and a service provider (SP), commonly used for enabling SSO.

SSO

Single Sign-On

An authentication process that allows a user to access multiple applications with a single set of login credentials, reducing the need for multiple passwords.

XML

Extensible Markup Language

A flexible, text-based format for structuring and storing data, widely used in web services, configuration files, and document exchange.

PAM SSO Support

In order to utilise SSO for logging into PAMOS, customers are required to integrate with PAM's CIAM provider, Amazon Cognito, which acts as the SAML service provider (SP) while the customer's IDP remains the identity provider. SSO implementation requires configuration on PAM infrastructure as well as on the customer's enterprise IDP (e.g. Google Workspace, Azure AD).

Once configured, implementation of SSO in PAM allows for the ‘Single Sign On (SSO)’ button to be used when logging into PAMOS.

Provide Information to PAM

Customer Information Required

Customers wanting to configure SSO with PAMOS are required to provide PAM with the following:

  1. SAML Metadata Configuration

  2. Email Attribute

  3. Supported Email Domains

Further information can be found in the below sections.

SAML Metadata Configuration

Customers are required to provide the SAML 2.0 metadata of their enterprise IDP, either as the IDP's metadata URL or as the contents of its metadata .xml file. The certificate under KeyDescriptor use="signing" is what PAM's service provider uses to verify the signature on the IDP's responses: if the metadata is supplied as a static file, it must be re-supplied whenever the IDP rotates that certificate, and the SingleSignOnService locations must be https URLs. Examples of both formats follow (the sample is the public mocksaml.com test IDP, not a customer IDP):

Metadata .xml file content:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.example.com/entityid" validUntil="2035-02-10T01:14:09.024Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4 MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0 RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd 4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b 2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW 5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4 khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M m0eo2USlSRTVl7QHRTuiuSThHpLKQQ==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mocksaml.com/api/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mocksaml.com/api/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Metadata URL:

https://mocksaml.com/api/saml/metadata
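The following Python script is an added example (not PAM's tooling, nor anything from mocksaml.com) showing the checks worth running on IDP metadata before sending it to PAM: that it is IDP rather than SP metadata, that it advertises SAML 2.0, that validUntil has not passed, that the SSO endpoints are https, and that each signing certificate decodes as DER, reporting its SHA-256 fingerprint so it can be confirmed out-of-band with whoever administers the IDP. The embedded metadata is a constructed copy of the example above with a placeholder certificate; the function names are this example's own.

```python
"""Sanity-check SAML IdP metadata before handing it to PAM (added example)."""
from __future__ import annotations

import base64
import hashlib
from datetime import datetime, timezone
# ElementTree suits metadata fetched from your own IdP; for XML from an
# untrusted party, parse with the defusedxml package instead.
from xml.etree import ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample modelled on the page's mocksaml.com example. The X509Certificate is a
# placeholder DER blob (SEQUENCE { INTEGER 1 }) wrapped across lines like real metadata often
# is; it is not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.example.com/entityid" validUntil="2035-02-10T01:14:09.024Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MAMC
        AQE=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mocksaml.com/api/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mocksaml.com/api/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2035-02-10T01:14:09.024Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the fields the service provider (Cognito, for PAM) relies on."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # An absent 'use' means the key serves signing and encryption, so only
        # an explicit use="encryption" is skipped.
        if kd.get("use", "signing") == "encryption":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der.startswith(b"\x30"):  # DER SEQUENCE tag
                raise ValueError("X509Certificate does not decode to DER")
            fingerprints.append(hashlib.sha256(der).hexdigest())
    endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        endpoints[binding] = svc.get("Location", "")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "protocols": (idp.get("protocolSupportEnumeration") or "").split(),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "nameid_formats": [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": endpoints,
        "signing_cert_sha256": fingerprints,
    }


def check_idp_metadata(meta: dict, now: datetime) -> list[str]:
    """Return the problems found; an empty list means the metadata is usable."""
    problems = []
    if not meta["entity_id"]:
        problems.append("missing entityID")
    if meta["valid_until"] and _parse_saml_time(meta["valid_until"]) <= now:
        problems.append(f"metadata expired at {meta['valid_until']}")
    if SAML2_PROTOCOL not in meta["protocols"]:
        problems.append("IdP does not advertise SAML 2.0")
    if not meta["signing_cert_sha256"]:
        problems.append("no signing certificate: response signatures could not be verified")
    if not (meta["sso_endpoints"].keys() & {"HTTP-POST", "HTTP-Redirect"}):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    for binding, location in meta["sso_endpoints"].items():
        if not location.startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {location}")
    return problems


def audit_idp_metadata(xml_text: str, now_iso: str | None = None) -> dict:
    """Parse and check in one call; now_iso pins the clock for repeatable runs."""
    now = _parse_saml_time(now_iso) if now_iso else datetime.now(timezone.utc)
    meta = parse_idp_metadata(xml_text)
    meta["problems"] = check_idp_metadata(meta, now)
    return meta


if __name__ == "__main__":
    result = audit_idp_metadata(SAMPLE_METADATA)
    print(result["entity_id"], result["signing_cert_sha256"], result["problems"] or "no problems")
```

Run it against the metadata you are about to send (replace SAMPLE_METADATA with the file contents, or with the body fetched from the metadata URL). An empty problems list plus a fingerprint that the IDP administrator recognises is the state you want before PAM support configures the provider.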

Email Attribute

Customers are required to provide the name of the SAML attribute in the IDP response that carries the user's email address (e.g. emailAddress or email). PAM uses this attribute to identify the user, so the IDP must populate it for every user who will sign in, with exactly one address per response.

Supported Email Domains

Customers are required to provide a comma-separated list of the email domains that should be accepted by PAM SSO (e.g. company1.com, company2.com, company3.com). List every domain your users' addresses use, including subsidiary domains, as bare domain names.
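As an added example (not PAM's code), the script below shows what these two items are used for on the service-provider side: locating the configured email attribute in an IDP response, and checking the resulting address against the domain list with an exact, case-insensitive match rather than a suffix check. The response is a constructed, unsigned sample; in practice the SP (Cognito) verifies the response signature before any attribute is read, and that step is out of scope here. Function names are this example's own.

```python
"""Locate the email attribute in a SAML response and apply the domain allowlist.

Added example, not PAM's code. Signature verification of the response happens
in the SP before any attribute is trusted and is not shown here.
"""
from __future__ import annotations

from xml.etree import ElementTree as ET  # use defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample response: this IdP sends the address under the
# attribute name "emailAddress", which is what the customer would tell PAM.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice.Smith@Company1.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="emailAddress">
        <saml:AttributeValue> Alice.Smith@Company1.com </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Alice Smith</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_names(response_xml: str) -> list[str]:
    """List the attribute names a response carries, to pick the email one from."""
    root = ET.fromstring(response_xml)
    return [a.get("Name", "") for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)]


def email_from_response(response_xml: str, attribute_name: str) -> str:
    """Return the single value of the configured email attribute, or raise."""
    root = ET.fromstring(response_xml)
    values = [
        (v.text or "").strip()
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == attribute_name
        for v in a.findall("saml:AttributeValue", NS)
    ]
    if len(values) != 1 or not values[0]:
        raise ValueError(f"expected exactly one non-empty {attribute_name!r}, got {values}")
    return values[0]


def parse_domain_list(csv: str) -> frozenset[str]:
    """Normalise the comma-separated list the customer supplies to PAM."""
    domains = set()
    for item in csv.split(","):
        domain = item.strip().lower().rstrip(".")
        if not domain:
            continue  # tolerate a trailing comma
        if "@" in domain or "/" in domain or " " in domain:
            raise ValueError(f"not a bare domain name: {item!r}")
        domains.add(domain)
    return frozenset(domains)


def email_domain(email: str) -> str | None:
    """Domain part of an address, or None if the address is not well-formed."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return domain.lower()


def is_email_allowed(email: str, allowed: frozenset[str]) -> bool:
    """Exact, case-insensitive domain match: no suffix matching, no subdomains.

    A suffix check such as email.endswith("company1.com") would accept
    user@notcompany1.com, and treating subdomains as equivalent admits
    addresses the customer never listed.
    """
    domain = email_domain(email)
    return domain is not None and domain in allowed


if __name__ == "__main__":
    allowed = parse_domain_list("company1.com, company2.com, company3.com")
    email = email_from_response(SAMPLE_RESPONSE, "emailAddress")
    print(attribute_names(SAMPLE_RESPONSE), email, is_email_allowed(email, allowed))
```

The attribute_names helper is the quickest way to answer PAM's question when you are unsure what your IDP calls the email attribute: capture one SAML response from a test login (browser developer tools or a SAML tracer extension), decode it, and list the names it carries.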

PAM Information Required

Customers are required to configure their enterprise IDP with the information below as appropriate (the examples are for information only; PAM support will provide the customer-specific values). The entity ID and ACS URL must be entered exactly as provided: the IDP embeds them in its responses (as the Audience and the Destination/Recipient), and a mismatch will cause Cognito to reject the login.

  • SAML entity ID (e.g. urn:amazon:cognito:sp:<yourUserPoolId>)

  • ACS URL (e.g. https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse)

  • Start URL (e.g. https://sso-portal.awsapps.com/start)

Guides

See below (external) guides to configuration with various IDPs:

  • Google Workspace: https://github.com/aws-samples/amazon-cognito-example-for-multi-tenant/blob/main/docs/GoogleInstructions.md