Enterprise Single Sign-On (SSO)
Introduction
Single Sign-On (SSO) is an authentication mechanism that allows users to log in once and gain access to multiple applications without needing to re-enter credentials. It enhances security by reducing password fatigue and minimising the risk of weak or reused passwords while improving user experience by streamlining access.
SSO is commonly implemented using protocols like SAML (Security Assertion Markup Language), where an Identity Provider (IDP) authenticates users and grants them access to various services.
PAM supports SSO for all customers and regions, provided the customer’s Identity Provider (IDP) uses and supports SAML integration.
Glossary
| Term | Definition |
|---|---|
| CIAM | Customer Identity Access Management: a framework that manages customer authentication, authorization, and identity-related security for digital applications. |
| IDP | Identity Provider: a system or service that authenticates users and provides identity information to other systems, enabling secure access to applications and resources. |
| SAML | Security Assertion Markup Language: an open standard for exchanging authentication and authorization data between an identity provider (IDP) and a service provider (SP), commonly used for enabling SSO. |
| SSO | Single Sign-On: an authentication process that allows a user to access multiple applications with a single set of login credentials, reducing the need for multiple passwords. |
| XML | Extensible Markup Language: a flexible, text-based format for structuring and storing data, widely used in web services, configuration files, and document exchange. |
PAM SSO Support
In order to utilise SSO for logging into PAMOS, customers are required to integrate with PAM’s CIAM provider Cognito. SSO requires configuration on PAM infrastructure, as well as on a customer’s enterprise software (e.g. Google Workspace, Azure AD).
Once configured, the ‘Single Sign On (SSO)’ button can be used when logging into PAMOS.
Customer Information Required
Customers wanting to configure SSO with PAMOS are required to provide PAM with the following:
SAML Metadata Configuration
Email Attribute
Supported Email Domains
Further information can be found in the below sections.
SAML Metadata Configuration
Customers are required to provide the .xml SAML metadata for their particular enterprise IDP. This can be provided to PAM in the following formats:
As a URL (e.g. https://mocksaml.com/api/saml/metadata)
As a raw .xml file (example shown below)
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.example.com/entityid" validUntil="2035-02-10T01:14:09.024Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4 MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0 RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd 4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b 2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW 5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4 khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M m0eo2USlSRTVl7QHRTuiuSThHpLKQQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mocksaml.com/api/saml/sso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mocksaml.com/api/saml/sso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
Email Attribute
Customers are required to provide the SAML attribute within the IDP response that corresponds to the user's email (e.g. emailAddress or email).
Supported Email Domains
Customers are required to provide a list of email domains that should be supported by PAM SSO (e.g. company1.com, company2.com, company3.com).
PAM Information Required
Customers are required to configure their enterprise IDP with the below information as appropriate (examples given are for information only, PAM support will provide customer-specific values).
SAML entity ID (e.g. urn:amazon:cognito:sp:<yourUserPoolId>)
ACS URL (e.g. https://<yourDomainPrefix>.auth.region.amazoncognito.com/saml2/idpresponse)
Start URL (e.g. https://sso-portal.awsapps.com/start)
Guides
See below (external) guides to configuration with various IDPs: