Using ADFS to authenticate on a Privileged Access Management REST API based portal?

  • Question

  • Hi,

    The goal is to activate PAM roles from an untrusted forest. Is it possible?

    Conditions:

    - The only thing in common connecting user@external.com and user@internal.com is his samAccountName.

    - There is only a federation trust. There is no Kerberos trust.

    Scenario:

    The scenario is to publish IIS portals that use Windows authentication (Kerberos) through the Web Application Proxy.

    1. ADFS "matches" user@external.com to user@internal.com.

    2. ADFS enriches the SAML token with the group membership of user@internal.com.

    3. ADFS requests a Kerberos ticket for the user containing his group membership.

    4. The user can activate a PAM role using the Privileged Access Management REST API based portal.

    ----

    PS: See also: https://social.technet.microsoft.com/Forums/en-US/6caa7461-7c90-4e3f-b7fc-6fe2db2c9ff3/using-adfs-to-authenticate-on-a-mim-user-portal?forum=ilm2


    GH


    • Edited by Guy Horn Tuesday, January 9, 2018 1:56 PM
    Tuesday, January 9, 2018 1:53 PM

Answers

  • No, this is not possible and not the purpose of PAM. In fact, it would go against everything PAM tries to accomplish.

    The user that is granted access is a BASTION Account. Period.


    Nosh Mernacaj, Identity Management Specialist

    • Marked as answer by Guy Horn Friday, February 2, 2018 1:28 PM
    Tuesday, January 9, 2018 2:17 PM