Using ADFS to authenticate on a Privileged Access Management REST API based portal?

  • Question

  • Hi,

    The goal is to activate PAM Roles from untrusted forest. Is it possible?


    - The only thing common connecting the  and the user is his samAccountName.

    - There is only a Federation trust. There is no kerberos trust.


    The scenario is to publish IIS portals that use Windows authentication (Kerberos) through the Web Application Proxy.

    1. ADFS "Match" the to

    2. ADFS enriches the SAML-Token with the group membership of

    3. ADFS requests a Kerberos ticket for the user containing his group membership.

    4. The user can activate a PAM role using the Privileged Access Management REST API based portal.


    PS: Read also:


    • Edited by Guy Horn Tuesday, January 9, 2018 1:56 PM
    Tuesday, January 9, 2018 1:53 PM


  • No this is not possible and not the purpose of PAM. In fact, it would go against everything PAM tries to accomplish.

    The user that is granted access is a BASTION Account. Period.

    Nosh Mernacaj, Identity Management Specialist

    • Marked as answer by Guy Horn Friday, February 2, 2018 1:28 PM
    Tuesday, January 9, 2018 2:17 PM