SAML configuration with RAG Portal

Hello everyone,

I’ll try to explain what I’m attempting to do, as I’m not sure if it’s possible, and if it is, how it should be done or what the best approach would be.

Environment:

It seems that the RAG Portal does not have administrative functionality, so I’m trying to set it up as follows:

My goal is for administrators to connect via pam.domain.com, while regular users access the system via portal.domain.com.

Since all users are in the same Entra tenant, I’m trying to configure authentication for both the PAM server and the RAG Portal using Entra SAML. However, I’m facing the following issue:

If I enable “Use Remote Access Gateway” for authentication, I can no longer authenticate via SAML from pam.domain.com at all.

As I understand it, I cannot have two separate authentications within the same Entra tenant because Netwrix PAM provides a fixed “Identifier (Entity ID)” as sbpamsaml.stealthbits.com, and Entra does not support two applications with the same identifier.

Additionally, it seems that Netwrix PAM does not provide an option to configure the “Reply URL (Assertion Consumer Service URL)”, which may also be causing issues.

Any help would be appreciated; the documentation is very limited. Maybe I’m just trying to do this the wrong way.

4 Likes

Hi Mikas!

Sorry about that! You should be able to use more links now—I just tweaked this setting :slight_smile:

Thanks, I edited the original post :slight_smile:

1 Like

Hello Mikas,

Thanks for reaching out. There is a current limitation with SAML and using the RAG Portal. You do need to set up two separate Authentication connectors, one for internal use and another for external use. We wanted to make sure that there was a clear separation.

Since you are using an Azure application, you could use OIDC instead of SAML to provide the authentication. This will allow you to use the same application in Azure, the callback URL sent by the client will redirect to the Portal instead of the main application.

Using OIDC should help you get past the SAML limitation.

This is showing the Application configuration for my dev lab using internal IPs for the callbacks. The NPS UI is at https://192.168.77.132:6500 and the Portal UI is at https://192.168.1.182

I have two authentication connections using this App registration with OIDC.

HTH,
-Kevin

3 Likes

Thank you for the information, I will try to reconfigure it tomorrow.

Could you please clarify further? In the Entra Enterprise application, I am using https://portal.domain.com/samlSigninCallback as the Reply URL. It seems to have a different structure from yours. From my attempts, using https://portal.domain.com/Callback did not work.

/samlSigninCallback is for SAML authentication flow.
/callback is for OIDC authentication flow.

1 Like

Please also be aware that NPS will allow you to select a single ‘Authentication connector’ per user on the ‘authentication connector’ tab on the user details. So please ensure that your regular users have the appropriate authentication connector assigned to them (i.e. Entra ID OIDC - Portal) vs your administrator users (i.e. Entra ID OIDC - PAM). Otherwise, a user will seemingly authenticate but will be logged out of the system because of an authenticator mismatch.

3 Likes

Thank you for the clarification. In that case, the documentation is inaccurate: Netwrix Documentation.

2 Likes

Thank you for bringing this to my attention. I will make sure to get this updated!

2 Likes

Hi, @kevin.horvatin

I’m stuck on configuring OpenID. I had an MS Teams meeting with Netwrix support, but they couldn’t help either. Maybe you can point me in the right direction.
Steps I take:

  1. Microsoft Azure → App registrations → New Registration
  2. Accounts in this organizational directory only (DOMAIN only - Single tenant)
  3. Redirect URI (Optional) → Single-page application (SPA) → https://pam.domain.com/callback
  4. Register
  5. Manage → Authentication → Select the tokens you would like to be issued by the authorization endpoint: → Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows) → Save
  6. Certificates & secrets → Client secrets → New Client secret
  7. API permissions → Adding Microsoft Graph (delegated): email, offline_access, openid, profile, User.Read

Steps on the Netwrix PAM server:

  1. Configuration → Authentication → name “TEST OPENID”
  2. Connector Type → OpenID Connect (NOT “Use Remote Access Gateway”)
  3. Configuration Wizard
  4. Issuer → https://login.microsoftonline.com/{TENANT_ID}
  5. Client Id → From Microsoft Azure registered application “Application (client) ID” field value.
  6. Callback Address → https://pam.domain.com/callback (non-editable field, default value)
  7. CORS → https://pam.domain.com (non-editable field, default value)
  8. Test Connection → Back on browser → Next in the configuration window
  9. Test Login tab in the configuration window: only the Login button is enabled → Log in to Microsoft

Now strange things are happening in the browser’s network:
The https://pam.domain.com/callback request response:
“You need to enable JavaScript to run this app.”

The Netwrix OpenID Connect Configuration window displays the following message:
Login was unsuccessful. Confirm that the user is allowed to access the application and try again or click ‘Back’ to modify the configuration.
Error: No access token found

Azure Audit Log Details:
Target → Registered application ID and Name
Activity: Status → success

It feels like the application registered in Azure is not returning the token back to Netwrix PAM.

I would like to note that the Netwrix documentation also does not specify what permissions are required for the application registered in Azure.

1 Like

Hello Mikas,

This is the documentation on how to set up the Azure App for OIDC connections.

I will review what you have here and get back to you. I just wanted to send you this right away in case you haven’t seen it.

2 Likes

Silly question but did you click on the ‘Consent on behalf of your organization’ box?

You saved my day :slight_smile:

I hadn’t seen this documentation before, but it helped solve the problem.
The problem was that in Netwrix PAM, I specified the Issuer as:
https://login.microsoftonline.com/{TENANT}
but it should have been:
https://login.microsoftonline.com/{TENANT}/v2.0

After making these changes, authentication to the PAM Server started working. Now, I still need to test authentication to the RAG Portal.

Thank you!

I think the correct endpoints should be specified in the Netwrix Privilege Secure documentation.

Weird, the Azure application also does not provide such an option under Endpoints.

3 Likes
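As an added check, not part of this thread or of Netwrix’s product: a small Python script that reproduces why the issuer value matters. It resolves the configured issuer to its discovery URL and compares the published `issuer` field with the configured value, using constructed discovery documents in the shape Entra ID serves for its v1 and v2.0 metadata endpoints (the tenant id is a placeholder).

```python
from urllib.parse import urlparse

# Constructed placeholder tenant id, not a real tenant.
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = f"https://login.microsoftonline.com/{TENANT}"

# Constructed discovery documents in the shape Entra ID publishes at its v1 and
# v2.0 metadata URLs, trimmed to the fields this check needs (offline stand-in
# for an HTTPS GET).
_DISCOVERY = {
    f"{BASE}/.well-known/openid-configuration": {
        "issuer": f"https://sts.windows.net/{TENANT}/",
        "authorization_endpoint": f"{BASE}/oauth2/authorize",
        "token_endpoint": f"{BASE}/oauth2/token",
        "jwks_uri": f"{BASE}/discovery/keys",
    },
    f"{BASE}/v2.0/.well-known/openid-configuration": {
        "issuer": f"{BASE}/v2.0",
        "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
        "token_endpoint": f"{BASE}/oauth2/v2.0/token",
        "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    },
}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer: str) -> str:
    """Where an OIDC client fetches metadata, given the configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(configured_issuer: str) -> list[str]:
    """Return problems with the configured issuer; an empty list means usable."""
    url = discovery_url(configured_issuer)
    doc = _DISCOVERY.get(url)
    if doc is None:
        return [f"no discovery document at {url}"]
    problems = []
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"discovery document lacks '{key}'")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"'{key}' is not an https URL")
    # OIDC Discovery requires the published issuer to equal the configured value
    # exactly; the v1-style issuer from the thread fails this against Entra ID.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"discovery publishes {doc.get('issuer')!r}")
    return problems
```

Against a live tenant, replace the `_DISCOVERY` lookup with an HTTPS GET of `discovery_url(...)` and the same comparison applies.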

I haven’t seen such a window :slight_smile: It looks like the authentication was happening, but from the wrong endpoint.
But thanks for the observation!

2 Likes

I was just about to write that endpoint was possibly the problem :slight_smile:

Thank you again for the feedback. I will work with the documentation team to improve the documentation for OIDC logins.

1 Like

Many thanks to everyone, especially @kevin.horvatin, for helping with the authentication configuration.

I probably have just one remaining question that I’m thinking of solving this way:

  • External users connect via RAG Portal OpenID authentication – this part is clear.
  • But what should I do with users who are also administrators?

My idea is to have two separate users in AD, for example, Mikas and Mikas-Adm, and link both to the same Entra ID user. One would be used for external authentication via the RAG Portal, and the other for internal authentication via the PAM Server.

Am I thinking about this correctly?

3 Likes

Yes, that should work, just make sure that you can match the user with properties from the claims that are going to the server.

The internal auth would be using the claim that matches to your ADM user.
The external auth would be using the claim that matches your “user” user.

OIDC is flexible so you can certainly have a custom attribute for that.

I don’t have a lab working right now that I can test this out, but I think this should work for you.

Good luck and if you run into issues, please feel free to reach out!

2 Likes