Authenticating users without relying on passwords
We've done quite a few SAML-based integrations with identity providers. With Authlogics it was a little different. Instead of SAML to their server it was SAML to Active Directory Federation Services (ADFS). The interaction with the Authlogics Authentication server is handled by their Active Directory Agent.
ADFS provides "Windows Integrated Authentication" User Agents. Whilst this support is built-in for Edge and Internet Explorer it can be extended to Chrome and other browsers.
This means that Chrome can pick up the identity of the logged-in Windows user and use it against web services and IDPs (Identity Providers).
With Authlogics and SAML we were able to deliver passwordless authentication to Osirium PAM with the added security of Multifactor Authentication.
PAM, IAM and IDPs
To put it very briefly:
- Osirium's PAM (Privileged Access Management) product is essentially Identity IN - Role OUT
- IDPs are essentially Authentication IN, Verified Identity OUT
- IAM is the world in which you are provided services depending on the properties of your Identity
This is why PAM and IDPs are best friends. A higher quality of identity into a PAM product will improve overall system security.
You can consider it thus:
Radius or SAML, take your choice
You can use either. Radius is very simple to set up and relies on a shared secret between the Authlogics and Osirium PAM Servers. It has the disadvantage of not supporting WIA (Windows Integrated Authentication).
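The shared secret mentioned above is the only thing that protects the credential carried in a RADIUS Access-Request: the User-Password attribute is not encrypted with a session key, it is XORed with an MD5 stream derived from the secret and the packet's Request Authenticator (RFC 2865 section 5.2). The following is an added example, not code from the original post or from Authlogics or Osirium, showing that hiding and its inverse so the dependency on the secret is concrete; the secret, authenticator and password values are constructed for illustration.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2), added example."""
import hashlib


def _xor16(block: bytes, key: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(block, key))


def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Produce the User-Password attribute value sent to the RADIUS server.

    The password is NUL-padded to a multiple of 16 bytes. Each block is XORed
    with MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator from the packet header instead.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = _xor16(padded[i:i + 16], keystream)
        hidden += block
        prev = block          # chaining: next keystream depends on this ciphertext
    return hidden


def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server does with the same secret; strips the NUL padding."""
    if len(hidden) % 16 != 0 or not hidden:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += _xor16(block, keystream)
        prev = block
    return plain.rstrip(b"\x00")


# Constructed sample values (not real credentials).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))   # real packets use 16 unpredictable bytes
SAMPLE_PASSWORD = b"pin-grid-code-4711"


def round_trip(secret: bytes = SAMPLE_SECRET) -> bytes:
    """Hide with the sample secret, reveal with `secret`; only the right secret works."""
    hidden = hide_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    return reveal_password(hidden, secret, SAMPLE_AUTHENTICATOR)


if __name__ == "__main__":
    print(round_trip() == SAMPLE_PASSWORD)                 # True
    print(round_trip(b"wrong-secret") == SAMPLE_PASSWORD)  # False
```

Because MD5 of a guessable secret is cheap to compute, anyone who can read the packet and guess the secret recovers the password; that is why the secret should be long and random and why the RADIUS traffic between the two servers should itself be on a protected network path.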
SAML takes more effort, but tends to be worth it in the long run. It reduces the number of steps that each Privileged User has to take when authenticating to PAM. That's quite a saving if you have many users over time. It's a double win: not only do you speed up authentication, but you add great security.
There's always the inevitable exchange of certificates, tracing through the SAML Assertions and so on. Just about everything needs a valid certificate these days, so it's not as much of a chore as it was.
How the integration works
1. The Privileged User needs to be configured in the PAM Server with an Authentication method. This could be a chain of methods, but in this example we will assume they are defined as 'SAML', which gives the following choices:
- Username + AD Password + Web* PIN Grid
- Username + AD Password + Device PIN Grid
- Username + Local Password + Web* PIN Grid
- Username + Local Password + Device PIN Grid
- *Username + Web PIN Grid
- *Username + Device PIN Grid
(The last two marked '*' are demonstrated in the video.)
2. The Privileged User needs to log in to the Osirium PAM Server. There can be many PAM User Interface Servers for a PAM Server, or the PAM Server can serve the UI itself. The user will browse to a UI address.
3. The user enters their username; their Windows Integrated Authentication is available as part of the web request. The PAM Server knows they are a SAML user and redirects them to the ADFS Server, where they are automatically Windows-authenticated and presented with their Authlogics PIN Grid.
4. The user enters their code, derived from their pre-chosen pattern, through the PIN Grid. If successful, the Authlogics Server returns a SAML Assertion. Note that the user has not entered their password.
5. The user is redirected back to the PAM UI with the SAML Assertion. The Assertion is effectively a high quality identity verification that the PAM Server can consume and then present the user with the PAM Services available to them.
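Step 5 is where the PAM Server's own security work happens: before an Assertion counts as a "high quality identity verification" the service provider must check that it really came from the trusted ADFS instance, was issued for this PAM Server, answers a request PAM actually made, and is still inside its validity window. The block below is an added example written for this post, not Osirium's or Authlogics' code; it performs those checks on a constructed SAML Response. The entity IDs, request ID and user are hypothetical, and XML-Signature verification is assumed to have been done by a SAML library (such as python3-saml) before these checks run, which the function enforces by refusing to proceed without it. The ADFS multi-factor context class reference used in the sample is an assumption about what ADFS reports, not something stated in the post.

```python
"""Service-provider-side checks on a SAML Response (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # use defusedxml in production for untrusted XML

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical deployment values (not from the original post).
PAM_ENTITY_ID = "https://pam.example.test/saml/metadata"
ADFS_ENTITY_ID = "http://adfs.example.test/adfs/services/trust"
CLOCK_SKEW = timedelta(minutes=2)


class AssertionRejected(Exception):
    """Raised for any reason the PAM server must not trust the assertion."""


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC, e.g. 2024-01-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(response_xml: str, expected_request_id: str,
                      now: datetime, signature_verified: bool) -> dict:
    """Return the identity PAM may trust, or raise AssertionRejected."""
    if not signature_verified:
        raise AssertionRejected("XML signature not verified; nothing below is trustworthy")
    root = ET.fromstring(response_xml)
    # Ties the response to a request this SP issued; blocks unsolicited/replayed responses.
    if root.get("InResponseTo") != expected_request_id:
        raise AssertionRejected("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise AssertionRejected("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise AssertionRejected("no assertion in response")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != ADFS_ENTITY_ID:
        raise AssertionRejected(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("assertion carries no Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        raise AssertionRejected("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if PAM_ENTITY_ID not in audiences:
        raise AssertionRejected("assertion was issued for a different service provider")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("assertion has no subject")
    authn_ctx = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return {"user": name_id, "authn_context": authn_ctx}


# Constructed sample response; the request ID "_req123" is what PAM would have issued.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  InResponseTo="_req123" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:10:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://pam.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_NOW = datetime(2024, 1, 1, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "_req123", SAMPLE_NOW, signature_verified=True))
```

The checks are deliberately all-or-nothing: a response that fails any one of them is treated the same as no login at all, and the AuthnContextClassRef is returned so that PAM policy can confirm the user actually went through the PIN Grid step rather than some weaker method the IdP might also be configured to accept.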
It took Stuart less than an hour to integrate with Radius and around two hours for the SAML integration, and as he says, most of that was setting up the ADFS environment.
The PIN Grid is a useful idea, giving you two factors in one.
As always, if you'd like to know more, please get in touch.