CA PAM, F5 Load Balancer, SSO

Document ID : KB000098103
Last Modified Date : 26/05/2018
Issue:
We've tried a couple of load balancer configurations without luck:
1. Have the load balancer send traffic to the PAM servers. This works, however it breaks SSO logon I believe because the URL in the address bar/headers doesn't match what we send over to the SSO system. We were able to work around the issue by setting the FQDN in the SAML configuration to be the load balancer URL, however that breaks direct SSO logins to the boxes which are needed for admins.
2. The load balancer redirects to the PAM servers in round-robin fashion. This causes the URL in the address bar/headers to match during the SSO process and makes things behave, except in the PAM Client where you cannot connect and receive a message "Please make sure that you are connected to a CA Privileged Access Manager server."

We would like to go with the second option but need the PAM client to work.
Cause:
The load balancer redirected to the bare host URL https://<PAM server>. A browser works fine with that, but the PAM client requests more specific URLs so that the PAM server can tell it is the PAM client connecting, not a browser. A sample URL is "https://<Load Balancer FQDN>/client/structure.php?os=win". When the redirect drops the path and query string, the client never reaches that URL on the selected node and reports that it is not connected to a CA Privileged Access Manager server.
Resolution:
Configure the load balancer to redirect using the full URL, that is, the selected node plus the original request's path and query string. In the above example the redirect target is "https://<Selected PAM node>/client/structure.php?os=win".
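The following Python snippet is an added illustration of the redirect logic described above; it is not CA PAM or F5 code. It models a round-robin redirecting load balancer in both forms: the broken one that sends the client to the bare node host, and the corrected one that keeps the original path and query string. The node names and request URL are constructed sample values.

```python
"""Why a redirecting load balancer must preserve the full request URL.

Added example, not CA PAM or F5 code. PAM_NODES and the request URLs used
with it are constructed sample values.
"""
from itertools import cycle
from urllib.parse import urlsplit, urlunsplit

# Constructed sample pool of PAM nodes behind the load balancer (assumption).
PAM_NODES = ["pam1.example.com", "pam2.example.com"]


class RoundRobinRedirector:
    """Selects the next PAM node and builds the HTTP redirect target for it."""

    def __init__(self, nodes, preserve_path=True):
        self._nodes = cycle(nodes)
        self.preserve_path = preserve_path

    def redirect_target(self, request_url: str) -> str:
        node = next(self._nodes)
        parts = urlsplit(request_url)
        if self.preserve_path:
            # Corrected behaviour: swap only the host, keep path and query,
            # so /client/structure.php?os=win reaches the selected node.
            return urlunsplit(("https", node, parts.path, parts.query, ""))
        # Broken behaviour from the KB: redirect to the bare host. The
        # client-specific path is lost, so the PAM client cannot tell it
        # has reached a PAM server.
        return urlunsplit(("https", node, "/", "", ""))


def client_path_survives(request_url: str, target: str) -> bool:
    """Check that the path and query the PAM client sent are intact."""
    src, dst = urlsplit(request_url), urlsplit(target)
    return (src.path, src.query) == (dst.path, dst.query)


if __name__ == "__main__":
    # Constructed sample request as the PAM client would send it to the
    # load balancer FQDN.
    req = "https://pam-lb.example.com/client/structure.php?os=win"
    for label, lb in (("broken", RoundRobinRedirector(PAM_NODES, False)),
                      ("fixed", RoundRobinRedirector(PAM_NODES))):
        target = lb.redirect_target(req)
        print(f"{label}: {target} path_ok={client_path_survives(req, target)}")
```

On the load balancer itself the equivalent rule is to build the Location header from the chosen node plus the original request URI rather than from the node name alone; the check function above is what a quick test against the real redirect would verify.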