Updating the Federated Sign-in Module

Periodically, PAM updates its Federated Sign-in Module to support new authentication providers or to address new security protocols.

As these updates are infrequent, they are not included as part of the weekly PAM software updates.

The procedure outlined in this article should be used to update the Federated Sign-in Module when new versions are released.

As of September 2023, the latest version of the Federated Sign-in Module is 5.2.8.20230901.

As of March 2024, the latest version of the Federated Sign-in Module version 6.5 component is 6.5.5.1 20240229.

If you want to migrate from the version 5 to the version 6.5 component, please review our Migration to Federated Sign-in v6.5 guide.

Considerations

  • If possible, we would recommend you update a test environment first to become comfortable with the procedure and to test the results before updating production.
  • Any customizations that you may have made to Federated Sign-in Module will be lost during the upgrade process and will need to be manually remade after the update is complete.
  • Each PAM node where the Federated Sign-in Module is deployed will need to be updated using this procedure.

Step 1. Download and Extract Federated Sign-in Module

Download the latest supported Federated Sign-in Module for PAM to your PAM host server and extract this archive outside the $PAM_HOME directory.

If you have multiple nodes, you will need to perform this procedure on all node servers.

https://bin.xtontech.com/product/pam-cas.zip

Step 2. Stop the Pam Services

Once the service is stopped, this PAM node will become inaccessible until the update is completed.

  • For Windows deployments, stop the PamManagement service:
Copy 
net stop PamManagement
  • For Linux deployments, stop the pammanager service:
Copy 
service pammanager stop

Step 3. Updating the Federated Sign-in Module

 

Navigate to $PAM_HOME/web/webapps and move both the existing cas.war file and the /cas directory to a location outside of $PAM_HOME (do not simply rename them in place).

Once both have been moved to a location outside of $PAM_HOME, copy the new cas.war file downloaded and extracted from step 1 to this same location ($PAM_HOME/web/webapps).

Step 4. Start the Pam Services

  • For Windows deployments, start the PamManagement service:
Copy 
net start PamManagement
  • For Linux deployments, start the pammanager service:
Copy 
service pammanager start

 

During startup, PAM will automatically deploy the new Federated Sign-in Module.

This process may take several minutes to complete.

Step 5. Test and Verify

 

Once the service comes back online, you can now open the PAM login page and test authentication.

This should include all authentication methods configured in PAM, for example, local user authentication, AD authentication, SSO or MFA.

If no issues are found during testing, then the update process is complete. You may now remake any customizations that you had made previously.

You can check your Federated Sign-in Module version by logging into the PAM web console with a PAM Administrator account and navigating to the Management > About page.

Verify your version number using the value shown on the Authentication parameter.

Rollback

During testing, if you found issues with the new Federated Sign-in Module, you can rollback to your previously working version using this procedure.

If you do not need to rollback, please proceed to the next steps:

  1. Stop the PAM service as described earlier.
  2. Delete the new cas.war and /cas directory that were deployed to $PAM_HOME\web\webapps.
  3. Copy back your original cas.war and /cas directory to this location ($PAM_HOME\web\webapps).
  4. Start the PAM service as described earlier.

Step 6. Cleanup

After your testing is complete and the new Federated Sign-in Module is working as expected, you may choose to remove the following as part of the cleanup process:

  • Files downloaded in Step 1 and the extracted archive.
  • The backup copy of cas.war and the /cas directory.