How Do I Enable Third-Party IDP For My Account?

39337
Created On 04/08/20 15:59 PM - Last Modified 05/23/22 23:36 PM


Objective
Provide procedure to enable third-party IDP.

Environment
CSP

Procedure

CSP Domain Administrators may work with their Systems Engineer to have the Third-Party IDP feature activated in their account. Onboarding is performed in conjunction with Palo Alto Networks Single Sign-On Administrators.

How is the Domain Administrator role assigned, and what permissions does this role have?

For existing accounts, the DA role has been automatically assigned to all active users who have both the Super User role in the CSP and the Account Admin role in the hub.
  • When a new CSP account is created, the first user added to the account is automatically assigned the DA and Super User roles in the CSP and the Account Admin role in the hub.
  • Only a Domain Administrator can assign or remove the DA role from another user.
  • To receive the DA role, the user must already have the CSP Super User and hub Account Admin roles.
  • There must be at least one DA in each CSP account.
  • Attempting to revoke your DA privileges when you are the only DA on the account will result in a warning message that you must delegate the role to another Super User.

How Will Users Log In When Third-Party IDP Is Configured?

All non-DA CSP members who have a third-party IDP configured by their Domain Administrator will log in to their account using the credentials configured with their identity provider. They will no longer see the Palo Alto Networks Single Sign-On (SSO) page.

Note: The Domain Administrator will always log in through the Palo Alto Networks SSO login and will authenticate through email verification, Google Authenticator, or Okta Verify. This is a security measure to ensure that the User ID is still that of a designated DA.
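The role rules above (DA prerequisites, the last-DA protection) and the login routing (DAs always through Palo Alto Networks SSO with MFA, other members of an IDP-enabled domain through their identity provider) as a small policy-as-code model. This is an added example, not Palo Alto Networks code; the class and function names, and the sample users other than the `domainadminuser@gcsdemo.com` address already in this article, are assumptions.

```python
# Hypothetical model of the CSP role and login rules in this article (not Palo Alto Networks code; names are assumptions).
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    csp_super_user: bool = False
    hub_account_admin: bool = False
    domain_admin: bool = False

@dataclass
class CspAccount:
    users: dict = field(default_factory=dict)       # email -> User
    idp_domains: set = field(default_factory=set)   # domains with third-party IDP configured

    def add_user(self, user: User) -> User:
        # First user in a new account automatically gets DA, Super User and Account Admin.
        if not self.users:
            user.csp_super_user = user.hub_account_admin = user.domain_admin = True
        self.users[user.email] = user
        return user

    def domain_admins(self) -> list:
        return [u for u in self.users.values() if u.domain_admin]

    def assign_da(self, actor: str, target: str) -> None:
        # Only a DA may grant the role, and the target must already hold both prerequisite roles.
        if not self.users[actor].domain_admin:
            raise PermissionError("only a Domain Administrator can assign the DA role")
        t = self.users[target]
        if not (t.csp_super_user and t.hub_account_admin):
            raise ValueError("target needs CSP Super User and hub Account Admin roles first")
        t.domain_admin = True

    def revoke_da(self, actor: str, target: str) -> None:
        if not self.users[actor].domain_admin:
            raise PermissionError("only a Domain Administrator can remove the DA role")
        # At least one DA must remain; the sole DA must delegate before giving up the role.
        if len(self.domain_admins()) == 1 and self.users[target].domain_admin:
            raise ValueError("you are the only DA; delegate the role to another Super User first")
        self.users[target].domain_admin = False

    def login_path(self, email: str) -> str:
        # DAs always use Palo Alto Networks SSO (with MFA); other members of an IDP-enabled
        # domain are routed to their identity provider and bypass Palo Alto Networks MFA.
        u = self.users[email]
        domain = email.rsplit("@", 1)[1]
        if u.domain_admin or domain not in self.idp_domains:
            return "pan_sso_mfa"
        return "third_party_idp"
```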

Adding New Members to an Account Enabled for Third-Party IDP

Once a third-party IDP is configured for a particular domain, additional users are added using the Manage Users link under the Members tab. Attempts to use the Create New User option will result in the following message:

"Your domain is configured for third-party IDP. Please click the 'Add User to Account' button under 'Manage Users' to add a new member to your account."


Prior to setting up the third-party IDP, the Create New User option may be used.

Any new third-party IDP (3IDP) user in the CSP must fill in and save the profile info form (name, address, phone number) that displays upon first login. This pushes the user information into the appropriate systems and establishes their membership in the CSP. If this info is not saved, the data is not propagated to the various systems that use the SSO (Support Cases, Beacon, etc.), and the user will get a SAML or SSO error.

Note:
- It is easy to accidentally bypass this form by clicking another option on the left navigation bar, so make sure you fill in the form at the first CSP login.
- It can take up to 20 minutes for the new user data to propagate to all the necessary systems; trying to access Support Cases or Beacon, for example, before then causes various SAML and SSO errors.

The domain administrator 'domainadminuser@gcsdemo.com' will still be prompted to authenticate using Palo Alto Networks SSO.

Note:

  • The Create New User option should be used to add new members to your account only if they are still required to authenticate via Palo Alto Networks SSO (example: a Domain Administrator).

  • The Add Members option should be used to add users with email addresses already configured for their particular domain.

  • An account can have several members with different domains.

  • Super User approval checks for new members will still be enforced for self-registration.

  • Users who authenticate using a third-party IDP bypass Palo Alto Networks MFA authentication (they will no longer see the Security Settings under their My Profile page).

Additional Information
When the customer enables Third-Party IDP, it applies across the board to all users on the account; it cannot be removed for individual users.
