How Do I Enable Third-Party IDP For My Account?
This article describes the procedure for enabling a third-party IDP.
Note: This feature is currently available to customers by request through their Systems Engineer. Onboarding is performed in conjunction with Palo Alto Networks Single-Sign-On Administrators.
Enabling the Third-Party IDP (Identity Provider) option in the Customer Support Portal (CSP) allows account members to log in using their own corporate credentials. Since third-party IDP is set up at the domain level, members may belong to and log into multiple CSP accounts using their corporate SSO.
A user must have the Domain Administrator (DA) role in the CSP to be able to configure third-party IDP access for their account.
To enable a third-party IDP, open the Account Details page in the CSP and click View Single-Sign-On Settings for your domain, as shown below.
This workflow takes you to accounts.paloaltonetworks.com, where you can enter required fields (provided by your identity provider) in the form shown below to set up your SSO configuration.
For more information on RBAC, refer to the RBAC technical documentation.
How is the Domain Administrator role assigned and what permissions does this role have?
For existing accounts the DA role has been automatically assigned to all active users who have both the Super User role in the CSP and Account Admin role in the hub.
- When a new CSP account is created, the first user added to the account is automatically assigned the DA and Super User roles in the CSP and the Account Admin role in the hub.
- Only a Domain Administrator can assign or remove the DA role from another user.
- To receive the DA role, the user must already have the CSP Super User and hub Account Admin roles.
- There must be at least one DA in each CSP account.
- Attempting to revoke your DA privileges when you are the only DA on the account will result in a message warning that you must delegate the role to another Super User.
How will Users Log in When Third-Party IDP is Configured?
All non-DA CSP members whose domain has a third-party IDP configured by their Domain Administrator will log in to their account using the credentials configured with their identity provider. They will no longer receive the Palo Alto Networks Single-Sign-On (SSO) page.
The DA may set up third-party IDP for multiple domains so that those users also authenticate using their own corporate credentials. Any user whose domain is not enabled for third-party IDP will continue to receive the Palo Alto Networks SSO login.
Note: The Domain Administrator will always authenticate through the Palo Alto Networks SSO login. This is a security measure to ensure that the User ID is still that of a designated DA.
Any user upgraded to a DA role will also have to authenticate through the Palo Alto Networks SSO and will receive an account activation email from Palo Alto Networks.
Adding New Members to an Account Enabled for Third-Party IDP
Once a third-party IDP is configured for a particular domain, additional users will be added using the Manage Users link under the Members tab. Attempts to use the Create New User option will result in the following message.
"Your domain is configured for third-party IDP. Please click the 'Add Members' button under 'Manage Users' to add a new member to your account."
Prior to setting up the third-party IDP, the Create New User option may be used.
As an example, if the DA configured all users with the domain "@gcsdemo.com" to authenticate using OneLogin, all email addresses with the domain "gcsdemo.com" can be added directly from the Members page in the CSP.
The user email@example.com will now authenticate using the IDP set up for their domain, as shown below.
However, the Domain Administrator firstname.lastname@example.org will still be prompted to authenticate using Palo Alto Networks SSO.
The Create New User option should be used to add new members to your account only if they are still required to authenticate via Palo Alto Networks SSO (for example, a Domain Administrator).
The Add Members option should be used to add users whose email addresses belong to a domain already configured for third-party IDP.
An account can have several members with different domains.
Super User approval checks for new members will still be enforced for self-registration.
Users who authenticate using a third-party IDP will bypass Palo Alto Networks MFA authentication (they will no longer see Security Settings under their My Profile page).
When the customer enables third-party IDP, it applies across the board to all users on the account. It cannot be removed for individual users.
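The rules spread across this article (the Domain Administrator role conditions and the at-least-one-DA invariant, the login routing in "How will Users Log in When Third-Party IDP is Configured?", the Create New User versus Add Members behaviour, and the MFA consequence) fit together into one small access-control model. The following Python is an added example written for this page; it is not Palo Alto Networks code and does not talk to the CSP. The role names, the sample domain gcsdemo.com and the error message text come from the article; the class names, method names, the `login_path` return strings and the sample email addresses are assumptions made for illustration.

```python
"""Model of the CSP third-party IDP rules described in the article (added example).

Assumed names: User, Account, login_path, pan_mfa_enforced, rejected.
"""
from dataclasses import dataclass, field

PAN_SSO = "palo-alto-networks-sso"  # constructed label for the Palo Alto Networks SSO page

CREATE_USER_BLOCKED = (
    "Your domain is configured for third-party IDP. Please click the 'Add Members' "
    "button under 'Manage Users' to add a new member to your account."
)


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


@dataclass
class User:
    email: str
    csp_super_user: bool = False    # Super User role in the CSP
    hub_account_admin: bool = False  # Account Admin role in the hub
    domain_admin: bool = False       # Domain Administrator (DA) role

    @property
    def domain(self) -> str:
        return domain_of(self.email)


@dataclass
class Account:
    members: dict = field(default_factory=dict)    # email -> User
    idp_domains: set = field(default_factory=set)  # domains a DA enabled for third-party IDP

    def domain_admins(self) -> list:
        return [u for u in self.members.values() if u.domain_admin]

    def enable_idp(self, actor: User, domain: str) -> None:
        # Only a DA may configure third-party IDP; it is domain-wide, never per user.
        if not actor.domain_admin:
            raise PermissionError("only a Domain Administrator can configure third-party IDP")
        self.idp_domains.add(domain.lower())

    def add_member(self, email: str, option: str) -> User:
        """option is 'create_new_user' or 'add_members', mirroring the two CSP options."""
        dom = domain_of(email)
        if option == "create_new_user" and dom in self.idp_domains:
            raise PermissionError(CREATE_USER_BLOCKED)
        if option == "add_members" and dom not in self.idp_domains:
            raise PermissionError("Add Members is for domains already configured for third-party IDP")
        user = User(email)
        if not self.members:
            # First user on a new account: DA + Super User in the CSP, Account Admin in the hub.
            user.domain_admin = user.csp_super_user = user.hub_account_admin = True
        self.members[email] = user
        return user

    def assign_da(self, actor: User, target: User) -> None:
        if not actor.domain_admin:
            raise PermissionError("only a Domain Administrator can assign the DA role")
        if not (target.csp_super_user and target.hub_account_admin):
            raise PermissionError("target must already hold CSP Super User and hub Account Admin")
        target.domain_admin = True

    def revoke_da(self, actor: User, target: User) -> None:
        if not actor.domain_admin:
            raise PermissionError("only a Domain Administrator can remove the DA role")
        if target.domain_admin and len(self.domain_admins()) == 1:
            # At least one DA must remain on the account.
            raise PermissionError("you must delegate the DA role to another Super User first")
        target.domain_admin = False


def login_path(account: Account, user: User) -> str:
    """Where the user authenticates: a DA always gets Palo Alto Networks SSO;
    anyone else on an IDP-enabled domain goes to the corporate IDP."""
    if user.domain_admin:
        return PAN_SSO
    if user.domain in account.idp_domains:
        return f"third-party-idp:{user.domain}"
    return PAN_SSO


def pan_mfa_enforced(account: Account, user: User) -> bool:
    # Third-party IDP users bypass Palo Alto Networks MFA, so MFA for them lives at the IDP.
    return login_path(account, user) == PAN_SSO


def rejected(fn, *args) -> bool:
    """True if the action is refused by one of the rules above."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    acct = Account()
    alice = acct.add_member("alice@gcsdemo.com", "create_new_user")  # first user -> DA
    acct.enable_idp(alice, "gcsdemo.com")
    bob = acct.add_member("bob@gcsdemo.com", "add_members")
    print(login_path(acct, alice), login_path(acct, bob), pan_mfa_enforced(acct, bob))
```

Walking the scenario from the article: the first member becomes DA and keeps the Palo Alto Networks SSO page, members added for gcsdemo.com route to the IDP and fall outside Palo Alto Networks MFA, Create New User is refused for that domain with the article's message, and the only DA cannot revoke their own role until another qualified Super User has been promoted.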