Securing your SAML Deployments

Created On 06/23/20 18:12 PM - Last Updated 06/30/20 18:17 PM


Objective
If you are a Palo Alto Networks customer and do not use SAML on your NGFW, VM-Series, Panorama devices, or on Prisma Access, you are NOT IMPACTED by CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication.
 
  1. Check if you are using SAML
  2. If you are using SAML, apply mitigations if your SAML Identity Provider allows it 
  3. Consider immediately upgrading NGFW, Panorama and VM-Series firewalls to the latest maintenance versions of PAN-OS


Environment
  • NGFW, VM-Series
  • Panorama
  • GlobalProtect Portal/Gateway
  • Prisma Access
  • SAML


Procedure
Decision Tree for Securing your SAML deployments


 

For Panorama, NGFW, VM-Series Customers (including GlobalProtect)

Configuration: SAML is NOT configured (check your configuration)
Next Steps: No action required. Stop.

Configuration: SAML is configured
Next Steps, Solution - With Upgrade:
  Before you upgrade
    • Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate.
    • Ensure that your SAML IdP sends signed SAML Responses, Assertions or both.
  Upgrade immediately to PAN-OS 8.1.15, 9.0.9, 9.1.3 (as applicable), or later releases.
    • We recommend prioritizing GlobalProtect Gateways and Portals over upgrading other Firewalls/Panorama.
  After you upgrade
    • Invalidate previously issued GlobalProtect Auth Override Cookies.
    • Invalidate users who were previously authenticated through Captive Portal/Authentication Portal.

Next Steps, Solution - Without Upgrade:
  Your IdP must allow CA-issued certificates to apply these mitigations and reduce risk. Verify this first with your IdP administrator before proceeding.
    • Ensure that your SAML IdP sends signed SAML Responses, Assertions or both.
    • Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate.
    • Ensure that you have enabled Validate Identity Provider Certificate on PAN-OS/Panorama.
    • Invalidate previously issued GlobalProtect Auth Override Cookies.
    • Invalidate sessions of administrators who were previously authenticated through SAML Admin Authentication.
    • Invalidate users who were previously authenticated through Captive Portal/Authentication Portal.


For Prisma Access Customers

Configuration: SAML is NOT configured (check your configuration)
Next Steps: No action required. Stop.

Configuration: SAML is configured
Next Steps: Prisma Access upgrade completed on Jun 29, 2020 - 05:01 UTC
  After you upgrade:
    • For Prisma Access Panorama Managed: Invalidate previously issued GlobalProtect Auth Override Cookies.
    • For Prisma Access Cloud Managed: No action required. Stop.


Technical Details & How To

1. Check if SAML is configured
 
When using Panorama

Step 1
Check whether SAML authentication is enabled for Panorama administrator authentication. Navigate to Panorama > Server Profiles > SAML Identity Provider:
  • If you don’t see any profiles, then you haven’t configured SAML. Proceed to Step 2.
  • If you see profiles then you are using SAML. Immediate action is required to upgrade to the latest maintenance release, or apply suggested configuration to mitigate if an upgrade is not possible.

Step 2
Check whether SAML authentication is enabled for firewalls managed by Panorama. Navigate to Device > [template] > Server Profiles > SAML Identity Provider. Check each Template. 
  • If you don’t see any profiles, then you haven’t configured SAML. Immediate action is not required. Please plan to upgrade to the latest maintenance release of PAN-OS at the earliest convenience.
  • If you see profiles then you are using SAML. Immediate action is required to upgrade to the latest maintenance release, or apply suggested configuration to mitigate if an upgrade is not possible.  

When using NGFWs only (no Panorama)

On each firewall, check whether SAML authentication is enabled for firewalls. Navigate to Device > Server Profiles > SAML Identity Provider. 
  • If you don’t see any profiles, then you haven’t configured SAML. Immediate action is not required. Please plan to upgrade to the latest maintenance release of PAN-OS at the earliest convenience.
  • If you see profiles then you are using SAML. Immediate action is required to upgrade to the latest maintenance release, or apply suggested configuration to mitigate if an upgrade is not possible.
 

2. Solution without Upgrade
 
For Panorama, NGFW, VM-Series Customers (including GlobalProtect)

Before you proceed:
  • To apply this mitigation, you need the signing certificate used by your IdP to be a Certificate Authority (CA) issued certificate.
  • Many popular IdP providers issue a self-signed certificate by default but provide options to use a certificate issued by your CA. While some IdPs like Azure provide UI options to upload CA-issued certificates, others like Okta might need you to make API calls. We recommend that you first review the links provided in Step 3 with your IdP Administrator to determine the feasibility of this mitigation.
  • CA-issued certificates cannot be used if your IdP is Duo Access Proxy or Google Cloud Identity. Immediate action is required to upgrade to the latest maintenance release of PAN-OS.

Step 4 - Invalidate previously issued GlobalProtect Auth Override Cookies
  • If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the PAN-OS upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama or the firewall web interface, and commit the changes to the firewalls running the GlobalProtect Portals & Gateways.
  • Reboot the GlobalProtect Portals and Gateways to disconnect any existing sessions.

Step 5 - Invalidate sessions of administrators who were previously authenticated through SAML Admin Authentication

Please note: Restarting firewalls and Panorama eliminates any unauthorized sessions on the web interface. If you have restarted the firewall/Panorama, the following steps are not necessary.
  • If you are using SAML for Admin Authentication and have not restarted the firewall/Panorama, run the following commands:
    • To delete all admin sessions:
      delete admin-sessions
    • To find admins authenticated via the UI and delete those admin sessions:
      show admins
      delete admin-sessions username <admin-username>

Step 6 - Invalidate users who were previously authenticated through Captive Portal/Authentication Portal
  • If using Captive Portal or Authentication Portal, run the following commands:
      show user ip-user-mapping all type SSO
      clear user-cache-mp <above IP-addresses>
      clear user-cache <above IP-addresses>

Stop here if you have completed the implementation of the solution that does not include upgrading Panorama, NGFW, or VM-Series (including GlobalProtect).
 

3. Solution with Upgrade

For Panorama, NGFW, VM-Series Customers (including GlobalProtect)

Before you Upgrade:

Step 1 - Verify that your IdP is signing SAML responses and/or assertions

Step 2 - Check if SAML IdP Server Profiles are set up with the IdP Certificate


Upgrade PAN-OS:

We recommend prioritizing upgrading GlobalProtect Gateways and Portals over upgrading other Firewalls/Panorama.

Step 3 - Consult the Release Notes for the latest maintenance release of PAN-OS:

Follow instructions in the specific Release Notes to upgrade your NGFW, VM-Series, or Panorama appliances to the latest maintenance release.

After you upgrade PAN-OS:

Step 4 - Invalidate previously issued GlobalProtect Auth Override Cookies 

  • If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the PAN-OS upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama, then commit the changes to the firewalls running the GlobalProtect Portals & Gateways.
  • Reboot the GlobalProtect Portals and Gateways to disconnect any existing sessions.

Step 5 - Invalidate users who were previously authenticated through Captive Portal/Authentication Portal
  • If using Captive Portal or Authentication Portal, run the following commands:
      show user ip-user-mapping all type SSO
      clear user-cache-mp <above IP-addresses>
      clear user-cache <above IP-addresses>

Stop here if you have completed the implementation of the solution to upgrade Panorama, NGFW, or VM-Series (including GlobalProtect).

Prisma Access Customers using Panorama to manage Prisma Access Firewalls

Prisma Access upgrade completed on Jun 29, 2020 - 05:01 UTC


After the Prisma Access Upgrade:

Step 1 - Invalidate previously issued GlobalProtect Auth Override Cookies

If using GlobalProtect Authentication Override Cookies, the authentication override cookies issued prior to the Prisma Access upgrade may still be valid. To terminate those sessions and force the users to re-login, it is required to change the certificate used to encrypt and decrypt the Authentication Override cookie on the GlobalProtect portal and gateways using Panorama and commit and push the changes.

After you have made the previous changes, Prisma Access automatically logs out old GlobalProtect user sessions, and the GlobalProtect App on the endpoint will re-authenticate the user to establish a new connection.
 
Stop here if you have completed the implementation of the solution to upgrade Panorama, NGFW, or VM-Series (including GlobalProtect).

Referenced Documentation


Verify that your IdP is signing SAML responses and/or assertions
  • If you are using Microsoft ADFS, Microsoft Azure, Google Cloud Identity, OneLogin, PingFederate, or PingOne as your SAML IdP, proceed to the next step.
  • If you are using Okta or any other IdP, verify that your IdP is signing SAML responses and/or assertions. As a security best practice, you must configure your IdP to sign the SAML response, the SAML assertion, or both.
 

SAML IdP Provider: ADFS, Azure AD, Google, OneLogin, PingFederate, Ping One
Action: SAML Responses and/or Assertions are signed. Proceed to the next step.

SAML IdP Provider: Okta
Action: Proceed to the next step if you have used any of the below integrations on OIN (Okta Integration Network) to set up the SAML profile:
  • Palo Alto Networks - GlobalProtect
  • Palo Alto Networks - Admin UI
  • Palo Alto Networks - CaptivePortal
Action required if you have set up the SAML configuration in Okta using the App Integration Wizard: ensure that you are sending signed responses, signed assertions, or both.

SAML IdP Provider: Duo Access Gateway
Action: Proceed to the next step if you are using the Palo Alto Networks integration on Duo Access Gateway.
Action required if you have set up the SAML configuration using the Generic Service Provider integration on Duo Access Gateway: ensure that you are sending signed responses, signed assertions, or both.

SAML IdP Provider: Other IdPs
Action: Please verify that you have configured your IdP to sign SAML responses, assertions, or both.
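To check what this step asks for from the firewall side rather than the IdP's UI, the following added example (not part of this article or any Palo Alto Networks tool) decodes a SAMLResponse as posted to the ACS URL, reports whether the Response and/or the Assertion carries an XML signature, and computes the SHA-256 fingerprint of the embedded signing certificate so it can be compared with the Identity Provider Certificate configured on PAN-OS. The sample response and certificate bytes are constructed placeholders; the code checks that a signature is present, not that it verifies.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed samples: in the first the Assertion is signed but the Response is
# not, in the second nothing is signed. The certificate is a placeholder blob.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-idp-certificate-der").decode()
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()
UNSIGNED_SAML_RESPONSE = base64.b64encode(
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_r2"/>'.encode()).decode()


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, the form most IdP and firewall UIs display."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Report which elements carry a ds:Signature (direct child only) and the
    fingerprints of the certificates in KeyInfo. Validity is NOT verified."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    resp_sig = root.find("ds:Signature", NS)
    asrt_sig = None if assertion is None else assertion.find("ds:Signature", NS)
    prints = set()
    for sig in (resp_sig, asrt_sig):
        for cert in ([] if sig is None else sig.findall(".//ds:X509Certificate", NS)):
            prints.add(cert_fingerprint(cert.text or ""))
    return {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "response_signed": resp_sig is not None,
        "assertion_signed": asrt_sig is not None,
        # The article's requirement: response, assertion, or both must be signed.
        "signed_as_required": resp_sig is not None or asrt_sig is not None,
        "signing_cert_sha256": sorted(prints),
    }
```

Run it against a real SAMLResponse copied from the browser's POST to the firewall; a fingerprint that differs from the configured Identity Provider Certificate, or no signature at all, means the IdP side still needs work.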

Return to Solution without Upgrade
Return to Solution with Upgrade


Check if SAML IdP Server Profiles are set up with IDP certificate

Ensure that the IdP Certificate is configured across all SAML IdP profiles on the firewall and Panorama that are used to authenticate to GlobalProtect, Captive & Authentication Portals, and the administrative web interface.
  • Verify that you have selected the Identity Provider Certificate that your IdP uses to sign SAML messages.
  • If you do not have your Identity Provider (IdP) certificate available in the drop-down, you must add one. Use the instructions in Step 2 in this link.
Image of SAML IdP Server Profile

Check if “Validate Identity Provider Certificate” is enabled

Ensure that Validate Identity Provider Certificate is configured across all SAML IdP profiles on the firewall and Panorama that are used to authenticate to GlobalProtect, Captive & Authentication Portals, and the administrative web interface. If this is enabled, no further actions are needed.

To enable Validate Identity Provider Certificate, you will need the signing certificate used by your IdP to be issued by a Certificate Authority (CA). While popular IdPs issue a self-signed certificate by default, they generally allow you to use a certificate issued by your CA. Some IdPs like Azure provide UI options to upload CA-issued certificates, and others like Okta need you to make API calls to use your own certificate. Talk to your IdP administrator to ensure that the IdP is configured correctly to enable this. 

Here are a few helpful links to guide the conversation with your IdP administrator:
 

SAML IdP Provider: ADFS
Links: Additional Guidance

SAML IdP Provider: Azure AD
Links: Additional Guidance

SAML IdP Provider: Duo Access Gateway
Links: Customers should upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or later.

SAML IdP Provider: Google Cloud Identity
Links: Customers should upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or later.

SAML IdP Provider: Okta
Links: Additional Guidance

SAML IdP Provider: Ping One
Links: Additional Guidance

SAML IdP Provider: OneLogin
Links: Additional Guidance

SAML IdP Provider: Other IdPs
Links: none listed
 
Once a CA-issued certificate has been configured on your IdP,
you must re-register the IdP within PAN-OS and Panorama. To do this:
  1. Ask your IdP administrator for IdP metadata.
  2. Import the IdP metadata into PAN-OS and/or Panorama, ensure that the Validate Identity Provider Certificate checkbox is enabled, then click OK to save the SAML IdP server profile.
  3. Create a Certificate Profile using the same CA certificate that has issued the IdP’s certificate.
  4. Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile. 
  5. Commit the configuration to Panorama and/or the firewalls.
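As an added example that is not Palo Alto Networks tooling, the following script audits an exported PAN-OS or Panorama XML configuration for the checks in section 1 (are any SAML IdP server profiles present at all?) and in this section (does each profile select an Identity Provider Certificate and have Validate Identity Provider Certificate enabled?). The sample configuration is constructed, and the element names saml-idp, certificate and validate-idp-certificate are the author's understanding of the PAN-OS schema rather than something this article states; confirm them against your own export before relying on the result.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample with one hardened profile under shared and one weak profile
# in a vsys. Element names are an assumption about the PAN-OS schema.
SAMPLE_CONFIG = """<config>
  <shared><server-profile><saml-idp>
    <entry name="corp-idp-hardened">
      <certificate>corp-idp-ca-issued</certificate>
      <entity-id>https://idp.example.test/saml</entity-id>
      <validate-idp-certificate>yes</validate-idp-certificate>
    </entry>
  </saml-idp></server-profile></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <server-profile><saml-idp>
      <entry name="legacy-idp">
        <entity-id>https://legacy.example.test/saml</entity-id>
        <validate-idp-certificate>no</validate-idp-certificate>
      </entry>
    </saml-idp></server-profile>
  </entry></vsys></entry></devices>
</config>"""
NO_SAML_CONFIG = "<config><shared><server-profile/></shared></config>"


def audit_saml_profiles(config_xml: str) -> list:
    """One finding per SAML IdP profile, wherever it lives in the tree
    (shared, a vsys, or a Panorama template)."""
    findings = []
    for idp in ET.fromstring(config_xml).iter("saml-idp"):
        for entry in idp.findall("entry"):
            cert = (entry.findtext("certificate") or "").strip()
            validate = (entry.findtext("validate-idp-certificate") or "no").strip().lower()
            issues = []
            if not cert:
                issues.append("no Identity Provider Certificate selected")
            if validate != "yes":
                issues.append("Validate Identity Provider Certificate is not enabled")
            findings.append({"profile": entry.get("name"), "certificate": cert or None,
                             "validate_idp_certificate": validate == "yes", "issues": issues})
    return findings


def saml_in_use(config_xml: str) -> bool:
    """Section 1 of the article: any SAML IdP server profile means SAML is configured."""
    return bool(audit_saml_profiles(config_xml))


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in audit_saml_profiles(xml_text):
        print(f["profile"], "OK" if not f["issues"] else "; ".join(f["issues"]))
```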
Return to Solution without Upgrade
Return to Solution with Upgrade


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail