Identity Provider Configuration for SAML

Created On 06/23/20 18:31 PM - Last Updated 06/29/20 14:08 PM


Objective
  • Provide the steps for any additional action needed on the SAML IdP so that it sends signed SAML Responses or Assertions.
  • Provide the steps to configure a CA-issued certificate on your IdP so that you can enable the Validate Identity Provider Certificate checkbox on the firewall and Panorama.


Environment
SAML IDP

Procedure

Quick Summary:

Signed SAML Response: If the IdP you are using is ADFS, Azure AD, Google, OneLogin, PingFederate or PingOne, you do not need to take any action to send signed SAML responses or assertions. If you are using Okta or any other IdP, check whether you have configured your IdP to sign SAML responses or assertions. As a security best practice, you must configure your IdP to sign the SAML response, the SAML assertion, or both.

Enable Validate Identity Provider Certificate: To enable the Validate Identity Provider Certificate checkbox, your IdP's certificate must be issued by a Certificate Authority. Many popular identity providers generate self-signed IdP certificates by default, but ADFS, Azure AD, Okta, PingOne, and OneLogin provide a way to use CA-issued IdP certificates.
 

Per-IdP summary. For each IdP the two rows answer: (a) Is any action needed to send a signed SAML response/assertion? (b) Does the IdP provide an option to use a certificate issued by a Certificate Authority, so that the Validate Identity Provider Certificate checkbox can be enabled on the firewall?

ADFS
  (a) Signed response/assertion action needed: No
  (b) CA-issued IdP certificate option: Yes

Azure AD
  (a) Signed response/assertion action needed: No
  (b) CA-issued IdP certificate option: Yes

Duo
  (a) Signed response/assertion action needed: Yes, if you have changed the defaults.
  (b) CA-issued IdP certificate option: Duo Access Gateway has a single signing key for all SPs, so changing the certificate would affect more than just the configuration with the Palo Alto Networks device. Customers should upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or a later PAN-OS version.

Google Cloud Identity
  (a) Signed response/assertion action needed: No
  (b) CA-issued IdP certificate option: No. Customers should upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or a later PAN-OS version.

Okta
  (a) Signed response/assertion action needed: Yes, if you have changed the defaults.
  (b) CA-issued IdP certificate option: Yes

PingOne
  (a) Signed response/assertion action needed: No
  (b) CA-issued IdP certificate option: Yes

OneLogin
  (a) Signed response/assertion action needed: No
  (b) CA-issued IdP certificate option: Yes

Other IdPs
  (a) Signed response/assertion action needed: Verify that you have configured your IdP to sign SAML responses or assertions.
  (b) CA-issued IdP certificate option: Check with the IdP administrator whether a CA-issued certificate can be configured as the IdP certificate.
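As an added example that is not part of the Palo Alto Networks article, the following Python script inspects a captured SAML Response and reports whether the XML signature sits on the Response, on the Assertion, or on both, which is the property the IdP-specific verification steps below are checking. It only checks signature placement, not cryptographic validity (the firewall does that against the IdP certificate in its profile); the sample documents are constructed placeholders.

```python
"""Report where an IdP placed <ds:Signature> elements in a SAML Response.

Added example, not code from the article or from any IdP vendor. It checks
placement only; it does not verify the signatures themselves.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_placement(response_xml: str) -> dict:
    """Return which elements carry a direct child <ds:Signature>."""
    # Production code should parse untrusted XML with defusedxml.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response document")
    response_signed = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    # An EncryptedAssertion cannot be inspected here; it counts as unsigned.
    assertion_signed = (assertion is not None
                        and assertion.find("ds:Signature", NS) is not None)
    return {"response_signed": response_signed,
            "assertion_signed": assertion_signed}


def meets_requirement(response_xml: str) -> bool:
    """The article's rule: the response, the assertion, or both are signed."""
    p = signature_placement(response_xml)
    return p["response_signed"] or p["assertion_signed"]


# Constructed sample documents with placeholder (non-functional) signatures.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
       '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')


def build_response(sign_response: bool, sign_assertion: bool) -> str:
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
            + (SIG if sign_response else "")
            + '<saml:Assertion ID="_a1">' + (SIG if sign_assertion else "")
            + '<saml:Subject><saml:NameID>user@example.com</saml:NameID>'
            '</saml:Subject></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    for flags in [(True, True), (False, True), (False, False)]:
        doc = build_response(*flags)
        print(signature_placement(doc), meets_requirement(doc))
```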


ADFS 

Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS

Step 1 - Add a CA-Issued certificate as Token Signing Certificate on ADFS

Note: The IdP certificate (also called the token signing certificate) for ADFS is global; it is not per Service Provider. If the certificate is changed, all Relying Parties in ADFS must be updated to accept the new token signing certificate.

  1. Generate a certificate using your enterprise Certificate Authority. 
  2. Follow instructions from Microsoft to add the token signing Certificate: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/add-a-token-signing-certificate
 

Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS

Once a CA-issued certificate has been set up on your IdP, you must re-register the IdP within PAN-OS and Panorama. To do this:

  1. Ask your IdP administrator for IdP metadata.
  2. Import the IdP metadata into PAN-OS and/or Panorama and ensure that the Validate Identity Provider Certificate checkbox is enabled. Click OK.
  3. Create a Certificate Profile using the same CA certificate that has issued the IdP’s certificate.
  4. Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile. 
  5. Commit the configuration to Panorama and/or the firewall.

Azure AD 

Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS 

Step 1 - Add a CA-Issued certificate as IdP Certificate on Azure AD

  1. Generate a certificate using your enterprise Certificate Authority. 
  2. Follow the instructions from Azure AD to add a new CA-issued certificate: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on#create-a-new-certificate
  3. Delete the old certificate before you export the IdP metadata in the next step.

Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS

Once a CA-issued certificate has been set up on your IdP, you must re-register the IdP within PAN-OS and Panorama. To do this:

  1. Ask your IdP administrator for IdP metadata.
  2. Import the IdP metadata into PAN-OS and/or Panorama and ensure that the Validate Identity Provider Certificate checkbox is enabled. Click OK.
  3. Create a Certificate Profile using the same CA certificate that has issued the IdP’s certificate.
  4. Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile. 
  5. Commit the configuration to Panorama and/or the firewall.

Duo

Steps to send Signed Responses or Assertions from Duo

You can set up SAML Configuration in three ways:

  1. Application: Generic Service Provider, Protection Type: 2FA with SSO hosted by Duo (Single Sign-On)
    • No additional action is required to send signed SAML responses or assertions from Duo.
  2. Application: Palo Alto Networks, Protection Type: 2FA with SSO self-hosted (Duo Access Gateway)
    • No additional action is required to send signed SAML responses or assertions from Duo.
  3. Application: Generic Service Provider, Protection Type: 2FA with SSO self-hosted (Duo Access Gateway)
    • If you created the SAML configuration using this application, your SAML responses and assertions are signed by default. To verify that your SAML responses and/or assertions are signed:
      1. Click on the Generic Service Provider application you created.
      2. Ensure that either Sign response, Sign assertion, or both are selected, then click Save Configuration.

Okta

Steps to send Signed Responses or Assertions from Okta

You can set up SAML Configuration in two ways:

  Okta Integration Network (OIN) Integration:

  • If you have used any of the following integrations on OIN (Okta Integration Network), no additional action is required to send signed SAML responses or assertions from Okta:
    • Palo Alto Networks - GlobalProtect
    • Palo Alto Networks - Admin UI
    • Palo Alto Networks - CaptivePortal

  App Integration Wizard:

  • If you created the SAML configuration using the App Integration Wizard, your SAML responses are signed by default. To verify that your SAML responses are signed:
    1. Click on the New Application Integration you created, and select General > SAML Settings > Edit.
    2. Click Next, and on Configure SAML, select Show Advanced Settings.
    3. Verify that you have configured either Response or Assertion Signature to Signed. By default, both Response and Assertion Signature are set to Signed; they are only disabled if you have changed them manually.

Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS 

Step 1 - Add a CA-Issued certificate as IdP Certificate on Okta

Follow the instructions from Okta to configure a CA-issued certificate as the IdP certificate: https://developer.okta.com/docs/guides/sign-your-own-saml-csr/overview/

  1. To complete the Sign the CSR step in the Okta documentation, you must follow your enterprise process to sign the CSR. Here is a quick guide on how to achieve this using Microsoft Certificate Authority and OpenSSL:

 

Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS

Once a CA-issued certificate has been set up on your IdP, you must re-register the IdP within PAN-OS and Panorama. To do this:

  1. Ask your IdP administrator for IdP metadata.
  2. Import the IdP metadata into PAN-OS and/or Panorama and ensure that the Validate Identity Provider Certificate checkbox is enabled. Click OK.
  3. Create a Certificate Profile using the same CA certificate that has issued the IdP’s certificate.
  4. Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile. 
  5. Commit the configuration to Panorama and/or the firewall.

OneLogin

Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS 

Step 1 - Add an IdP Certificate with CA flag on OneLogin

Follow instructions from OneLogin to create a certificate with a CA flag in the Basic Constraints extension:

https://onelogin.service-now.com/support?id=kb_article&sys_id=732a9943db109700d5505eea4b96192e

  • Note: Step 7 of the linked article, enabling the CA flag, is mandatory.

Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS

Once a CA-issued certificate has been set up on your IdP, you must re-register the IdP within PAN-OS and Panorama. To do this:

  1. Ask your IdP administrator for IdP metadata.
  2. Import the IdP metadata into PAN-OS and/or Panorama and ensure that the Validate Identity Provider Certificate checkbox is enabled. Click OK.
  3. Create a Certificate Profile using the same CA certificate that has issued the IdP’s certificate.
  4. Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile. 
  5. Commit the configuration to Panorama and/or the firewall.

PingOne

Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS 

Step 1 - Add a CA-Issued certificate as IdP Certificate on PingOne

Follow the instructions from PingOne to configure a CA-issued certificate as the IdP certificate: https://docs.pingidentity.com/bundle/pingone/page/mfi1564020498415-1.html

Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS

Once a CA-issued certificate has been set up on your IdP, you must re-register the IdP within PAN-OS and Panorama. To do this:

  1. Ask your IdP administrator for IdP metadata.
  2. Import the IdP metadata into PAN-OS and/or Panorama and ensure that the Validate Identity Provider Certificate checkbox is enabled. Click OK.
  3. Create a Certificate Profile using the same CA certificate that has issued the IdP’s certificate.
  4. Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile.
  5. Commit the configuration to Panorama and/or the firewall.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail