Identity Provider Configuration for SAML
Objective
- Provide steps for any additional action needed on the SAML IdP so that it sends signed SAML Responses or Assertions.
- Provide steps to configure a CA-issued certificate on your IdP so that you can enable the Validate Identity Provider Certificate checkbox on the firewall and Panorama.
Environment
SAML IdP
Procedure
Quick Summary:
Signed SAML Response: If your IdP is ADFS, Azure AD, Google, OneLogin, PingFederate or PingOne, no action is needed; these IdPs sign SAML responses or assertions by default. If you use Okta or any other IdP, check that it is configured to sign SAML responses or assertions. As a security best practice, configure your IdP to sign the SAML response, the SAML assertion, or both; the signature is what lets the firewall reject a response or assertion that your IdP did not issue.
Enable Validate Identity Provider Certificate: To enable the Validate Identity Provider Certificate checkbox, the IdP's signing certificate must be issued by a Certificate Authority, because the firewall verifies it against a Certificate Profile that contains that CA. Many popular identity providers generate self-signed IdP certificates by default, but ADFS, Azure AD, Okta, PingOne and OneLogin provide a way to use a CA-issued IdP certificate.
| IdP | Action needed to send a signed SAML response/assertion? | Option to use a CA-issued certificate so that Validate Identity Provider Certificate can be enabled on the firewall? |
|---|---|---|
| ADFS | No | Yes (see ADFS section below) |
| Azure AD | No | Yes (see Azure AD section below) |
| Duo | No (see Duo section below) | Duo Access Gateway has a single signing key for all service providers, so changing its certificate would affect every application federated with it, not only the Palo Alto Networks device. Upgrade to PAN-OS 8.1.15, 9.0.9, 9.1.3 or a later PAN-OS version instead. |
| Google Cloud Identity | No | No |
| Okta | Verify (see Okta section below) | Yes (see Okta section below) |
| PingOne | No | Yes (see PingOne section below) |
| OneLogin | No | Yes, a certificate with the CA flag (see OneLogin section below) |
| Other IdPs | Verify that you have configured your IdP to sign SAML responses or assertions. | Check with the IdP administrator whether a CA-issued certificate can be configured as the IdP certificate. |
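Whatever the table says about your IdP, the authoritative answer is what the IdP actually sends. The following added example (not code from this article or from any of the IdP vendors) decodes a captured SAMLResponse form parameter, such as one copied from the browser's developer tools during a login, and reports whether the Response element, its Assertion(s), or neither carries a ds:Signature. The sample responses produced by build_sample() are constructed for this example; the issuer, destination and NameID values are placeholders.

```python
# Added example, not from the KB article: decode a captured SAMLResponse form parameter
# and report which element carries an XML Signature. Uses only the standard library.
# The sample responses built by build_sample() are constructed for this example.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RESPONSE = "{%s}Response" % NS["samlp"]
ASSERTION = "{%s}Assertion" % NS["saml"]
ENCRYPTED = "{%s}EncryptedAssertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]


def signature_coverage(saml_response_b64: str) -> dict:
    """Report where ds:Signature elements sit in a base64-encoded samlp:Response.

    Only a Signature that is a direct child of an element signs that element; a
    signature inside an Assertion says nothing about the enclosing Response.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != RESPONSE:
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    response_signed = any(child.tag == SIGNATURE for child in root)
    assertions = [c for c in root if c.tag == ASSERTION]
    encrypted = [c for c in root if c.tag == ENCRYPTED]
    signed_flags = [any(c.tag == SIGNATURE for c in a) for a in assertions]
    all_assertions_signed = bool(assertions) and all(signed_flags)
    return {
        "response_signed": response_signed,
        "assertion_count": len(assertions),
        "all_assertions_signed": all_assertions_signed,
        # Encrypted assertions cannot be inspected here; decrypt them before judging.
        "encrypted_assertion_count": len(encrypted),
        # The minimum this article asks for: sign the Response, every Assertion, or both.
        "acceptable": response_signed or all_assertions_signed,
    }


def _placeholder_signature(ref_id: str) -> str:
    # Stand-in for a real enveloped signature (SignedInfo/SignatureValue/KeyInfo).
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>' % ref_id)


def build_sample(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed SAMLResponse (base64) with the requested signature placement."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2020-06-29T12:00:00Z" Destination="https://vpn.example.com/SAML20/SP/ACS">'
        % (NS["samlp"], NS["saml"], NS["ds"])
        + "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        + (_placeholder_signature("_r1") if sign_response else "")
        + '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        + '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-29T12:00:00Z">'
        + "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        + (_placeholder_signature("_a1") if sign_assertion else "")
        + "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        + "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for resp, asn in ((True, False), (False, True), (True, True), (False, False)):
        print("response signed:", resp, "assertion signed:", asn,
              "->", signature_coverage(build_sample(resp, asn)))
```

This only checks where signatures are present; it does not verify them. Verifying the signature against the IdP certificate is the firewall's job, and with Validate Identity Provider Certificate enabled it additionally checks that the certificate chains to the CA in the Certificate Profile.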
ADFS
Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS
Step 1 - Add a CA-Issued certificate as Token Signing Certificate on ADFS
Note: The ADFS IdP certificate (the token-signing certificate) is global to the ADFS farm, not per service provider. If it changes, every relying party that federates with ADFS must be updated to accept the new token-signing certificate, not only the firewall. ADFS also accepts a manually added token-signing certificate only while automatic certificate rollover is disabled; the Microsoft article below covers this.
- Generate a certificate using your enterprise Certificate Authority.
- Follow Microsoft's instructions to add the token-signing certificate: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/add-a-token-signing-certificate
Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS
Once the CA-issued certificate is in place on your IdP, re-register the IdP in PAN-OS and Panorama:
- Ask your IdP administrator for the updated IdP metadata; it must reference the new CA-issued certificate.
- Import the IdP metadata into PAN-OS and/or Panorama (Device > Server Profiles > SAML Identity Provider > Import) and make sure the Validate Identity Provider Certificate checkbox is selected. Click OK.
- Create a Certificate Profile (Device > Certificate Management > Certificate Profile) containing the CA certificate that issued the IdP certificate.
- Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile.
- Commit the configuration to Panorama and/or the firewall.
Azure AD
Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS
Step 1 - Add a CA-Issued certificate as IdP Certificate on Azure AD
- Generate a certificate using your enterprise Certificate Authority.
- Follow instructions from Azure AD to add a new CA-issued certificate https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on#create-a-new-certificate.
- Delete the old certificate before you export the IdP metadata, so that the metadata you import in the next step references only the new CA-issued certificate.
Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS
Once the CA-issued certificate is in place on your IdP, re-register the IdP in PAN-OS and Panorama:
- Ask your IdP administrator for the updated IdP metadata; it must reference the new CA-issued certificate.
- Import the IdP metadata into PAN-OS and/or Panorama (Device > Server Profiles > SAML Identity Provider > Import) and make sure the Validate Identity Provider Certificate checkbox is selected. Click OK.
- Create a Certificate Profile (Device > Certificate Management > Certificate Profile) containing the CA certificate that issued the IdP certificate.
- Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile.
- Commit the configuration to Panorama and/or the firewall.
Duo
Steps to send Signed Responses or Assertions from Duo
You can set up the SAML configuration in three ways:
- Application: Generic Service Provider, Protection Type: 2FA with SSO hosted by Duo (Single Sign-On)
- No additional action is required to send signed SAML responses or assertions from Duo.
- Application: Palo Alto Networks, Protection Type: 2FA with SSO self-hosted (Duo Access Gateway)
- No additional action is required to send signed SAML responses or assertions from Duo.
- Application: Generic Service Provider, Protection Type: 2FA with SSO self-hosted (Duo Access Gateway)
- If you created the SAML configuration using this application, your SAML responses and assertions are signed by default. To verify that the responses and/or assertions are signed:
- Click on the Generic Service Provider application you created.
- Ensure that either Sign response, Sign assertion, or both are selected, then click Save Configuration.
Okta
Steps to send Signed Responses or Assertions from Okta
You can set up the SAML configuration in two ways:
Okta Integration Network (OIN) Integration:
- If you used any of the following OIN (Okta Integration Network) integrations, no additional action is required to send signed SAML responses or assertions from Okta.
- Palo Alto Networks - GlobalProtect
- Palo Alto Networks - Admin UI
- Palo Alto Networks - CaptivePortal
App Integration Wizard
- If you created the SAML configuration using the App Integration Wizard, your SAML responses are signed by default. To verify that your SAML responses are signed:
- Click on the application integration you created, and select General > SAML Settings > Edit.
- Click Next, and on Configure SAML, select Show Advanced Settings.
- Verify that you have configured either Response or Assertion Signature to Signed.
Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS
Step 1 - Add a CA-Issued certificate as IdP Certificate on Okta
Follow Okta's instructions to configure a CA-issued certificate as the IdP certificate: https://developer.okta.com/docs/guides/sign-your-own-saml-csr/overview/
- To complete the Sign the CSR step in the Okta documentation, follow your enterprise process for signing a CSR. Two common ways, using Microsoft Certificate Authority or OpenSSL:
- Using Microsoft Certificate Authority: Save the CSR obtained from the Generate a certificate signing request (CSR) step in the Okta documentation and submit it to your CA as described on the Microsoft TechNet site. Signing the CSR produces a certificate that you pass back to Okta in the Publish the CSR step.
- Using OpenSSL: Save the CSR obtained from the Generate a certificate signing request (CSR) step and sign it with the OpenSSL ca command, which produces the certificate that you pass back to Okta in the Publish the CSR step. The extensions section named in the OpenSSL config determines what the issued certificate carries; issue it as a leaf signing certificate (basicConstraints CA:FALSE, keyUsage digitalSignature), not as another CA. An example of the command is shown below; refer to the OpenSSL documentation for details.
- openssl ca -config <openssl config file> -in <CSR obtained above> -out <certificate.cer>
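The CSR-signing step above, and the reason the checkbox needs a CA-issued certificate at all, are easier to reason about with the two halves side by side: the enterprise CA issuing a certificate for the IdP's CSR, and the check a Certificate Profile then performs on it. The following is an added example using the Python `cryptography` package; it is not code from this article, Okta or Palo Alto Networks. The CA name, IdP hostname, key sizes and validity periods are assumptions of the example, and the "lookalike CA" case shows why the check must be on the CA's key, not merely its name.

```python
# Added example (cryptography package), not code from the KB article, Okta or Palo Alto Networks:
# act as the enterprise CA that signs an IdP CSR, then run the trust checks that the
# Certificate Profile behind "Validate Identity Provider Certificate" implies.
# All names and key sizes below are assumptions of this example.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _key_usage(sign_certs):
    # Leaf signing certs get digitalSignature only; the CA additionally gets keyCertSign/cRLSign.
    return x509.KeyUsage(
        digital_signature=True, key_cert_sign=sign_certs, crl_sign=sign_certs,
        content_commitment=False, key_encipherment=False, data_encipherment=False,
        key_agreement=False, encipher_only=False, decipher_only=False)


def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days)))


def make_ca(cn="Example Enterprise Issuing CA"):
    """Self-signed CA (CA:TRUE); this is the certificate that goes into the Certificate Profile."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(_key_usage(True), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_idp_csr(cn="idp.example.com"):
    """What the IdP hands you in its 'Generate a CSR' step; the private key never leaves the IdP."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(_name(cn)).sign(key, hashes.SHA256()))
    return key, csr


def make_self_signed_idp_cert(cn="idp.example.com"):
    """The default many IdPs ship: a self-signed leaf that no Certificate Profile can vouch for."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def sign_csr(csr, ca_key, ca_cert, days=365):
    """The 'Sign the CSR' step: issue a leaf signing certificate (CA:FALSE) for the CSR's key."""
    if not csr.is_signature_valid:  # proof of possession of the IdP's private key
        raise ValueError("CSR signature does not verify")
    return (_builder(csr.subject, ca_cert.subject, csr.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(_key_usage(False), critical=True)
            .sign(ca_key, hashes.SHA256()))


def is_self_signed(cert):
    return cert.issuer == cert.subject


def issued_by(cert, ca_cert):
    """The core of the checkbox: the IdP certificate names the profile's CA as its issuer
    AND that CA's key produced its signature. A matching issuer name alone proves nothing."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def demo():
    ca_key, ca_cert = make_ca()
    _, csr = make_idp_csr()
    idp_cert = sign_csr(csr, ca_key, ca_cert)
    _, default_cert = make_self_signed_idp_cert()
    _, lookalike_ca = make_ca()  # same subject name as ca_cert, different key
    return {
        "ca_issued_chains": issued_by(idp_cert, ca_cert),
        "ca_issued_is_self_signed": is_self_signed(idp_cert),
        "default_cert_chains": issued_by(default_cert, ca_cert),
        "lookalike_ca_accepted": issued_by(idp_cert, lookalike_ca),
    }


if __name__ == "__main__":
    print(demo())
```

The self-signed default certificate fails issued_by() at the issuer-name comparison, which is exactly why the checkbox cannot be enabled against such a certificate: there is no CA to put in the Certificate Profile. The lookalike CA fails at the signature check despite the identical name, which is the property that protects you if someone stands up a CA with your enterprise CA's subject.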
Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS
Once the CA-issued certificate is in place on your IdP, re-register the IdP in PAN-OS and Panorama:
- Ask your IdP administrator for the updated IdP metadata; it must reference the new CA-issued certificate.
- Import the IdP metadata into PAN-OS and/or Panorama (Device > Server Profiles > SAML Identity Provider > Import) and make sure the Validate Identity Provider Certificate checkbox is selected. Click OK.
- Create a Certificate Profile (Device > Certificate Management > Certificate Profile) containing the CA certificate that issued the IdP certificate.
- Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile.
- Commit the configuration to Panorama and/or the firewall.
OneLogin
Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS
Step 1 - Add an IdP Certificate with CA flag on OneLogin
Follow OneLogin's instructions to create a certificate with the CA flag set in its Basic Constraints extension:
https://onelogin.service-now.com/support?id=kb_article&sys_id=732a9943db109700d5505eea4b96192e
- Note: You must enable the CA flag in Step 7 of the article above; that step is mandatory. OneLogin does not obtain this certificate from an external CA; the CA flag is what makes the certificate acceptable as the CA certificate in the PAN-OS Certificate Profile in Step 2.
Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS
Once the CA-issued certificate is in place on your IdP, re-register the IdP in PAN-OS and Panorama:
- Ask your IdP administrator for the updated IdP metadata; it must reference the new CA-issued certificate.
- Import the IdP metadata into PAN-OS and/or Panorama (Device > Server Profiles > SAML Identity Provider > Import) and make sure the Validate Identity Provider Certificate checkbox is selected. Click OK.
- Create a Certificate Profile (Device > Certificate Management > Certificate Profile) containing the CA certificate that issued the IdP certificate.
- Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile.
- Commit the configuration to Panorama and/or the firewall.
PingOne
Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS
Step 1 - Add a CA-Issued certificate as IdP Certificate on PingOne
Follow PingOne's instructions to configure a CA-issued certificate as the IdP certificate: https://docs.pingidentity.com/bundle/pingone/page/mfi1564020498415-1.html
Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS
Once the CA-issued certificate is in place on your IdP, re-register the IdP in PAN-OS and Panorama:
- Ask your IdP administrator for the updated IdP metadata; it must reference the new CA-issued certificate.
- Import the IdP metadata into PAN-OS and/or Panorama (Device > Server Profiles > SAML Identity Provider > Import) and make sure the Validate Identity Provider Certificate checkbox is selected. Click OK.
- Create a Certificate Profile (Device > Certificate Management > Certificate Profile) containing the CA certificate that issued the IdP certificate.
- Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile.
- Commit the configuration to Panorama and/or the firewall.