How to configure Authentication policies when using Captive Portal with SAML authentication on a Palo Alto Networks firewall.
Created On 07/02/20 06:58 AM - Last Modified 08/01/20 02:23 AM
Objective
This article explains an additional caveat when configuring Authentication Policies.
For the fundamental SAML configuration, see the corresponding section in the PAN-OS Administrator's Guide.
Environment
- Captive Portal is configured with SAML Authentication.
- Traffic to the IdP (the SAML exchange) passes through the firewall.
Procedure
- Configure an Authentication policy for SAML Authentication by following the steps in the documentation "Configure SAML Authentication".
- An example configuration is described below.
- In the screenshot, "CP-Auth-Rule" is configured.
- However, if only "CP-Auth-Rule" is configured without the "Exclude-Auth-rule", the request to the IdP also matches "CP-Auth-Rule" and never reaches the IdP.
- To avoid this situation, configure another Authentication Policy that excludes traffic from the Service Provider (the Captive Portal in this scenario) to the IdP from matching the Captive Portal rule.
- This is "Exclude-Auth-rule" in the screenshot.
- Set "default-no-captive-portal" as the Authentication Enforcement, and apply a "Custom URL Category" that includes the URL of the IdP.
- Then place it above "CP-Auth-Rule".
- Requests to the IdP are then excluded from Captive Portal processing by "Exclude-Auth-rule".
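The following added example (not PAN-OS code or part of the original article) models the top-down, first-match evaluation of the Authentication policy rulebase so the caveat above can be checked: with only "CP-Auth-Rule", the browser's request to the IdP is itself captured and redirected, so the SAML exchange never completes; with "Exclude-Auth-rule" placed above it, only the IdP request is released. The IdP hostname `idp.example.com`, the custom URL category name `IdP-URLs` and the enforcement object name `CP-SAML-Profile` are assumed placeholders.

```python
"""Constructed model of PAN-OS style Authentication policy evaluation (top-down,
first match wins). Rule names follow the KB article; hosts, category and profile
names are assumed placeholders, not values from a real firewall."""
from dataclasses import dataclass
from typing import Optional

IDP_HOST = "idp.example.com"      # assumed placeholder for the IdP URL's host
IDP_CATEGORY = "IdP-URLs"         # assumed custom URL category holding the IdP URL
NO_CP = "default-no-captive-portal"

# Constructed custom URL category table: category name -> hosts it contains.
URL_CATEGORIES = {IDP_CATEGORY: {IDP_HOST}}


@dataclass(frozen=True)
class AuthRule:
    name: str
    enforcement: str                    # Authentication Enforcement object
    url_category: Optional[str] = None  # None means "any" (matches every host)


def rule_matches(rule: AuthRule, host: str) -> bool:
    """A rule matches when it has no URL category, or the host is in its category."""
    if rule.url_category is None:
        return True
    return host in URL_CATEGORIES.get(rule.url_category, set())


def evaluate(rulebase: list, host: str):
    """Return (rule name, enforcement) of the first rule that matches, top-down."""
    for rule in rulebase:
        if rule_matches(rule, host):
            return rule.name, rule.enforcement
    return None, "no-match"


def idp_reachable(rulebase: list) -> bool:
    """True when the request to the IdP is released from Captive Portal processing
    (i.e. it hits default-no-captive-portal), which is what the SAML exchange needs."""
    _, enforcement = evaluate(rulebase, IDP_HOST)
    return enforcement == NO_CP


CP_AUTH_RULE = AuthRule("CP-Auth-Rule", enforcement="CP-SAML-Profile")
EXCLUDE_AUTH_RULE = AuthRule("Exclude-Auth-rule", enforcement=NO_CP,
                             url_category=IDP_CATEGORY)

# Rulebase variants from the article: only the CP rule, the exclude rule in the
# correct (upper) position, and the exclude rule wrongly placed below the CP rule.
CP_ONLY = [CP_AUTH_RULE]
EXCLUDE_ABOVE = [EXCLUDE_AUTH_RULE, CP_AUTH_RULE]
EXCLUDE_BELOW = [CP_AUTH_RULE, EXCLUDE_AUTH_RULE]

if __name__ == "__main__":
    for label, rb in (("CP only", CP_ONLY), ("Exclude above", EXCLUDE_ABOVE),
                      ("Exclude below", EXCLUDE_BELOW)):
        print(f"{label:14} user site -> {evaluate(rb, 'www.example.org')}")
        print(f"{label:14} IdP request -> {evaluate(rb, IDP_HOST)}"
              f"  reachable={idp_reachable(rb)}")
```

The model deliberately keys only on the URL category, because that is the single attribute the article uses to separate the IdP request from ordinary user traffic; the ordering result is what matters: the exclusion only takes effect when it sits above the catch-all Captive Portal rule.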