How to authenticate administrators to different vsys via SAML2.0
Objective
- This article will cover the configuration to allow each administrator access to certain vsys when authentication is based on SAML2.0. This is based on the admin role and access domain features.
- The feature works slightly differently on a multi-vsys NGFW than on Panorama (see additional notes).
Environment
- Multi-vsys Firewalls
- Supported PAN-OS
- SAML2.0
Procedure
OKTA CONFIGURATION
1. Configure PAN Admin UI Application
Applications > Browse App Catalog > Search for Palo Alto Networks - Admin UI.
Enter the exact URL used to access the device, whether it is an FQDN or an IP address.
2. Export metadata
Applications > Palo Alto Networks - Admin UI for FW > Sign On tab, export the metadata file.
For instance, copy the link, paste it into any web browser and download the file.
3. Add the custom attributes to the application profile
Directory > Profile Editor > Edit the profile assigned to the PAN Admin UI Application.
In the profile, create custom attributes with the following variable names:
- adminrole
- accessdomain
4. Assign users to the Application
Applications > The one just created > Assignments > Click Assign button and search for users.
When assigning a user to the Application, you are prompted for the Admin Role and Access Domain values:
For this example, assignments will be:
Username / Admin Role / Access Domain
user11 / vsys-admin-role / ad-for-vsys1
user12 / vsys-admin-role / ad-for-vsys2-3
user15 / vsys-admin-role / ad-for-all-vsys
NGFW CONFIGURATION
1. Configure Access Domains
Device > Access Domains > Click Add
Assign one or more vsys to each access domain as required.
2. Configure Admin Role
Device > Admin Roles > Click Add
The type of Admin Role must be Virtual System.
3. Create a new SAML profile importing metadata file from IdP
Device > Server Profiles > SAML Identity Provider > Click Import and browse to the metadata file previously downloaded.
Note: Validate Identity Provider Certificate is left unchecked in this example; this does not mean it should be disabled.
4. Create a new Authentication Profile selecting the SAML profile
Device > Authentication Profile > Click Add and select type SAML. Set the profile's Location to Shared. It is very important to enter the Admin Role Attribute and Access Domain Attribute with exactly the same spelling used for the custom attributes in Okta (adminrole and accessdomain).
5. Assign the authentication profile to the management service
Device > Setup > Management tab > Click to edit Authentication Settings and add the new profile and then commit.
Once the configuration changes are committed, a Use Single Sign-On option appears on the NGFW admin UI login page, just below the Log In button.
OUTCOME
When a user logs on, they can only view the configuration of the vsys assigned to their access domain. See additional notes for Admin Role customization.
Additional Information
For verification purposes, authentication can be checked in the System logs from the UI: Monitor > Logs > System
Checking from the CLI is also useful if any issue is present:
> less mp-log authd.log
2024-10-23 01:26:02.579 -0700 debug: pan_auth_send_saml_resp(pan_auth_server.c:1164): Succeed to cache role/adomain vsys-admin-role/ad-for-all-vsys for user user15@example.local
2024-10-23 01:26:02.579 -0700 SAML SSO authenticated for user 'user15@example.local'. auth profile 'saml-auth-profile', vsys 'shared', server profile 'okta-admins-saml-profile', IdP entityID 'http://www.okta.com/XXXXXXXXXXXXXXXXXXXX', admin role 'vsys-admin-role', access domain 'ad-for-all-vsys'
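As an added example (not part of the original article or of PAN-OS), the following Python script parses the "SAML SSO authenticated" lines of authd.log shown above and compares the admin role and access domain the firewall actually cached against the assignments made in Okta. The sample log lines are constructed from the format above, and the third line deliberately carries the wrong access domain for user11 so that the check reports it.

```python
import re

# Constructed sample lines, modelled on the authd.log output shown above.
# The user11 line intentionally carries ad-for-vsys2-3 instead of ad-for-vsys1.
SAMPLE_LOG = """\
2024-10-23 01:26:02.579 -0700 debug: pan_auth_send_saml_resp(pan_auth_server.c:1164): Succeed to cache role/adomain vsys-admin-role/ad-for-all-vsys for user user15@example.local
2024-10-23 01:26:02.579 -0700 SAML SSO authenticated for user 'user15@example.local'. auth profile 'saml-auth-profile', vsys 'shared', server profile 'okta-admins-saml-profile', IdP entityID 'http://www.okta.com/XXXXXXXXXXXXXXXXXXXX', admin role 'vsys-admin-role', access domain 'ad-for-all-vsys'
2024-10-23 01:30:11.002 -0700 SAML SSO authenticated for user 'user11@example.local'. auth profile 'saml-auth-profile', vsys 'shared', server profile 'okta-admins-saml-profile', IdP entityID 'http://www.okta.com/XXXXXXXXXXXXXXXXXXXX', admin role 'vsys-admin-role', access domain 'ad-for-vsys2-3'
"""

# Expected (admin role, access domain) per user, taken from the Okta assignment table above.
EXPECTED = {
    "user11": ("vsys-admin-role", "ad-for-vsys1"),
    "user12": ("vsys-admin-role", "ad-for-vsys2-3"),
    "user15": ("vsys-admin-role", "ad-for-all-vsys"),
}

# Matches the success line and captures user, admin role and access domain.
AUTH_RE = re.compile(
    r"SAML SSO authenticated for user '(?P<user>[^']+)'\."
    r".*admin role '(?P<role>[^']*)', access domain '(?P<adomain>[^']*)'"
)

def parse_saml_logins(text):
    """Return (user, admin_role, access_domain) for every SAML SSO success line."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("role"), m.group("adomain")))
    return out

def find_mismatches(logins, expected):
    """Compare the logged role/access domain with the expected per-user assignment.
    The part of the username before '@' is the lookup key; a user absent from
    `expected` is reported with expected=None. Returns (user, expected, actual)."""
    mismatches = []
    for user, role, adomain in logins:
        exp = expected.get(user.split("@", 1)[0])
        if exp != (role, adomain):
            mismatches.append((user, exp, (role, adomain)))
    return mismatches

if __name__ == "__main__":
    for m in find_mismatches(parse_saml_logins(SAMPLE_LOG), EXPECTED):
        print("MISMATCH user=%s expected=%s actual=%s" % m)
```

On a real device, feed it the output of `less mp-log authd.log` (or the exported System log) instead of SAMPLE_LOG.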
Additional references: