How to design and manage a high number of SAML Custom Applications on GlobalProtect?
Created On 06/13/23 21:38 PM - Last Modified 06/16/23 19:58 PM
Objective
- The Okta IdP provider has a maximum limit on requestable SSO URLs for a SAML application; that is, it supports only up to 100 custom applications.
- Some customer environments have more than 100 SSO URLs as a mix of Portals, Gateways and Firewall/Panorama management logins; this Okta limitation prevents the customer from having a good design for their environment.
Environment
- PAN-OS Firewall 10.1 and higher
- Cloud Authentication Service (CAS) SAML authentication
- Okta IdP provider
- On-prem GlobalProtect Portals and gateways
- Panorama managed Prisma Access
Procedure
- To design this kind of environment, consider using the Cloud Identity Engine (CIE).
- With CIE in the design, the network administrator can create a Gallery Application on the Okta side and integrate it with CIE.
- CIE acts as a bridge between the users who access the portals, gateways or Firewall/Panorama management login on one side and the Okta IdP on the other side.
- As a result, the Okta side does not run out of applications, and user authentication is simplified.
- The detailed procedure for configuring the Gallery Application is listed at this link.
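As an added illustration (not part of this article or of the vendors' own tooling), the Python below models the per-application allow-list of requestable SSO URLs that the Okta limit in the Objective applies to, and sizes that list for an estate of portals, gateways and management interfaces. It assumes the PAN-OS SAML SP convention of `https://<fqdn>:443/SAML20/SP/ACS` for the ACS URL; the FQDNs and the AuthnRequest are constructed sample data.

```python
# Added example, not from the article: models the per-application allow-list of
# "requestable SSO URLs" (assertion consumer service URLs) an IdP such as Okta
# enforces, and sizes it for a GlobalProtect estate against the 100-URL limit.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
OKTA_MAX_REQUESTABLE_SSO_URLS = 100  # limit quoted in the article

def panos_acs_url(fqdn: str) -> str:
    """PAN-OS SAML SP ACS URL convention for a portal, gateway or management FQDN."""
    return f"https://{fqdn.lower()}:443/SAML20/SP/ACS"

def build_allow_list(fqdns) -> list:
    """Distinct ACS URLs the IdP must whitelist; a portal and gateway on one FQDN count once."""
    return sorted({panos_acs_url(f) for f in fqdns})

def fits_one_okta_app(allow_list) -> bool:
    """True when every endpoint fits a single Okta SAML application's URL allow-list."""
    return len(allow_list) <= OKTA_MAX_REQUESTABLE_SSO_URLS

def requested_acs_url(authn_request_xml: str) -> str:
    """Extract AssertionConsumerServiceURL from a SAML 2.0 AuthnRequest (SP -> IdP)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        raise ValueError("AuthnRequest carries no AssertionConsumerServiceURL")
    return acs

def is_requestable(acs_url: str, allow_list) -> bool:
    """Exact match on scheme, host, port and path, so a lookalike host or port is refused."""
    want = urlsplit(acs_url)
    return any(urlsplit(a) == want for a in allow_list)

# Constructed sample estate (not real hosts): 2 portals, 110 gateways, 3 management FQDNs.
SAMPLE_FQDNS = ([f"gp-portal-{i}.example.test" for i in (1, 2)]
                + [f"gp-gw-{i:03d}.example.test" for i in range(1, 111)]
                + [f"fw-mgmt-{i}.example.test" for i in (1, 2, 3)])
# Constructed AuthnRequest as a gateway would issue it, reduced to the attributes checked here.
SAMPLE_AUTHN_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_c0ffee" Version="2.0"'
                        ' IssueInstant="2023-06-13T21:38:00Z" AssertionConsumerServiceURL='
                        '"https://gp-gw-007.example.test:443/SAML20/SP/ACS"/>')

if __name__ == "__main__":
    urls = build_allow_list(SAMPLE_FQDNS)
    print(len(urls), "distinct ACS URLs; fits one Okta app:", fits_one_okta_app(urls))
    print("request accepted:", is_requestable(requested_acs_url(SAMPLE_AUTHN_REQUEST), urls))
```

With 115 distinct ACS URLs the sample estate already exceeds a single application's allow-list, which is the situation the CIE bridge above is meant to resolve.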
Additional Information
The Okta IdP provider has a workaround for this issue, shown at this link, so it is better to discuss this limitation with the IdP provider.