How to configure Microsoft Entra ID (Formerly Azure Active Directory (Azure AD)) as IDP for PANW Apps/CSP
Objective
A customer wants to convert sign-in to support.paloaltonetworks.com to Microsoft Entra ID (formerly Azure Active Directory (Azure AD)) based SSO.
Environment
Customer Support Portal (CSP)
Procedure
Refer to the link below for the prerequisites and the PANW SSO configuration.
- Follow the steps in the KB article below to obtain the PANW Service Provider (SP) information. If you do not yet have the IdP information, you can enter dummy URLs and a dummy certificate to obtain the SP information.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZ8mCAE
- Once the IdP configuration in Azure is complete (detailed steps below), return to the PANW portal and edit the IdP information to complete the SSO handshake.
Follow these steps to enable Microsoft Entra ID SSO in the Azure portal.
- In the Azure portal, go to Enterprise applications, click Create new application and select Non-gallery application. In the application's Manage section, select Single sign-on.
- On the Select a single sign-on method page, select SAML.
- On the Set up single sign-on with SAML page, click the pencil icon next to Basic SAML Configuration to edit the settings.
- In the Basic SAML Configuration section, perform the following steps:
- Copy the Entity ID URL and the Identity SSO URL from the Palo Alto Networks service provider information:
- In the Identifier (Entity URL) text box, paste the Entity ID URL from the PANW portal
- In the Reply URL text box, paste the Identity SSO URL from the PANW portal
- On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to save the certificate to your computer.
- Attribute Mapping
- Select the edit icon beside the "User attributes and claims" section to display and manage the required and additional claims.
- Unique User Identifier (NameID)
- Value: configure the user's email address to be sent as the Name Identifier
- Format: set the Name ID format to "Unspecified"
- Additional Claims
- firstName: First Name of the user
- lastName: Last Name of the user
- In the Set up PANW SSO section, copy the Microsoft Entra ID Identifier and the Login URL.
- Log in to the PANW SSO portal to complete the SSO setup.
- Paste the Microsoft Entra ID Identifier into the Identity Provider ID text box
- Paste the Login URL into the Identity Provider SSO Service URL text box
- Paste the Login URL into the Identity Provider Destination URL text box
- Upload or paste the downloaded Microsoft Entra ID Base64 certificate.
- Save the configuration and enable the Identity Provider
Verify SSO login
Once you enable the Identity Provider, all users (except domain administrators) are forced to log in via SSO. You can verify the end-to-end setup by following the steps below:
Open a new incognito browser window and access the support portal URL.
- Provide an email address on the sign-in page (not a domain administrator email address)
- You will be redirected to your IdP login page for authentication
- After authentication, you should be taken to the Customer Support Portal home page.
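If the redirect succeeds but the portal rejects the login, the quickest check is whether the SAML response Entra ID sends (captured from the browser's developer tools) actually carries what the steps above configure: Issuer equal to the Microsoft Entra ID Identifier, Destination equal to the PANW Reply URL, an email address as NameID in Unspecified format, the PANW Entity ID as Audience, and the firstName and lastName claims. The Python below is an added example, not PANW or Microsoft code; the tenant ID, portal URLs and sample response are constructed placeholders, and signature verification (done by the PANW portal with the uploaded certificate) is not repeated here.

```python
import re
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production code

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Constructed placeholder values standing in for the settings copied between the two portals.
ENTRA_IDENTIFIER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
PANW_REPLY_URL = "https://sp.example.invalid/saml/acs"       # Identity SSO URL (Reply URL)
PANW_ENTITY_ID = "https://sp.example.invalid/saml/metadata"  # Entity ID URL (Identifier)
# Constructed sample response with the signature omitted; capture a real one from the browser.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{PANW_REPLY_URL}">
  <saml:Issuer>{ENTRA_IDENTIFIER}</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{UNSPECIFIED}">jane.doe@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{PANW_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, issuer, reply_url, entity_id):
    """Return a list of mismatches against the expected setup; an empty list means it matches."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("saml:Issuer", default="", namespaces=NS) != issuer:
        findings.append("Issuer does not match the Microsoft Entra ID Identifier")
    if root.get("Destination") != reply_url:
        findings.append("Destination does not match the PANW Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element in the response"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != UNSPECIFIED:
        findings.append("NameID missing or Format is not 'unspecified'")
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text or ""):
        findings.append("NameID value is not an email address")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append("Audience does not include the PANW Entity ID")
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("firstName", "lastName"):  # the two additional claims the portal expects
        if not claims.get(required):
            findings.append(f"required claim '{required}' is missing or empty")
    return findings
```

Run `check_saml_response(SAMPLE_RESPONSE, ENTRA_IDENTIFIER, PANW_REPLY_URL, PANW_ENTITY_ID)` on the captured response with your own values substituted; each finding names the portal field whose value disagrees.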
Additional Information
If Entra ID has been enabled but a user cannot authenticate to PANW portals and receives an error code starting with AADSTS, refer to the Entra ID error code reference below for how to resolve it:
https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes