How to setup Azure SAML authentication for admin UI

Created On 10/14/22 21:08 PM - Last Modified 04/04/24 01:30 AM


Objective


Step-by-step instructions on how to set up Azure SAML authentication for the firewall and Panorama Admin UI.

Environment


  • Palo Alto Firewalls and Panorama
  • Supported PAN-OS version
  • Admin UI authentication using Azure SAML


Procedure


Steps to be performed on the Azure portal:
  1. Log in to the Azure portal and navigate to Enterprise applications under All services.
  2. Select New application, search for "Palo Alto", and select Palo Alto Networks - Admin UI.
  3. Click Create to add the application. This takes a few seconds.
  4. After the app has been added, click Single sign-on.
  5. Select the SAML option.
  6. Edit the Basic SAML Configuration by clicking the edit (pencil) button.
  7. Fill out Sign-on URL, Identifier (Entity ID), and Reply URL (Assertion Consumer Service URL) as follows, using the FQDN or IP address that administrators actually type into the browser to reach the management interface (the FQDN that matches the management interface certificate is preferred). The values must match the firewall's own SP entity ID and ACS URL exactly, including scheme, host, port and path; otherwise Azure rejects the sign-in with an identifier or reply URL mismatch error.
  • Sign-on URL:
    • https://FQDN
    • https://IP-address
  • Identifier (Entity ID):
    • https://FQDN:443/SAML20/SP
    • https://IP-address:443/SAML20/SP
  • Reply URL (Assertion Consumer Service URL):
    • https://FQDN:443/SAML20/SP/ACS
    • https://IP-address:443/SAML20/SP/ACS
For example, for a firewall reached at 10.73.32.145:
  Identifier (Entity ID): https://10.73.32.145:443/SAML20/SP
  Reply URL (Assertion Consumer Service URL): https://10.73.32.145:443/SAML20/SP/ACS
  Sign on URL: https://10.73.32.145
  8. Download the Federation Metadata XML and save it on your computer. This file will be imported into the firewall.
This concludes the configuration on Azure. Log in to the firewall and add the SAML identity provider.

Steps to be done on the NGFW/Panorama (SAML configuration steps):
  1. Log in to the firewall and navigate to Device > Server Profiles > SAML Identity Provider > Import.
  2. Import the Federation Metadata XML downloaded from Azure in step 8 and click OK to complete the import.
  • Leave Validate Identity Provider Certificate checked. With it checked, the Azure signing certificate (the one embedded in the metadata) must also be uploaded to the firewall as a trusted certificate. Unchecking it removes the firewall's check on the IdP signing certificate and is not recommended: an unvalidated IdP certificate was the precondition for the PAN-OS SAML authentication bypass CVE-2020-2021.
  3. Create an authentication profile, set the type to SAML, and select the IdP server profile created in step 2.
  4. To enable Azure SAML authentication for administrator login, go to Device > Setup > Management > Authentication Settings and select the authentication profile created in step 3.
  • Commit the changes. This concludes the configuration.
  • SAML should now be enabled: the login page displays the Single Sign-On option.
Creating admin users in the Azure portal:
  1. Select Azure Active Directory (Microsoft Entra ID).
  2. Search for and select Users, then add the new users. Use the same user to sign in with SSO. If the enterprise application requires user assignment (the default), also assign the user to Palo Alto Networks - Admin UI under Users and groups.
This concludes the configuration steps.
Additional Information


Tutorial: Azure AD SSO integration with Palo Alto Networks - Admin UI - Microsoft Entra
 

