How to setup Azure SAML authentication for admin UI
10433
Created On 10/14/22 21:08 PM - Last Modified 04/04/24 01:30 AM
Objective
Step-by-step instructions on how to set up Azure SAML authentication for Admin UI.
Environment
- Palo Alto Firewalls and Panorama
- Supported PAN-OS version
- Admin UI authentication using Azure SAML
Procedure
Steps to be performed on the Azure portal:
- Step 1: Log in to the Azure Portal and navigate to Enterprise applications under All services.
- Step 2: Select New application, search for Palo Alto, and select Palo Alto Networks - Admin UI.
- Step 3: Click Create to add the application. Creation takes a few seconds.
- Step 4: After the app has been added successfully, click Single sign-on.
- Step 5: Select the SAML option.
- Step 6: Edit the Basic SAML Configuration by clicking the Edit button.
- Step 7: Fill out the Sign-on URL, Identifier (Entity ID), and Reply URL (Assertion Consumer Service URL) as follows, using either the firewall's FQDN or its IP address:
  - Sign-on URL:
    - https://FQDN
    - https://IP-address
  - Identifier (Entity ID):
    - https://FQDN:443/SAML20/SP
    - https://IP-address:443/SAML20/SP
  - Reply URL (Assertion Consumer Service URL):
    - https://FQDN:443/SAML20/SP/ACS
    - https://IP-address:443/SAML20/SP/ACS
  For example, for a firewall at 10.73.32.145:
  - Identifier (Entity ID): https://10.73.32.145:443/SAML20/SP
  - Reply URL (Assertion Consumer Service URL): https://10.73.32.145:443/SAML20/SP/ACS
  - Sign-on URL: https://10.73.32.145
- Step 8: Download the Federation Metadata XML and save it on your computer (it will be imported into the firewall).
This concludes the configuration on Azure. Log in to the firewall and add the SAML identity provider.
Steps to be performed on the NGFW/Panorama (SAML configuration steps):
- Step 1: Log in to the firewall and navigate to GUI: Device > SAML Identity Provider > Import.
- Step 2: Import the Federation Metadata XML downloaded from Azure in Step 8.
  - Click OK to complete the import.
  - Option: uncheck Validate Identity Provider Certificate. If it is checked, the certificate from Azure needs to be uploaded to the firewall as well.
- Step 3: Create an Authentication Profile, select SAML as the type, and select the IdP server profile.
- Step 4: To use SAML (Azure) authentication for administrator login, go to GUI: Setup > Management > Authentication Settings.
- Commit the changes. This concludes the firewall configuration.
- SAML should now be enabled: the login page displays the Single Sign-On option.
- In Azure Active Directory, search for and select the users to add to the application. Use one of these users to log in with SSO.
This concludes the configuration steps.
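Before importing the Federation Metadata XML (firewall Step 2), and when deciding whether to keep Validate Identity Provider Certificate enabled, it helps to look at what the downloaded file actually contains. The following Python script is an added example, not part of this article and not Palo Alto Networks or Microsoft tooling. Using only the standard library, it parses a constructed sample metadata document (the tenant ID, endpoint URLs and certificate bytes are placeholders, not real values), extracts the IdP entity ID and single sign-on endpoints, rejects any endpoint that is not HTTPS, and prints the SHA-256 fingerprint of each signing certificate so it can be compared with the certificate you upload to the firewall. It also derives the three service-provider values from Step 7 for a given firewall FQDN or IP address. To inspect a real download, replace SAMPLE_METADATA with the file's contents.

```python
"""Inspect an Azure AD / Entra federation metadata XML before importing it into PAN-OS.

Added example, not part of the Palo Alto Networks article. Extracts the IdP
entity ID, the single sign-on endpoints per binding and the signing
certificate(s), and reports each certificate's SHA-256 fingerprint.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the tenant ID is all zeros and the "certificate" is a
# placeholder byte string, not real X.509 DER. Shape follows what Azure emits.
_PLACEHOLDER_DER = b"constructed placeholder certificate bytes, not a real X.509 DER"
_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}">
        <X509Data>
          <X509Certificate>{base64.b64encode(_PLACEHOLDER_DER).decode()}</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the IdP entity ID, SSO endpoints keyed by binding, and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")

    sso = {}
    for svc in root.iter(f"{{{MD}}}SingleSignOnService"):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. "HTTP-POST"
        location = svc.get("Location", "")
        # The firewall redirects administrators here; refuse a cleartext endpoint.
        if not location.startswith("https://"):
            raise ValueError(f"SSO endpoint is not HTTPS: {location}")
        sso[binding] = location

    fingerprints = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without "use" applies to both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            digest = hashlib.sha256(der).hexdigest().upper()
            fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")

    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": fingerprints}


def sp_urls(host):
    """Service-provider values entered on the Azure side (Step 7), derived from the firewall FQDN or IP."""
    return {
        "sign_on_url": f"https://{host}",
        "entity_id": f"https://{host}:443/SAML20/SP",
        "acs_url": f"https://{host}:443/SAML20/SP/ACS",
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID      :", info["entity_id"])
    for binding, url in info["sso"].items():
        print(f"SSO {binding:<14}:", url)
    for fp in info["signing_fingerprints"]:
        print("Signing cert SHA-256:", fp)
    for name, value in sp_urls("10.73.32.145").items():
        print(f"SP {name:<15}:", value)
```

The fingerprint is computed over the DER bytes inside the X509Certificate element, which is the same value most certificate viewers display as the SHA-256 thumbprint, so it can be matched against the certificate you upload before committing.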
Additional Information
Tutorial: Azure AD SSO integration with Palo Alto Networks - Admin UI - Microsoft Entra: