How To Enable a Third-Party Identity Provider (IDP)


46022
Created On 09/16/22 14:52 PM - Last Modified 03/20/24 22:13 PM


Environment


Customer Support Portal (CSP)



    Resolution


    How To Enable a Third-Party Identity Provider (IDP)

    • Summary
    • What is a 3rd Party Identity Provider?
    • Pre-Requisites
    • Enable 3rd Party Identity Provider
    • Verify SSO login
    • FAQs
      • Why am I unable to access the SSO Settings page?
      • Will there be any outage when I switch to 3rd party IDP?
      • Who do I contact if I run into SSO issues after migration?
      • Is there any other change in the way users are added in the support portal?
      • Why is the Identity Provider rejecting the SAML Response?
     

    Summary

    This document covers how to enable a third-party Identity Provider (IdP) for SSO.

    Enabling the Third-Party IdP option in the Customer Support Portal (CSP) allows account members to log in using their own corporate credentials.

    Because a third-party IdP is set up at the domain level, members may belong to and log in to multiple CSP accounts using their corporate SSO. They can also log in to other Palo Alto Networks applications using the same setup.

     

    What is a 3rd Party Identity Provider?

    Palo Alto Networks allows customers and partners to bring their own identity provider to access Palo Alto Networks resources, e.g., the Customer Support Portal. Domain Administrator (DA) accounts are an exception: they continue to use Palo Alto Networks credentials.

     

    Pre-Requisites 

    Below are the prerequisites to enable a third-party IdP for your domain:

    1. You must have the Domain Administrator (DA) role in the CSP to be able to configure third-party IdP access for your account.
    2. You must have admin access on the Identity Provider to update the SSO configuration details provided by Palo Alto Networks.
    3. You need one non-Domain Administrator (DA) account for verification.
    4. Ensure the URLs below are accessible from your network. You may need to work with your IT/Network team to add these URLs to your allow list.

                      https://accounts.paloaltonetworks.com/

                      https://accounts.api.paloaltonetworks.com/

     

    Enable 3rd Party Identity Provider

    1. To enable a third-party IdP, navigate to the Account Details page in the CSP and click View Single-Sign-On Settings for your domain.
    2. The link takes you to the portal where you can enter Identity Provider details. If you see the error message below, check that the URLs listed under Pre-Requisites above are accessible from your network and that a firewall is not blocking them.
              An error occurred while processing your request, please contact: ssoadmins@paloaltonetworks.com.
    3. Enter your Identity Provider details in the form and click “Save”. Note that this only saves the configuration; it is not activated yet. Test the SSO setup before you enable the Identity Provider for all users in the domain.
    4. Once you save the configuration, the Palo Alto Networks Service Provider Information is displayed towards the bottom of the page.
    5. Update your Identity Provider with the Palo Alto Networks information displayed on the page. Below are the details to be added in the SAML configuration.
      • NameID:
        • Value: Configure the user's email address to be sent as the Name Identifier
        • Format: Configure the NameID format as “Unspecified”
      • Additional SAML attributes:
        • firstName: First name of the user
        • lastName: Last name of the user
        • Claim name: Unique user identifier (NameID) must be changed to user.mail, keeping the NameID format as "Unspecified".
    6. IMPORTANT: Test the SSO setup before you click “Enable Identity Provider”. You can test the SSO setup using an Identity Provider initiated flow.
      • Open an incognito window and enter the Identity Provider SSO Service URL
      • Log in to your Identity Provider with your enterprise credentials
      • After successful login, the Identity Provider posts a SAML Response to the Palo Alto Networks Service Provider
      • If there is an issue in the setup, you will see an error message on the screen
      • If the SSO handshake was successful, you will be taken to the home page of sso.paloaltonetworks.com
    7. After you have verified that SSO works, you can “Enable SSO”. This enables the Identity Provider for all users within that email domain, except Domain Administrators. Domain Administrators (DA) retain the privilege to bypass IdP SSO so they can address SSO issues with support cases and user management.

     

    Verify SSO login 

    Once you enable the Identity Provider, all users (except Domain Administrators) are forced to log in via SSO. You can verify the end-to-end setup by following the steps below.

    Open a new incognito browser window and access the support portal URL.

    • Enter an email address on the sign-in page (not a Domain Administrator email address)
    • You are redirected to your IdP login page for authentication
    • After authentication, you should be taken to the Customer Support Portal home page.
     

    FAQs

    Why am I unable to access the SSO Settings page?

    If you see the following error message: "An error occurred while processing your request", please check if the URLs below are added to your allow list on your network, and that no firewall is blocking access.

         https://accounts.paloaltonetworks.com/

         https://accounts.api.paloaltonetworks.com/

    Will there be any outage when I switch to a third-party IdP?

    Yes, there may be an outage of approximately 1 hour while the Domain Admin configures and activates the Identity Provider. If the setup is tested carefully before it is enabled, there will be no outage.

    Who do I contact if I run into SSO issues after migration?

    If you have issues, please open an Admin case at https://support.paloaltonetworks.com. If you are unable to log in, please use the “Need Help?” option.

    Are there other changes in the way users are added in the support portal?

    No. There is no change to this process, with one exception: the Account Registration Link cannot be used to add users to a domain with a third-party IdP enabled.
    JIT provisioning and automated user creation between the CSP and the third-party IdP platform are not supported at this point. Users have to be added manually in the CSP.

    Why is the Identity Provider rejecting the SAML Response?

    Be sure to configure the NameID format as "Unspecified". The Service Provider signs the SAML Request and sends the NameID format as "Unspecified"; this setting must match what is configured in the Identity Provider.
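    Before enabling the IdP for the whole domain, it helps to check a captured SAML Response against the settings listed under Enable 3rd Party Identity Provider above (NameID format "Unspecified", the email address as the NameID value, and the firstName and lastName attributes), because a NameID format mismatch is exactly the rejection this FAQ describes. The Python script below is an added example, not Palo Alto Networks code or the CSP's own validation: the SAML Response XML it parses is constructed, the domain example.com is a placeholder, and it checks only the configuration points named in this article, not XML signatures.

```python
"""Pre-flight check of a SAML Response against the CSP's documented expectations.

Added example (not Palo Alto Networks code). Checks the points the article
names: NameID Format "Unspecified", an e-mail address as the NameID value in
the expected domain, and firstName/lastName attributes. It does NOT verify
XML signatures; use a SAML library for that. The sample responses below are
constructed and unsigned.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The "Unspecified" NameID format the Service Provider asks for.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_saml_response(xml_text, expected_domain):
    """Return a list of findings; an empty list means the response matches."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in the Response"]

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("no NameID in Subject")
    else:
        fmt = name_id.get("Format", "")
        value = (name_id.text or "").strip()
        if fmt != UNSPECIFIED:
            findings.append(f"NameID Format is {fmt or '(missing)'}, expected {UNSPECIFIED}")
        if not EMAIL_RE.match(value):
            findings.append(f"NameID value {value!r} is not an e-mail address")
        elif value.rsplit("@", 1)[1].lower() != expected_domain.lower():
            findings.append(f"NameID domain does not match {expected_domain}")

    # Collect attribute values by name, then require the two the article lists.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    for required in ("firstName", "lastName"):
        if not attrs.get(required):
            findings.append(f"missing SAML attribute {required}")
    return findings


# Constructed sample: matches the documented settings.
GOOD_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: emailAddress format (the mismatch from the FAQ) and no lastName.
BAD_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(sample, "example.com") or "OK")
```

    To use it on a real test login, capture the SAMLResponse form field from the IdP-initiated flow in the incognito window, Base64-decode it, and pass the XML to check_saml_response with your own email domain; an empty result means the NameID and attributes line up with what the Service Provider expects, and each finding names the setting to correct in the IdP before you click “Enable Identity Provider”.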

    How to renew the SSO IdP certificate

    Below are the prerequisites to edit SSO settings and renew the IdP certificate:
     

    1. You must have the Domain Administrator (DA) role in the CSP to be able to configure third-party IdP access for your account.
    2. You must have admin access on the Identity Provider to update the SSO configuration details provided by Palo Alto Networks.
    3. You need one non-Domain Administrator (DA) account for verification.
    4. Ensure the URLs below are accessible from your network. You may need to work with your IT/Network team to add these URLs to your allow list.

                      https://accounts.paloaltonetworks.com/

                      https://accounts.api.paloaltonetworks.com/


    Steps to renew the IdP certificate:
    1. Download the Base64 certificate from your Identity Provider (IdP).
    2. Log in to the support portal: https://support.paloaltonetworks.com
    3. Navigate to the Account Details page and click View Single-Sign-On Settings for your domain.
    4. Take a backup of the existing Identity Provider certificate from the SSO settings.
    5. Paste the new Base64 IdP certificate (downloaded from the IdP in step 1) into the Identity Provider certificate field and save the configuration.
    6. Test the SSO integration.
    7. In case of issues, revert the certificate change and reach out to support. You can open a support case at https://support.paloaltonetworks.com. If you are unable to log in, use the “Need Help?” option.

     


      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZ8mCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail