How to Migrate An Existing Third-Party Identity Provider (IDP)

Created On 09/16/22 16:20 PM - Last Modified 06/16/23 14:32 PM


Resolution


ATTENTION:
 
  • If you have reached this page while logging into a Palo Alto Networks service, it indicates your email domain is configured to use your organization credentials. Your organization domain administrator(s) need to complete a pending migration activity following the steps provided in this article, before you can login to any Palo Alto Networks services.
 
Contact your Palo Alto Networks account support team for assistance.
 
  • If you are the domain administrator and require assistance with the migration activity, please open a support ticket with Palo Alto Networks at https://support.paloaltonetworks.com. If you are unable to log in, please use the "Need Help?" option.



How to Migrate an Existing Third-Party Identity Provider (IDP)


What’s changing

Palo Alto Networks is changing the identity system framework on the backend. This new framework requires all identity providers integrated with PANW (third-party IdP integrations) to be updated to the new configuration.

 

Impact

There will be an outage for users attempting to log in during the migration process. Please plan the change window accordingly.


Migration procedure

Pre-Requisites 

  • You must have the Domain Administrator (DA) role in the CSP to be able to configure third-party IDP access for your account.

  • You must have admin access on the Identity Provider to update the SSO configuration details provided by Palo Alto Networks. 

  • You need one non-domain administrator (non-DA) account for verification.

  • Take a backup of your existing identity provider configuration. This includes details such as the Entity ID, certificate, SSO URL and redirect URL configured on your end.

  • Ensure the URLs below are accessible from your network. You may need to work with your IT/network team to whitelist these URLs:

        https://accounts.paloaltonetworks.com/
        https://accounts.api.paloaltonetworks.com/

Migration

  1. Log in to the support portal using your domain admin account.

  2. Navigate to the Account Details page in the CSP and click View Single-Sign-On Settings for your domain.

  3. Once you log in, you'll see your existing identity provider configuration at the top of the page. The form fields are editable only after the integration is activated in Okta, to avoid data going out of sync during the migration.

  4. Note: Any new user login will be impacted after you save the changes below and after you complete the "Activate in OKTA" step.

  5. Scroll down to the bottom of the page to "Palo Alto Networks Service Provider Information". Copy the updated PANW information displayed there and update your IDP with the new URLs and certificate (be sure to back up your old configuration).

  6. Add the following details to the SAML configuration.

    1. NameId

      1. Value: Configure the email address to be sent in the Name Identifier.

      2. Format: Configure the NameId format as "Unspecified".

    2. Additional SAML attributes: the attributes below are sent as additional SAML attributes.

      1. firstName: First name of the user

      2. lastName: Last name of the user

  7. IMPORTANT: Test the SSO setup before you "Activate in OKTA".

    1. Open an incognito browser window and enter the Identity Provider SSO URL.

    2. Log in to your Identity Provider with your enterprise credentials.

    3. After a successful login, the Identity Provider will post the SAML response to the Palo Alto Networks Service Provider.

    4. If there is an issue in the setup, you will see an error message on the screen.

    5. If the SSO handshake was successful, you will be taken to the home page of sso.paloaltonetworks.com.

  8. Click on "Activate in OKTA". You will be asked to confirm. Click "Save".

    1. This activates the new configuration.

    Note: If you have multiple email domains configured for a third-party IdP, they will be activated along with the domain you have logged into.

  9. Using a non-domain admin account, log in to the Customer Support Portal in an incognito window. This verifies the SSO configuration.



Roll-Back

If you run into any issues, roll back the changes and open a case at https://support.paloaltonetworks.com. If you are unable to log in, please use the "Need Help?" option.

Steps to roll back the changes:

  1. Get the Identity Provider backup configuration that you saved prior to the migration.

  2. Log in to your Identity Provider and change it back to the previous configuration.

  3. Navigate to the Account Details page in the CSP and click View Single-Sign-On Settings for your domain.

  4. Deactivate the new Okta setup using the slider "Activate in OKTA". You will be asked to confirm. Click "Save".

    1. You will see a confirmation once the IdP setup is deactivated.


 

Migration FAQs

Will there be any outage while I do the switch?

Yes, there will be a potential outage of approximately 1 hour.
 

If I have more than one domain, will they be migrated automatically?

Yes, all of the existing domains you have enabled will be automatically migrated.
 

Why am I unable to access the SSO Settings page?

If you encounter the error message below, check that the URLs below are added to the allow list on your network. Also check whether a firewall is blocking this page.

     https://accounts.paloaltonetworks.com/
     https://accounts.api.paloaltonetworks.com/

Message: An error occurred while processing your request, please contact: ssoadmins@paloaltonetworks.com.
 

Who do I contact if I run into SSO issues after migration?

If you run into issues, please open a case at https://support.paloaltonetworks.com. If you are unable to log in, please use the "Need Help?" option.
 

Are there other changes in the way users are added in the support portal?

No. There is no change in this process.
 

Why is the Identity Provider rejecting the SAML response? 

Be sure to configure the NameID format as "Unspecified". The Service Provider signs the SAML request and sends the NameID format as "Unspecified"; this must match what is configured in the Identity Provider.
