How to configure Administrator accounts to use different SAML IdP providers

Created On 02/15/23 16:14 PM - Last Modified 09/27/24 20:22 PM


Objective


  • Configure SAML authentication profile for each SAML IdP provider.
  • Associate each Administrator account with chosen SAML authentication profile.
  • This ensures that each Administrator is authenticated by the assigned SAML IdP vendor.


Environment


  • Palo Alto Firewalls or Panorama
  • Supported PAN-OS
  • SAML IdP Server Profile
  • Authentication Profile


Procedure


  1. Follow STEPS 1 to 3 in the Panorama Administrators or Firewall Administrators guide for each SAML Identity Provider (IdP).
  2. Create Administrator accounts in Firewall/Panorama using the following procedure:
    1. Select Device/Panorama > Administrators and Add an administrator.
    2. Enter a Name to identify the administrator. This name must match the username the IdP returns in the SAML response and cannot contain the special character @; configure the IdP attributes to send the username in "domain\username" or "username" format.
    3. Select the corresponding Authentication Profile configured in the previous step.
    4. Select the Administrator Type and their respective Admin Role.
    5. Click OK to save the Administrator account.
  3. Select Commit > Commit/Commit to Panorama to activate the changes on Firewall/Panorama and to validate the Identity Provider Certificates assigned to the SAML IdP server profiles in STEP 2.
  4. Verify that Administrators can authenticate using SAML SSO as described in STEP 6 of the Panorama Administrators or Firewall Administrators guide.
  5. Firewall/Panorama redirects you to authenticate to the IdP assigned to this administrator, which displays a SAML login page.
  6. Log in using your SSO username and password.
  7. After you successfully authenticate on the IdP, it redirects you back to Firewall/Panorama, which displays the web interface.


Additional Information


  • Administrators can use SAML to authenticate to the Firewall/Panorama web interface, but not to the CLI.
  • A default Authentication Profile can be configured on the Firewall/Panorama so that it redirects to a specific IdP when the SSO account entered is not a valid Firewall/Panorama administrator:
    • Select Device/Panorama > Setup > Management, edit the Authentication Settings, and select one of the Authentication Profiles configured previously.
    • Select Commit > Commit/Commit to Panorama.
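The two decisions described above (which IdP an administrator is redirected to, with the default profile as fallback, and whether the username in the SAML response matches the administrator name, with no @ allowed) as an added illustrative model in Python. This is not PAN-OS code; the administrator names, profile names and the sample assertion are constructed.

```python
"""Illustrative model (not PAN-OS code) of two checks this article describes:
which authentication profile (IdP) an administrator is sent to, and whether
the username in the SAML response matches the configured admin account."""
import xml.etree.ElementTree as ET

# Constructed example: administrators mapped to per-IdP authentication profiles
ADMINS = {
    "alice": "saml-okta-profile",
    r"corp\bob": "saml-azure-profile",
}
# Constructed default, as set under Setup > Management > Authentication Settings
DEFAULT_PROFILE = "saml-okta-profile"

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def select_auth_profile(entered_username, admins=ADMINS, default=DEFAULT_PROFILE):
    """Return the authentication profile the firewall redirects to.
    A configured administrator gets the assigned profile; an unknown account
    falls back to the default profile, or None when no default is set."""
    return admins.get(entered_username, default)


def valid_admin_name(name):
    """Admin name must be 'username' or 'domain\\username' and contain no '@'."""
    if not name or "@" in name:
        return False
    parts = name.split("\\")
    return len(parts) <= 2 and all(parts)


def saml_username(assertion_xml):
    """Extract the Subject NameID from a (constructed) SAML assertion."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    return node.text.strip() if node is not None and node.text else None


def username_matches(assertion_xml, admin_name):
    """The IdP-returned username must equal the configured administrator name."""
    return valid_admin_name(admin_name) and saml_username(assertion_xml) == admin_name


# Constructed sample assertion (not a real IdP response)
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>corp\\bob</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)
```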

