How to configure Palo Alto Networks Admin UI for SSO with Microsoft Entra ID (Azure AD)

• To configure Single Sign-On (SSO) on Palo Alto Networks Admin UI using Microsoft Entra ID (formerly Azure AD)
• Assign Read-Only and Superuser access based on user groups.

• Next-Gen Firewalls or Panorama
• Microsoft Entra ID tenant with administrator access
• Users and groups created in Entra ID for Read-Only and Superuser roles
• Access to the Palo Alto Networks Admin UI
• Admin privileges to configure SAML SSO

1. Create a New Enterprise Application in Microsoft Entra ID
   • Log in to the Microsoft Entra ID (Azure AD) portal.
   •  Navigate to Enterprise Applications → New Application.
   • Search for Palo Alto Networks Admin UI, select it, provide a name, and click Create.

2. Configure SAML-Based Single Sign-On
   • Open the application → Single sign-on → SAML.
   • Under Basic SAML Configuration, enter:

• • • Identifier (Entity ID)      https://<panorama-or-fw-ip-or-hostname>/SAML20/SP
    • Reply URL (ACS URL)    https://<panorama-or-fw-ip-or-hostname>/SAML20/SP/ACS
    • Sign on URL                  https://<panorama-or-fw-ip-or-hostname>/php/login.php
  • Under Attributes & Claims, click Edit and add a new claim:
  • Name: adminrole
  • Claim Conditions:

  • User Type	Scope Groups	Source	Value
    Any	Groups Needing SuperUser	Attribute	SuperUser
    Any	Groups Needing readonly	Attribute	superreader

  • Save Changes and download the Federation Metadata XML for use in Panorama /Admin UI

3. Configure SAML SSO in Palo Alto Networks Admin UI
   1. Log in to Panorama or Firewall Admin UI.
   2.  Navigate to Device → Server Profiles → SAML Identity Provider → Import.
   3. Provide a Profile Name and upload the Federation Metadata XML.

4.  Create an Authentication Profile
   • Type: SAML
   • IdP Server Profile: Select the imported profile
   • User Attributes in SAML Messages from IdP:

   • Attribute	Value
     Username	Username
     User Group	Groups
     Admin Role	adminrole

• • Enable SAML Authentication for the Admin UI under Device → Authentication Profile → Add.

5. Test SSO Login
   • Log out of the Admin UI.
   • Log in via the Entra ID application URL.
   • Verify access:
     • Users in superreader claim → Read-Only access
     • Users in adminrole claim → Superuser access

• Superreader (Read-only) authentication/authorization auth flow (authd.log):

2025-11-26 08:19:34.742 -0800 debug: _parse_sso_response(pan_authd_saml.c:1713): Got AdminRole (resp->role="superreader") from IdP "https://sts.windows.net/86a6fc71-d46f-46eb-bc5f-7ca2667a5f5c/"
2025-11-26 08:19:34.742 -0800 SAML Assertion: signature is validated against IdP certificate (subject 'dc1.domain.com') for user 'user15@domain.com'
2025-11-26 08:19:34.847 -0800 debug: pan_auth_send_saml_resp(pan_auth_server.c:1587): Succeed to cache role/adomain superreader/ for user user15@domain.com
2025-11-26 08:19:34.847 -0800 SAML SSO authenticated for user 'user15@domain.com'.   auth profile 'Azure_SSO', vsys 'shared', server profile 'Azure-SSO', IdP entityID 'https://sts.windows.net/86a6fc71-d46f-46eb-bc5f-7ca2667a5f5c/', admin role 'superreader', From: 10.47.187.142.
2025-11-26 08:19:34.847 -0800 debug: _log_saml_respone(pan_auth_server.c:716): Sent PAN_AUTH_SUCCESS SAML response:(authd_id: 7572253386976798241) (return username 'user15@domain.com') (auth profile 'Azure_SSO') (NameID 'user15@domain.com') (SessionIndex '_110a90f6-b0a9-4fa7-ac86-e9048ba7b800') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')
2025-11-26 08:19:34.871 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:3646): Receive request: msg type PAN_AUTH_REQ_GROUP, conv id 8228, body length 32
2025-11-26 08:19:34.871 -0800 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1633): init'ing group request (authorization)
2025-11-26 08:19:34.871 -0800 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1473): start to authorize user "user15@domain.com"
2025-11-26 08:19:34.871 -0800 debug: pan_auth_mgr_get_usernameonly(pan_auth_mgr.c:374): strict_name_check=no, username=user15@domain.com, usernameonly=user15
2025-11-26 08:19:34.871 -0800 debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:2296): Found userinfo (name/role/ado) cache entry: user15/superreader/
2025-11-26 08:19:34.871 -0800 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1583): Sent authorization response for user "user15@domain.com": role/domain="superreader/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1

• Superuser authentication/authorization auth flow (authd.log):

2025-11-26 08:17:17.371 -0800 debug: _parse_sso_response(pan_authd_saml.c:1713): Got AdminRole (resp->role="superuser") from IdP "https://sts.windows.net/86a6fc71-d46f-46eb-bc5f-7ca2667a5f5c/"
2025-11-26 08:17:17.371 -0800 SAML Assertion: signature is validated against IdP certificate (subject 'dc1.aavni.net') for user 'user1@domain.com'
2025-11-26 08:17:17.580 -0800 debug: pan_auth_send_saml_resp(pan_auth_server.c:1587): Succeed to cache role/adomain superuser/ for user user1@domain.com
2025-11-26 08:17:17.580 -0800 SAML SSO authenticated for user 'user1@domain.com'.   auth profile 'Azure_SSO', vsys 'shared', server profile 'Azure-SSO', IdP entityID 'https://sts.windows.net/86a6fc71-d46f-46eb-bc5f-7ca2667a5f5c/', admin role 'superuser', From: 10.47.187.142.
2025-11-26 08:17:17.582 -0800 debug: _log_saml_respone(pan_auth_server.c:716): Sent PAN_AUTH_SUCCESS SAML response:(authd_id: 7572253386976798236) (return username 'user1@domain.com') (auth profile 'Azure_SSO') (NameID 'user1@domain.com') (SessionIndex '_e41c6a21-b21a-4e9e-a36a-a43bd987ca00') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')
2025-11-26 08:17:17.655 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:3646): Receive request: msg type PAN_AUTH_REQ_GROUP, conv id 8226, body length 32
2025-11-26 08:17:17.655 -0800 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1633): init'ing group request (authorization)
2025-11-26 08:17:17.655 -0800 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1473): start to authorize user "user1@domain.com"
2025-11-26 08:17:17.655 -0800 debug: pan_auth_mgr_get_usernameonly(pan_auth_mgr.c:374): strict_name_check=no, username=user1@domain.com, usernameonly=user1
2025-11-26 08:17:17.655 -0800 debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:2296): Found userinfo (name/role/ado) cache entry: user1/superuser/
2025-11-26 08:17:17.656 -0800 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1583): Sent authorization response for user "user1@domain.com": role/domain="superuser/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1

• Palo Alto Networks SAML Authentication Guide
• Microsoft Entra ID – Configure SAML SSO