New User Interface: The "SSO Settings" Tab

Created On 12/09/25 20:44 PM - Last Modified 01/16/26 18:24 PM





Environment


To facilitate these new governance features, a dedicated SSO Settings tab has been added to the CSP interface.

  • Old Location: SSO configuration was previously managed under the "User Access" tab.

  • New Location: SSO configuration is now managed under a new "SSO Settings" tab within Account Details.

  • Purpose: This tab serves as the interface to request changes to your account's SSO status. It allows you to submit update requests, approve pending requests from other admins, and view the history of changes.

Key Concepts:

1. Dedicated "SSO Administrator" Role

  • Purpose: A new user role created with the sole responsibility of configuring third-party IDPs.

  • Security: This role enforces the principle of least privilege. Only designated personnel can manage user authentication.

  • Assignment: The role is assigned by a "Super User".

2. Account-Level "SSO Configuration" Attribute (Backend Setting)

  • Definition: There is a new backend attribute, "SSO Configuration", that acts as a master gatekeeper for the account.

  • Visibility: Note: This attribute is not a visible toggle or switch in the CSP User Interface. You cannot manually enable/disable it directly.

  • Functionality:

    • Enabled (Backend): When this attribute is set to True, the "Configure Single Sign-On settings for your domain" link (indicated below) becomes enabled and clickable. The assigned "SSO Administrator" can then proceed to configure IDP settings.

    • Disabled (Backend): The configuration link is not visible, and no user can configure IDPs, even if they hold the "SSO Administrator" role.

  • Control: To change this backend status from "Disabled" to "Enabled," you must utilize the "Request Approval" workflow in the SSO Settings tab.

 


 

Transition for Existing Domain Admins

The implementation of the dedicated SSO Administrator role includes a specific transition plan for existing Customer Support Portal (CSP) accounts, which will be executed as part of the Go-Live (12/18).

  • Role Transition: All existing Domain Admins will also transition to SSO Administrator.

  • Access: All existing Domain Admins will retain their current role.

Key Takeaway for Existing Domain Admins: Only your IDP configuration administration privilege will be transitioned to this new SSO Administrator role, and the migration of existing Domain Admins to the SSO Administrator role will be part of the Go-Live process.

Authentication Requirement: After the migration of Domain Admins to the SSO Administrator role, these users will continue to authenticate using Palo Alto Networks SSO.

Other Roles: Users with any other role besides SSO Administrator will continue to use the third-party Identity Provider (IDP) SSO.

Error Warning: If a user is currently using third-party IDP SSO and is later upgraded to the new SSO Administrator role in the Support Portal (after the Go-Live date of 12/18), they will hit an error at their first login to any Palo Alto Networks apps and services portal because they will not have a Palo Alto Networks-generated password.

Account Eligibility and Status

The initial backend status of this attribute depends on your account history.

For Existing CSP Accounts

  • Backend Status: The "SSO Configuration" attribute is enabled by default in the backend system.

  • Impact: The "Configure Single Sign-On settings for your domain" link is active immediately, allowing you to continue managing your IDP settings without interruption.

  • Governance: If you require this to be disabled for governance reasons, please submit a support request.

For New CSP Accounts

  • Backend Status: The "SSO Configuration" attribute is disabled by default in the backend system.

  • Loki Program Exception: The first CSP account created under a Salesforce account via the Loki program will have the attribute enabled by default.

  • How to Enable: Since the setting is backend-controlled, an "SSO Administrator" must submit an "SSO Update" request through the Support Portal to trigger the enablement process.

 


 

How to Request SSO Enablement

For accounts where the backend "SSO Configuration" attribute is disabled (and the configuration link is consequently inactive), SSO Administrators must use the following workflow.

1. Submitting a Request

  1. Navigate to Account Details and click the SSO Settings tab.

  2. Locate the "My Requests" section and click the Request Approval button.

  3. In the "Request Domain Approval" pop-up window, verify the domain (auto-populated from your login email) and click Submit.

    • Note: The button will be hidden if there is already an Approved or Pending request for the domain.

  4. View the status of your request in the My Requests sub-tab.

2. Approving or Declining a Request

Requests are routed to other SSO Administrators within the same domain (where the backend SSO Configuration is already enabled).

  1. Navigate to the SSO Settings tab and click the Pending Requests sub-tab.

  2. Locate the incoming request and click either Approve or Decline.

  3. A pop-up window will appear. You must provide a Reason for Approval or a Reason for Decline.

  4. Click Submit to finalize the decision.

3. Post-Approval: Configuring SSO

Once a request is Approved:

  • The backend "SSO Configuration" attribute is updated to Enabled.

  • The link "Configure Single Sign-On settings for your domain" at the top of the SSO Settings tab becomes active.

  • Click this link to enter the standard IDP configuration workflow.

4. Viewing Request History

To view a complete log of past activities:

  • Navigate to the SSO Settings tab and click the Request History sub-tab.

  • This section logs the requestor name, domain, date, and final status (Approved, Rejected, Pending).

 


 

Email Notifications

Users involved in the workflow will receive the following automated notifications instructing them to check the SSO Settings tab:

  • To Approvers: When a request is submitted, eligible SSO Administrators receive an email with the subject: "A new SSO Update Request Submitted needing Review and Decision". The notification sent to Approvers will only include the First and Last Name of the user who submitted the request.

  • To Requestor (Submission): After submitting, the requestor receives confirmation with the subject: "SSO Update Approval Request Submitted Notification".

  • To Requestor (Decision): Once a decision is made, the requestor receives an email with the subject: "SSO Update Request decision Notification" indicating if the request was approved or rejected.


