Different SAML Profiles needed for Primary and Secondary devices in HA
Created On 03/25/19 06:20 AM - Last Modified 09/03/19 22:37 PM
Administrator authentication settings are synced between PAN-OS devices in HA when they are configured locally. Because the SAML configuration is synced, both devices end up using the same settings to authenticate against the SAML identity provider (for example Okta). This creates a problem: authentication fails for one of the two devices.
This applies to any HA setup on PAN-OS devices, i.e. firewalls and Panorama.
Normally, Okta offers the option "Allow this app to request other SSO URLs and provide the Requestable SSO" when you create a single custom app for SSO. This option allows multiple nodes in a deployment (here, the two HA peers) to use the same SSO URL.
If you use the Okta-integrated Palo Alto Networks application "Palo Alto Networks - Admin UI", this option is not available, so users are prevented from logging in to one of the two devices in HA (primary or secondary).
You should set up a custom app on Okta with the "Allow this app to request other SSO URLs and provide the Requestable SSO" option enabled, and add Requestable SSO URLs for both devices. The workflow is similar to:
SAML Authentication Using Okta as IdP for Mobile Users
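The following added check (not from the original article or from Palo Alto Networks or Okta) illustrates why the Requestable SSO URLs matter: it parses SP metadata for each HA peer, extracts the AssertionConsumerService URLs, and reports which peer Okta would reject. The hostnames, the metadata documents and the Okta URL lists are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata namespace.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def sp_metadata(host: str) -> str:
    """Build a constructed, PAN-OS style SP metadata document for one HA peer (sample only)."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://{host}:443/php/login.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{host}:443/SAML20/SP/ACS"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed sample: the HA peers share one synced SAML profile but each has its own ACS URL.
PEER_METADATA = {
    "primary": sp_metadata("fw-primary.example.com"),
    "secondary": sp_metadata("fw-secondary.example.com"),
}

# Constructed sample: URLs the Okta app accepts before and after adding a Requestable SSO URL.
OKTA_SSO_URLS_BEFORE = {"https://fw-primary.example.com:443/SAML20/SP/ACS"}
OKTA_SSO_URLS_AFTER = OKTA_SSO_URLS_BEFORE | {"https://fw-secondary.example.com:443/SAML20/SP/ACS"}


def acs_locations(metadata_xml: str) -> set[str]:
    """Extract every AssertionConsumerService Location from an SP metadata document."""
    root = ET.fromstring(metadata_xml)
    return {e.attrib["Location"] for e in root.iterfind(".//md:AssertionConsumerService", NS)}


def unregistered_peers(peer_metadata: dict[str, str], okta_sso_urls: set[str]) -> dict[str, set[str]]:
    """Return, per HA peer, the ACS URLs Okta does not know about.

    A peer listed here fails SAML login: Okta only posts assertions to the app's
    configured SSO URL or to one of its Requestable SSO URLs.
    """
    missing = {}
    for peer, xml in peer_metadata.items():
        gap = acs_locations(xml) - okta_sso_urls
        if gap:
            missing[peer] = gap
    return missing
```

With only the primary's URL registered, the secondary peer is reported as unregistered; once both URLs are Requestable SSO URLs the result is empty.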
Workaround (applicable to Panorama-managed PA firewalls):
Push different SAML profiles to the devices in HA using different templates from Panorama. This works because Panorama-pushed configuration is not synced between devices in HA, which allows a different SAML profile to be associated with administrators on each device.