Different SAML Profiles needed for Primary and Secondary devices in HA
27662
Created On 03/25/19 06:20 AM - Last Modified 08/19/22 03:34 AM
Symptom
- Administrator authentication settings are synced between the devices in an HA pair when they are configured locally.
- Because the SAML configuration is synced between the two devices, both devices use the same settings to authenticate to the SAML provider (for example, Okta).
- This is a problem because each device presents a different SSO (ACS) URL to the IdP, so authentication fails for one of the devices.
Environment
- Panorama managed Prisma Access Firewalls
- High Availability configured
- SAML authentication using OKTA
Cause
- Normally, Okta offers the option "Allow this app to request other SSO URLs and provide the Requestable SSO" when creating a single custom app for SSO.
- This option allows multiple nodes in the deployment to use the same SSO URL: each node may request its own ACS URL in the AuthnRequest, and Okta honors the request only if that URL is in the Requestable SSO URL list.
- If you use the Okta/Palo Alto Networks integrated application "Palo Alto Networks - Admin UI", this option is not available.
- As a result, users cannot log in to either the Primary or the Secondary device in HA.
Resolution
- Set up a custom app on Okta with the "Allow this app to request other SSO URLs and provide the Requestable SSO" option enabled.
- Add Requestable SSO URLs for both devices. The workflow is similar to: SAML Authentication Using Okta as IdP for Mobile Users
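The following Python script is an added illustration of the mechanism behind the Okta option, not code from the article or from Palo Alto Networks or Okta. It models the IdP-side decision: without the option, the IdP always posts the SAML response to the single configured SSO URL, so a login started on the Secondary peer lands on the Primary peer's ACS URL and fails; with the option, the IdP honors the AssertionConsumerServiceURL in the AuthnRequest, but only when that URL is on the Requestable SSO URL allowlist. The hostnames, the request ID and the IssueInstant are constructed placeholders; the HTTP-Redirect encoding (raw DEFLATE plus base64) follows the SAML 2.0 bindings specification.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed ACS URLs for the two HA peers (hypothetical hostnames, not from the article).
PRIMARY_ACS = "https://fw-primary.example.net/SAML20/SP/ACS"
SECONDARY_ACS = "https://fw-secondary.example.net/SAML20/SP/ACS"

# What the Okta app would hold: one fixed Single Sign-on URL, plus the optional
# Requestable SSO URL allowlist that the custom app lets you populate.
DEFAULT_SSO_URL = PRIMARY_ACS
REQUESTABLE_SSO_URLS = {PRIMARY_ACS, SECONDARY_ACS}


def build_authn_request(acs_url: str, issuer: str = "fw-ha-pair") -> str:
    """Constructed samlp:AuthnRequest naming the ACS URL of the peer that started the login."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_constructed-id-1" Version="2.0" IssueInstant="2019-03-25T06:20:00Z" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_request(encoded: str) -> str:
    """Inverse of encode_redirect_request, as the IdP would do on the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def choose_acs_url(authn_request_xml: str, allow_requested_urls: bool) -> str:
    """Return the ACS URL the IdP will post the SAML response to.

    allow_requested_urls mirrors the Okta toggle "Allow this app to request other SSO URLs".
    When it is off, the request's ACS URL is ignored and the fixed SSO URL is used.
    When it is on, the requested URL is accepted only if it is on the allowlist; anything
    else is rejected so a forged request cannot redirect assertions to an arbitrary host.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    requested = root.get("AssertionConsumerServiceURL")
    if not allow_requested_urls or requested is None:
        return DEFAULT_SSO_URL
    if requested not in REQUESTABLE_SSO_URLS:
        raise ValueError(f"requested ACS URL is not in the Requestable SSO URL list: {requested}")
    return requested


def login_succeeds(login_peer_acs: str, allow_requested_urls: bool) -> bool:
    """A login on a peer only succeeds if the response comes back to that peer's own ACS URL."""
    encoded = encode_redirect_request(build_authn_request(login_peer_acs))
    response_target = choose_acs_url(decode_redirect_request(encoded), allow_requested_urls)
    return response_target == login_peer_acs


if __name__ == "__main__":
    for label, allow in (("integrated app (option unavailable)", False), ("custom app with Requestable SSO URLs", True)):
        print(label)
        print("  primary  :", "ok" if login_succeeds(PRIMARY_ACS, allow) else "FAIL")
        print("  secondary:", "ok" if login_succeeds(SECONDARY_ACS, allow) else "FAIL")
```

Run as written, the integrated-app case shows the Secondary peer failing because its response is delivered to the Primary's ACS URL, while the custom-app case succeeds on both peers; a request naming an ACS URL outside the allowlist is rejected, which is the property that makes the allowlist safe to enable.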
Additional Information
Workaround (applicable to Panorama-managed PA firewalls):
- Push different SAML profiles to the devices in HA using different templates from Panorama.
- This works because Panorama-pushed configuration is not synced between devices in HA.
- This allows a different SAML profile to be associated with the administrators on each device.