Different SAML Profiles needed for Primary and Secondary devices in HA

12901
Created On 03/25/19 06:20 AM - Last Modified 08/19/22 03:34 AM


Symptom
  • Administrator Authentication Settings are synced between devices in HA when locally configured.
  • Because the SAML configuration is synced between the two devices, both use the same settings to authenticate against a SAML provider such as Okta.
  • This creates a problem: authentication fails for one of the two devices.


Environment
  • Panorama managed Prisma Access Firewalls
  • High Availability configured
  • SAML authentication using Okta


Cause
  • Normally, Okta offers the option "Allow this app to request other SSO URLs and provide the Requestable SSO" when creating a single custom app for SSO.
  • This option allows multiple nodes in a deployment to use the same SSO URL.
  • If you use the Okta/Palo Alto Networks integrated application "Palo Alto Networks - Admin UI", this option is not available.
  • This prevents users from logging in to either the Primary or the Secondary device in HA.


Resolution
  1. Set up a custom app on Okta with the "Allow this app to request other SSO URLs and provide the Requestable SSO" option enabled.
  2. Add Requestable SSO URLs for both devices. The workflow is similar to the one in SAML Authentication Using Okta as IdP for Mobile Users.
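A small model of the IdP-side check behind this article, added here as an illustration (it is not code from the article, Okta or Palo Alto Networks). Each HA peer sends a SAML AuthnRequest carrying its own AssertionConsumerServiceURL, and the IdP only honours URLs registered for the app; the hostnames, ACS paths and the dict-based app settings are constructed assumptions:

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(issuer, acs_url, request_id):
    """Build a minimal (unsigned) SAML 2.0 AuthnRequest as an SP firewall would send it."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2019-03-25T06:20:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
    )

def idp_accepts(app, authn_request_xml):
    """Model the IdP check: the requested ACS URL must be the app's SSO URL or,
    only when the app allows it, one of its Requestable SSO URLs."""
    root = ET.fromstring(authn_request_xml)
    requested = root.get("AssertionConsumerServiceURL")
    allowed = {app["sso_url"]}
    if app.get("allow_requestable"):
        allowed |= set(app.get("requestable_sso_urls", []))
    return requested in allowed

# Constructed sample (assumed values): one synced SAML profile on both HA peers,
# so both present the same Issuer, but each peer's ACS URL is its own address.
PRIMARY_ACS = "https://fw-primary.example.com/SAML20/SP/ACS"
SECONDARY_ACS = "https://fw-secondary.example.com/SAML20/SP/ACS"
ENTITY_ID = "https://fw-primary.example.com/SAML20/SP"

# Integrated app: a single SSO URL, no requestable URLs (the cause described above).
INTEGRATED_APP = {"sso_url": PRIMARY_ACS, "allow_requestable": False}
# Custom app: requestable URLs enabled and both peers' ACS URLs added (the resolution).
CUSTOM_APP = {"sso_url": PRIMARY_ACS, "allow_requestable": True,
              "requestable_sso_urls": [PRIMARY_ACS, SECONDARY_ACS]}

def ha_login_outcome(app):
    """Return (primary_ok, secondary_ok) for admin logins against the given Okta app."""
    primary = build_authn_request(ENTITY_ID, PRIMARY_ACS, "_req1")
    secondary = build_authn_request(ENTITY_ID, SECONDARY_ACS, "_req2")
    return idp_accepts(app, primary), idp_accepts(app, secondary)

if __name__ == "__main__":
    print("integrated app:", ha_login_outcome(INTEGRATED_APP))  # (True, False)
    print("custom app:", ha_login_outcome(CUSTOM_APP))          # (True, True)
```

An ACS URL that is not registered for the app is still rejected by the custom app, which is the property that makes the requestable-URL list safe to enable.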



Additional Information
Workaround (applicable to Panorama-managed PA firewalls):
  • Push different SAML Profiles to the devices in HA using different templates from Panorama.
  • This works because Panorama-pushed configuration is not synced between devices in HA.
  • This allows a different SAML Profile to be associated with the Administrators on each device.


    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000boQT&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail