Skip to main content

Palo Alto SAML Single Sign-on Deployment Guide

Introduction

This guide provides information on how to integrate Palo Alto SAML Single Sign-On (SSO) for use with SecureAuth IdP.

Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. When configured as specified in this guide, the Palo Alto firewall structure works seamlessly with SecureAuth IdP to increase network protection using authentication features only SecureAuth can offer.

Prerequisites

The prerequisites for deploying this SSO use case are:

  • Installation of Palo Alto Networks PAN-OS 8.x (or later) appliance

  • Deployment of GlobalProtect Client 4.x or later

  • Deployment of one or more SecureAuth IdP appliances

SecureAuth IdP Configuration Steps

Post Authentication

44835825.png

1. Execute the procedures in the Generic SAML Guide to create one or more realms for sup- porting Palo Alto VPN access and populating the Overview, Data, Workflow, and Multi-Factor Methods tab pages with the required values.

2. Specify the required values on the Post Authentication tab page

3. Select SAML 2.0 (SP Initiated) Assertion from the Authenticated User Redirect dropdown

The Redirect To field auto-populates with the URL to which SecureAuth IdP redirects successfully authenticated end-users. In this case, Authorized/SAML20SPInit.aspx

47246391.png

4. Since the end-user logs on to the application with the same SecureAuth IdP credentials, select Authenticated User ID from the User ID Mapping dropdown

5. Select urn:oasis:names:to:SAML:1:1:nameid-format:unspecified from the Name ID Format dropdown

6. Select False from the Encode to Base64 dropdown

44835823.png

7. Set WSFed / SAML Issuer to a unique name that identifies the IdP to the application, such as the SAML ID

8. Set WS-Fed Version to 1.2

9. Set WS-Fed Signing Algorithm to SHA1

10. Leave SAML Offset Minutes at the default 0

11. Set SAML Valid Hours to 1

12. Set Append HTTPS to SAML Target URL to True

13. Set SAML Data Encryption Method to XmlEncAES256Url (that is AES-256 encryption)

14. Set SAML Key Encryption Method to XmlEncRSAOAEPUrl

15. For Signing Cert Serial Number, upload the certificate into the SecureAuth IdP appliance's certificate store, then click Select Certificate

16. For Assertion Signing Certificate, click to download the certificate that is typically uploaded to the configured application

Warning

Click Save and remain on the Post Authentication page

44835824.png

17. Return to the User ID Mapping section, and click Transformation Engine to generate the XSLT Editor file

47246368.png

18. Click the Enable Transformation Engine checkbox

19. Modify only the first element — <UserID> — by typing/pasting the value Domain\ before the <xsl:value of select="user/UserID"> tag

Warning

Click Save once the configuration is complete and before leaving the Post Authentication page to avoid losing changes

Palo Alto VPN Configuration Steps

44835828.png

1. Start the Palo Alto VPN admin console

Refer to the PAN-OS Documentation for more information

2. Import SecureAuth IdP realm metadata to the Palo Alto appliance

a. On the Palo Alto VPN admin console, click Device > Server Profiles > SAML Identity Provider > Import

44835829.png

b. In the Identity Provider Metadata text field, either enter the location and name of the metadata XML file you have copied to this appliance, or click Browse... to navigate to the correct location and specify the XML file

3. After importing the metadata, uncheck the Validate Identity Provider Certificate box

4. Create a SAML Identity Server Profile by clicking Device > Server Profiles > SAML Identity Provider > Add

5. Modify these fields as follows:

a. For Profile Name, enter the required profile name

b. For Identity Provider ID, enter the same ID used as the Issuer Name on SecureAuth IdP Web AdminPost Authentication page

c. For Identify Provider Certificate, enter the same certificate used for the SAML certificate on the SecureAuth IdP Web Admin Post Authentication page

d. For Identity Provider SSO URL, indicate the SecureAuth URL in which SAML is configured for this app

6. Click OK when finished

44835830.png

7. From the configuration main menu, select Device > Authentication Profile

8. Create an authentication profile for the previously created SecureAuth IdP SAML Identity Provider and supply all required values

The fields under the User Attributes in SAML Messages from IdP section should match the default values shown on the SecureAuth IdP Web Admin Post Authentication page

44835819.png

9. Click the Advanced tab and then click Add to add Allow List members as required

10. When finished, click OK

44835820.png

11. Start the GlobalProtect Portal Configuration utility as specified in your GlobalProtect documentation

44835821.png

12. Click the Authentication tab, then create a Portal and Gateway profile that will enable you to use the SecureAuth IdP SAML Auth Profile

13. When finished, click OK

47246369.png

14. Click the Agent tab

15. Click the Authentication tab, then click the checkbox next to Generate cookie for authentication override

16. Click OK

47246370.png

17. Click the Agent | Client Settings | Authentication Override tabs

18. Click the checkbox next to Accept cookie for authentication override

19. Click OK

GlobalProtect Client Steps

44835822.png

1. Start the GlobalProtect client

2. Click Connect

44835826.jpg

3. You should be redirected to SecureAuth IdP for authentication

4. Enter the appropriate username, password, and passcode as required, and then click Submit

44835827.png

5. If successfully authenticated, the GlobalProtect client returns a screen as shown here

Troubleshooting

When end-users attempting to authenticate enter their credentials in an embedded browser, they may receive this script error message: "'WebForm_DoPostBackWithOptions' is undefined". Refer to the SecureAuth Support article Embedded Browser Error: An error has occurred in the script on this page to resolve this issue.