Configure SAML Single Sign-On (SSO) Authentication
By default, the Aperture service uses local (database) authentication, which requires you to create Aperture sign-in accounts for each Aperture administrator. These accounts are stored in a local database separate from your enterprise login accounts. If your organization has standardized on SAML SSO authentication, you can eliminate duplicate accounts by configuring Aperture as a SAML service provider so that Aperture administrators can use their enterprise credentials to access the service. You must be an Aperture Super Admin to set or change the authentication settings on the Aperture service.
- Enable SSO authentication on the Aperture service. You must be an Aperture Super Admin to configure SSO authentication.
  - Select Settings > Authentication.
  - Select Enable Single Sign-On and Save.
  - Make a note of the Aperture Entity ID and ACS URL provided. The Identity Provider needs this information to communicate with the Aperture service.
- Configure the Aperture service on your SAML Identity Provider. This example uses Okta as your Identity Provider.
  - Add the Aperture Entity ID.
  - Add the Aperture ACS URL.
  - Obtain the IDP certificate from the Identity Provider and install the certificate on the IDP server. If you do not know where to obtain the certificate, contact your IDP administrator.
  - Save the Aperture configuration for your chosen Identity Provider and collect the setup information provided.
- Configure SSO authentication on Aperture.
  - Enter the Identity Provider SSO URL.
  - Browse to add an Identity Provider Certificate. The identity provider uses this certificate to sign SAML messages. Alternatively, you can disable Require valid certificate for login.
  - Enter the SAML Identity Provider ID.
  - Save your changes.
- Select SSO as the authentication type for Aperture administrators. After SSO is configured on the Aperture service and the identity provider, you can configure the authentication type for each Aperture administrator. As an Aperture Super Admin, you can change the Authentication Type for any account except your own. To change your Authentication Type, another Super Admin must configure your account.
  - Select Settings > Admin Accounts.
  - Create a new Admin Account or edit an existing one.
  - For the Authentication Type, select Single Sign-On (SSO). When accessing the Aperture service, Administrators are logged in automatically and a message appears at the top of the screen. When the Administrator has both an account in the Aperture local database and SSO, a sign-on screen displays.