Make sure you complete all the necessary steps in the Azure portal.
- If you have more than one directory, use Switch directory to select the directory you want to use with the Cloud Identity Engine.
- Select Enterprise applications and click New application.
- Select Add from the gallery, enter "Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service", and download the Azure AD single sign-on integration.
- After the application loads, select Users and groups, then Add user/group to Assign them to this application. Select the users and groups you want to use the Azure IdP in the Cloud Identity Engine for authentication. Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.
- Select Single sign-on, then select SAML.
- Upload Metadata File by browsing to the metadata file that you downloaded from the Cloud Identity Engine app, then click Add.
- After the metadata uploads, Save your configuration.
- (Optional) Edit your User Attributes & Claims to Add a new claim or Edit an existing claim.
If you attempt to test the configuration on the Azure Admin Console, a 404 error displays because that test is triggered by the IdP, whereas the Cloud Identity Engine supports authentication requests initiated by the service provider.
Configure Azure AD for the Cloud Identity Engine.
- Select Single sign-on, then select SAML.
- Edit the Basic SAML Configuration settings.
- Upload metadata file and select the metadata file you downloaded from the Cloud Identity Engine in the first step.
At this point in the process, you may see the option to Test sign-in. If you try to test the single sign-on configuration now, the test won't be successful. You can test your configuration to verify it's correct in step 9.
Add and assign users who you want to require to use Azure AD for authentication.
- Select Azure Active Directory, then select Users > All users.
- Create a New user and enter a Name and User name.
- Select Show password, copy the password to a secure location, and Create the user.
- In the Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service integration in the Azure Portal, select Users and groups.
- Add user, then select Users and groups.
Add Azure as an authentication type in the Cloud Identity Engine app.
- Select Authentication Types and click Add New Authentication Type.
- Set Up a SAML 2.0 authentication type.
- Enter a Profile Name.
- Select Azure as your Identity Provider Vendor.
- Select the method you want to use to Add Metadata, then Submit the IdP profile.
If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
Copy the necessary information from the Azure Portal and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

Copy or Download from Azure Portal: Copy the Azure AD Identifier.
Enter in Cloud Identity Engine IdP Profile: Enter it as the Identity Provider ID.

Copy or Download from Azure Portal: Download the Certificate (Base64).
Enter in Cloud Identity Engine IdP Profile: Click Browse files to select the certificate you downloaded from the Azure Portal.

Copy or Download from Azure Portal: Copy the Login URL.
Enter in Cloud Identity Engine IdP Profile: Enter the URL as the Identity Provider SSO URL.

Enter in Cloud Identity Engine IdP Profile: Select the HTTP Binding for SSO Request to Identity Provider (Optional) method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
- HTTP Redirect: Transmit SAML messages through URL parameters.
- HTTP Post: Transmit SAML messages as base64-encoded values in an HTML form.
If you want to upload a metadata file, download the metadata file from your IdP management system. In the Azure Portal, Download the Federation Metadata XML and Save it to a secure location. In the Cloud Identity Engine app, click Browse files to select the metadata file, then Open the metadata file.

If you want to use a URL to retrieve the metadata, copy the App Federation Metadata Url, paste it in the profile as the Identity Provider Metadata URL, then click Get URL to retrieve the metadata. Palo Alto Networks recommends using this method to configure Azure as an IdP.

If you don't want to enter the configuration information now, you can Do it later. This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information before you can use the authentication type in an authentication profile.
Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
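To make the effect of this setting concrete, the added example below (written for this page; it is not the firewall's own validation code) applies a clock-skew tolerance the way a SAML service provider typically does: the message's IssueInstant may differ from local time by at most the configured skew, and the assertion's NotBefore/NotOnOrAfter window is widened by the same amount. The timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime values such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_idp_message_times(issue_instant, not_before, not_on_or_after,
                            now, max_clock_skew=60):
    """Return (ok, reason) for an IdP message judged at the SP's local time `now`.

    max_clock_skew mirrors the profile setting: the tolerated difference, in
    seconds, between the IdP clock and the firewall clock (default 60, range 1-900).
    """
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("Maximum Clock Skew must be between 1 and 900 seconds")
    skew = timedelta(seconds=max_clock_skew)
    issued = parse_saml_time(issue_instant)
    nb = parse_saml_time(not_before)
    noa = parse_saml_time(not_on_or_after)
    # The IdP's clock may be ahead of or behind ours by at most `skew`.
    if abs(now - issued) > skew:
        return False, "IssueInstant differs from local time by more than the clock skew"
    # Widen the assertion's validity window by the same tolerance on both sides.
    if now < nb - skew:
        return False, "assertion not yet valid (NotBefore)"
    if now >= noa + skew:
        return False, "assertion expired (NotOnOrAfter)"
    return True, "within the clock-skew tolerance"
```

With the default of 60 seconds, an IdP running 30 seconds ahead of the firewall still authenticates; lowering the tolerance to 20 seconds makes the same message fail, which is the symptom to look for when SAML logins start failing after a clock drift.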
Select Multi-factor Authentication is Enabled on the Identity Provider if your Azure configuration uses multi-factor authentication (MFA).

To require users to log in using their credentials to reconnect to GlobalProtect, enable Force Authentication.

Test SAML setup to verify the profile configuration. This step is necessary to confirm that your firewall and IdP can communicate.

Select the SAML attributes you want the firewall to use for authentication and