Make sure you complete all the necessary steps in the Azure portal.

1. If you have more than one directory, use Switch directory to select the directory you want to use with the Cloud Identity Engine.

2. Select Enterprise applications and click New application.

3. Select Add from the gallery, enter Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service, and download the Azure AD single sign-on integration.

4. After the application loads, select Users and groups, then Add user/group, and Assign them to this application.
   Select the users and groups that you want to use the Azure IdP in the Cloud Identity Engine for authentication. Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.

5. Select Single sign-on, then select SAML.

6. Select Upload Metadata File, browse to the metadata file that you downloaded from the Cloud Identity Engine app, and click Add.

7. After the metadata uploads, Save your configuration.

8. (Optional) Edit your User Attributes & Claims to Add a new claim or Edit an existing claim.

   If you attempt to test the configuration from the Azure Admin Console, a 404 error displays because that test is initiated by the IdP, whereas the Cloud Identity Engine supports authentication requests initiated by the service provider (SP-initiated SSO).

Configure Azure AD for the Cloud Identity Engine.

1. Select Single sign-on, then select SAML.

2. Edit the Basic SAML Configuration settings.

3. Select Upload metadata file and select the metadata file you downloaded from the Cloud Identity Engine in the first step.

4. Add and assign the users that you want to require to use Azure AD for authentication.
   a. Select Azure Active Directory, then select Users > All users.
   b. Create a New user and enter a Name and User name.
   c. Select Show password, copy the password to a secure location, and Create the user.
   d. In the Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service integration in the Azure Portal, select Users and groups.
   e. Select Add user, then select Users and groups.

Add Azure as an authentication type in the Cloud Identity Engine app.

1. Select Authentication Types and click Add New Authentication Type.

2. Set Up a SAML 2.0 authentication type.

3. Enter a Profile Name.

4. Select Azure as your Identity Provider Vendor.

5. Select the method you want to use to Add Metadata, then Submit the IdP profile.

   - If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile. Copy the necessary information from the Azure Portal and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

     Copy or Download From Azure Portal      Enter in Cloud Identity Engine IdP Profile
     Copy the Azure AD Identifier.           Enter it as the Identity Provider ID.
     Download the Certificate (Base64).      Click to Upload the certificate from the Azure Portal.
     Copy the Login URL.                     Enter the URL as the Identity Provider SSO URL.

     Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages: HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits base64-encoded SAML messages in an HTML form.

     Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.

   - If you want to upload a metadata file, download the metadata file from your IdP management system. In the Azure Portal, Download the Federation Metadata XML and Save it to a secure location. In the Cloud Identity Engine app, Click to upload the metadata file, then Open the metadata file.

   - If you want to use a URL to retrieve the metadata, copy the App Federation Metadata Url, paste it in the profile, and Fetch the metadata. Palo Alto Networks recommends using this method to configure Azure as an IdP.
6. Select Multi-factor Authentication is Enabled on the Identity Provider if your Azure configuration uses multi-factor authentication (MFA).

7. To require users to log in using their credentials to reconnect to GlobalProtect, enable Force Authentication.

8. Test SAML setup to verify the profile configuration. This step is required to confirm that your firewall and IdP can communicate.

9. Select the SAML attributes you want the firewall to use for authentication and