Configure Azure as an IdP in the Cloud Identity Engine

Download the Cloud Identity Engine integration in the Azure Portal.

If you have not already done so, activate the Cloud Identity Engine app.
In the Cloud Identity Engine app, select
Authentication
SP Metadata
Download SP Metadata
and
Save
the metadata in a secure location.

Log in to the Azure Portal and select
Azure Active Directory
.
Make sure you complete all the necessary steps in the Azure portal.

If you have more than one directory,
Switch directory
to select the directory you want to use with the Cloud Identity Engine.

Select
Enterprise applications
and click
New application
.

Add from the gallery
then enter
Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service
and download the Azure AD single-sign on integration.
After the application loads, select
Users and groups
, then
Add user/group
to
Assign
them to this application.
Select the users and groups you want to have use the Azure IdP in the Cloud Identity Engine for authentication.
Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
Select
Single sign-on
then select
SAML
.
Upload Metadata File
by browsing to the metadata file that you downloaded from the Cloud Identity Engine app and click
Add
.
After the metadata uploads,
Save
your configuration.
(Optional)
Edit
your
User Attributes & Claims
to
Add a new claim
or
Edit
an existing claim.
If you attempt to test the configuration on the Azure Admin Console, a 404 error displays because the test is triggered by the IdP and the Cloud Identity Engine supports authentication requests initiated by the service provider.

Configure Azure AD for the Cloud Identity Engine.

Select
Single sign-on
then select
SAML
.
Edit
the
Basic SAML Configuration
settings.
Upload metadata file
and select the metadata file you downloaded from the Cloud Identity Engine in the first step.
Enter your regional endpoint as the
Sign-on URL
using the following format:
https://
<RegionUrl>
.paloaltonetworks.com/sp/acs
(where
<RegionUrl>
is your regional endpoint). For more information on regional endpoints, see Configure Cloud Identity Engine Authentication on the Firewall or Panorama.
Copy
the
App Federation Metadata Url
and save it to a secure location.
At this point in the process, you may see the option to
Test sign-in
. If you try to test the single sign-on configuration now, the test will not be successful. You can test your configuration to verify it is correct in step 8.

Add and assign users that you want to require to use Azure AD for authentication.

Select
Azure Active Directory
then select
Users
All users
.
Create a
New user
and enter a
Name
,
User name
.
Select
Show password
, copy the password to a secure location, and
Create
the user.
In the
Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service
integration in the Azure Portal, select
Users and groups
.
Add user
then select
Users and groups
.

Add Azure as an authentication type in the Cloud Identity Engine app.

Select
Authentication Types
and click
Add New Authentication Type
.

Set Up
a
SAML 2.0
authentication type.

Enter a
Profile Name
.

Select
Azure
as your
Identity Provider Vendor
.

Select the method you want to use to

Add Metadata

and

Submit

the IdP profile.

If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
Copy the necessary information from the Azure Portal and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
Copy or Download From Azure Portal	Enter in Cloud Identity Engine IdP Profile
Copy the Azure AD Identifier .	Enter it as the Identity Provider ID .
Download the Certificate (Base64) .	Click to Upload the certificate from the Azure Portal.
Copy the Login URL .	Enter the URL as the Identity Provider SSO URL .
Select the
HTTP Binding for SSO Request to IdP
method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages (
HTTP Redirect
, which transmits SAML messages through URL parameters or
HTTP Post
, which transmits SAML messages using base64-encoded HTML).
Specify the
Maximum Clock Skew (seconds)
, which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
If you want to upload a metadata file, download the metadata file from your IdP management system.
In Azure Portal,
Download
the
Federation Metadata XML
and
Save
it to a secure location.
In the Cloud Identity Engine app,
Click to upload
the metadata file, then
Open
the metadata file.
If you want to use a URL to retrieve the metadata, copy the
App Federation Metadata Url
. Paste it in the profile and
Fetch
the metadata.
Palo Alto Networks recommends using this method to configure Azure as an IdP.

Select

Multi-factor Authentication is Enabled on the Identity Provider

if your Azure configuration uses multi-factor authentication (MFA).



To require users to log in using their credentials to reconnect to GlobalProtect, enable

Force Authentication

.



Test SAML setup

to verify the profile configuration.



This step is required to confirm that your firewall and IdP can communicate.

Select the SAML attributes you want the firewall to use for authentication and

Submit

the IdP profile.

In the Azure Portal,
Edit
the
User Attributes & Claims
.
In the Cloud Identity Engine app, enter the
Username Attribute
and optionally, the
Usergroup Attribute
,
Access Domain
,
User Domain
, and
Admin Role
, then
Submit
the profile.