Configure Azure as an IdP in the Cloud Identity Engine
Learn how to configure Azure as an identity provider (IdP) in the Cloud Identity Engine so that you can use it as an authentication type for user authentication.
- Download the Cloud Identity Engine integration in the Azure Portal.
- If you have not already done so, activate the Cloud Identity Engine app.
- In the Cloud Identity Engine app, select Authentication and SP Metadata, then Download SP Metadata. Save the metadata in a secure location.
- Log in to the Azure Portal and select Azure Active Directory. If you have more than one directory, Switch directory to select the directory you want to use with the Cloud Identity Engine. Make sure you complete all the necessary steps in the Azure portal.
- Select Enterprise applications and click New application.
- Add from the gallery, then enter Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and download the Azure AD single sign-on integration.
- After the application loads, select Users and groups, then Add user/group and Assign the users and groups that you want to authenticate through the Azure IdP in the Cloud Identity Engine. Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts before the test succeeds.
- Select Single sign-on, then select SAML.
- Upload Metadata File by browsing to the metadata file that you downloaded from the Cloud Identity Engine app, then click Add.
- After the metadata uploads, Save your configuration.
- (Optional) Edit your User Attributes & Claims to Add a new claim or Edit an existing claim. Do not use the test option in the Azure Admin Console at this point: it returns a 404 error, because Azure's test performs an IdP-initiated sign-on and the Cloud Identity Engine only supports authentication requests initiated by the service provider (SP-initiated SSO).
- Configure Azure AD for the Cloud Identity Engine.
- Select Single sign-on, then select SAML.
- Edit the Basic SAML Configuration settings.
- Upload metadata file and select the metadata file you downloaded from the Cloud Identity Engine in the first step.
- Enter your regional endpoint as the Sign-on URL using the following format: https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint). For more information on regional endpoints, see Configure Cloud Identity Engine Authentication on the Firewall or Panorama.
- Copy the App Federation Metadata Url and save it to a secure location. At this point in the process, you may see the option to Test sign-in. If you try to test the single sign-on configuration now, the test will not succeed. You test the configuration in step 8 (Test SAML setup) after you add the authentication type in the Cloud Identity Engine app.
- Add and assign users that you want to require to use Azure AD for authentication.
- Select Azure Active Directory, then select Users and All users.
- Create a New user and enter a Name and User name.
- Select Show password, copy the password to a secure location, and Create the user.
- In the Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service integration in the Azure Portal, select Users and groups.
- Add user, then select Users and groups.
- Add Azure as an authentication type in the Cloud Identity Engine app.
- Select Authentication Types and click Add New Authentication Type.
- Set Up a SAML 2.0 authentication type.
- Enter a Profile Name.
- Select Azure as your Identity Provider Vendor.
- Select the method you want to use to Add Metadata, then Submit the IdP profile.
- To enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
- Copy the necessary information from the Azure Portal and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

  | Copy or Download From Azure Portal | Enter in Cloud Identity Engine IdP Profile |
  | --- | --- |
  | Copy the Azure AD Identifier. | Enter it as the Identity Provider ID. |
  | Download the Certificate (Base64). | Click to Upload the certificate from the Azure Portal. |
  | Copy the Login URL. | Enter the URL as the Identity Provider SSO URL. |
- Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that the firewall and IdP use to exchange request and response messages: HTTP Redirect, which carries the SAML message (deflated and base64-encoded) in the URL query parameters, or HTTP Post, which carries the base64-encoded SAML message in a hidden field of an HTML form that the browser submits.
- Specify the Maximum Clock Skew (seconds), the allowed difference in seconds between the system times of the IdP and the firewall at the moment the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails. Keep the firewall and IdP clocks synchronized (for example with NTP) rather than raising this value; a larger tolerance also extends how long an expired assertion is still accepted.
- To upload a metadata file, download the metadata file from your IdP management system.
- In the Azure Portal, Download the Federation Metadata XML and Save it to a secure location.
- In the Cloud Identity Engine app, Click to upload the metadata file, then Open the metadata file.
- To use a URL to retrieve the metadata, copy the App Federation Metadata Url, paste it in the profile, and Fetch the metadata. Palo Alto Networks recommends this method for configuring Azure as an IdP.
- Select Multi-factor Authentication is Enabled on the Identity Provider if your Azure configuration uses multi-factor authentication (MFA).
- To require users to log in with their credentials when they reconnect to GlobalProtect, enable Force Authentication.
- Test SAML setup to verify the profile configuration. This step is required to confirm that your firewall and IdP can communicate.
- Select the SAML attributes you want the firewall to use for authentication, then Submit the IdP profile.
- In the Azure Portal, Edit the User Attributes & Claims.
- In the Cloud Identity Engine app, enter the Username Attribute and, optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role, then Submit the profile.
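The following script is an added example, not Palo Alto Networks or Microsoft code, that ties together two points from the procedure above: it reads an Azure AD Federation Metadata XML download and extracts the three values the manual IdP profile table asks for (Azure AD Identifier as Identity Provider ID, Login URL as Identity Provider SSO URL for the HTTP binding you selected, and the Base64 signing certificate), and it applies a Maximum Clock Skew tolerance to a SAML assertion's validity window. The metadata document is a constructed sample that follows the SAML 2.0 metadata schema; the tenant ID, the certificate bytes and the region hostname are placeholders, and the way the skew is applied (widening the NotBefore/NotOnOrAfter window on both edges) is the standard SAML check and an assumption about the firewall's behaviour, since the page only defines the setting.

```python
"""
Added example (not Palo Alto Networks or Microsoft code). Extracts the
values the Cloud Identity Engine IdP profile needs from an Azure AD
"Federation Metadata XML" file and checks an assertion's Conditions
window against the Maximum Clock Skew setting. All identifiers below
are constructed placeholders.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders: not a real tenant, not a real certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_CERT_B64 = base64.b64encode(b"not a real certificate").decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, handy for confirming the upload."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO URL per binding and signing-cert fingerprints.
    Rejects SP metadata (no IDPSSODescriptor): the procedure handles both an
    SP and an IdP metadata file, and uploading the wrong one is a common slip."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: is this the SP metadata file?")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append(cert_fingerprint(der))
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "sso": sso, "cert_sha256": certs}


def idp_profile_values(meta: dict, binding: str = HTTP_REDIRECT) -> dict:
    """Map parsed metadata onto the IdP profile fields, picking the SSO URL
    advertised for the HTTP binding selected in the profile."""
    if binding not in meta["sso"]:
        raise ValueError(f"IdP does not advertise binding {binding}")
    return {"Identity Provider ID": meta["entity_id"],
            "Identity Provider SSO URL": meta["sso"][binding],
            "Certificate SHA-256": meta["cert_sha256"][0]}


# Sign-on URL format from the procedure: https://<RegionUrl>.paloaltonetworks.com/sp/acs
ACS_URL_RE = re.compile(r"^https://[A-Za-z0-9.-]+\.paloaltonetworks\.com/sp/acs$")


def is_valid_sign_on_url(url: str) -> bool:
    return ACS_URL_RE.match(url) is not None


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def within_clock_skew(not_before: str, not_on_or_after: str,
                      now: str, max_skew_s: int = 60) -> bool:
    """Accept the assertion only if `now` lies inside the Conditions window
    widened by Maximum Clock Skew on both edges (assumed to mirror the
    firewall's check; the page defines the setting and its 1-900 range)."""
    if not 1 <= max_skew_s <= 900:
        raise ValueError("Maximum Clock Skew must be 1-900 seconds")
    skew = timedelta(seconds=max_skew_s)
    nb, noa, t = (parse_saml_time(v) for v in (not_before, not_on_or_after, now))
    return nb - skew <= t < noa + skew


if __name__ == "__main__":
    for field, value in idp_profile_values(parse_idp_metadata(SAMPLE_METADATA)).items():
        print(f"{field}: {value}")
```

Run it against the real Federation Metadata XML you downloaded in the procedure to get the three values to type into the profile, and compare the printed fingerprint with the certificate you uploaded. The skew check shows why 60 seconds is normally enough: an assertion whose window has closed is still accepted for exactly the skew you configure, so fixing clock drift is better than widening the window.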