Configure Azure as an IdP in the Cloud Identity Engine

Learn how to configure Azure as an identity provider in the Cloud Identity Engine to use in an Authentication profile for user authentication.
  1. Download the Cloud Identity Engine integration in the Azure Portal.
    1. If you have not already done so, activate the Cloud Identity Engine app.
    2. In the Cloud Identity Engine app, select
      Authentication
      SP Metadata
      Download SP Metadata
      and
      Save
      the metadata in a secure location.
    3. Log in to the Azure Portal and select
      Azure Active Directory
      .
      Make sure you complete all the necessary steps in the Azure portal.
      If you have more than one directory,
      Switch directory
      to select the directory you want to use with the Cloud Identity Engine.
    4. Select
      Enterprise applications
      and click
      New application
      .
    5. Add from the gallery
      then enter
      Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service
      and download the Azure AD single-sign on integration.
    6. After the application loads, select
      Users and groups
      , then
      Add user/group
      to
      Assign
      them to this application.
      Select the users and groups you want to have use the Azure IdP in the Cloud Identity Engine for authentication.
      Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
    7. Select
      Single sign-on
      then select
      SAML
      .
    8. Upload Metadata File
      by browsing to the metadata file that you downloaded from the Cloud Identity Engine app and click
      Add
      .
    9. After the metadata uploads,
      Save
      your configuration.
    10. (Optional)
      Edit
      your
      User Attributes & Claims
      to
      Add a new claim
      or
      Edit
      an existing claim.
      If you attempt to test the configuration on the Azure Admin Console, a 404 error displays because the test is triggered by the IdP and the Cloud Identity Engine supports authentication requests initiated by the service provider.
  2. Configure Azure AD for the Cloud Identity Engine.
    1. Select
      single sign-on
      then select
      SAML
      .
    2. Edit
      the
      Basic SAML Configuration
      settings.
    3. Upload metadata file
      and select the metadata file you downloaded from the Cloud Identity Engine in the first step.
    4. Enter your regional endpoint as the
      Sign-on URL
      using the following format:
      https://
      <RegionUrl>
      .paloaltonetworks.com/sp/acs
      (where
      <RegionUrl>
      is your regional endpoint). For more information on regional endpoints, see Configure the Cloud Identity Engine in an Authentication Profile.
    5. Copy
      the
      App Federation Metadata Url
      and save it to a secure location.
  3. Add and assign users that you want to require to use Azure AD for authentication.
    1. Select
      Azure Active Directory
      then select
      Users
      All users
      .
    2. Create a
      New user
      and enter a
      Name
      ,
      User name
      .
    3. Select
      Show password
      , copy the password to a secure location, and
      Create
      the user.
    4. In the
      Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service
      integration in the Azure Portal, select
      Users and groups
      .
    5. Add user
      then select
      Users and groups
      .
  4. Add an IdP Provider profile in the Cloud Identity Engine app.
    1. Select
      Authentication
      Identity Providers
      .
    2. Click
      Add IDP Provider
      .
    3. Enter a
      Profile Name
      .
    4. Select
      Azure
      as your
      IdP Vendor
      .
  5. Select the method you want to use to
    Add Metadata
    and
    Submit
    the IdP profile.
    • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
      1. Copy the necessary information from the Azure Portal and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
        Copy or Download From Azure Portal
        Enter in Cloud Identity Engine IdP Profile
        Copy the
        Azure AD Identifier
        .
        Enter it as the
        Identity Provider ID
        .
        Download
        the
        Certificate (Base64)
        .
        Click to Upload
        the certificate from the Azure Portal.
        Copy the
        Login URL
        .
        Enter the URL as the
        Identity Provider SSO URL
        .
      2. Select the
        HTTP Binding for SSO Request to IdP
        method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages (
        HTTP Redirect
        , which transmits SAML messages through URL parameters or
        HTTP Post
        , which transmits SAML messages using base64-encoded HTML).
      3. Specify the
        Maximum Clock Skew (seconds)
        , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    • If you want to upload a metadata file, download the metadata file from your IdP management system.
      1. In Azure Portal,
        Download
        the
        Federation Metadata XML
        and
        Save
        it to a secure location.
      2. In the Cloud Identity Engine app,
        Click to upload
        the metadata file, then
        Open
        the metadata file.
    • If you want to use a URL to retrieve the metadata, copy the
      App Federation Metadata Url
      . Paste it in the profile and
      Fetch
      the metadata.
      Palo Alto Networks recommends using this method to configure Azure as an IdP.
  6. Test SAML setup
    to verify the profile configuration.
    This step is required to confirm that your firewall and IdP can communicate.
  7. Select
    MFA is enabled on the IDP
    .
  8. Select the SAML attributes you want the firewall to use for authentication and
    Submit
    the IdP profile.
    1. In the Azure Portal,
      Edit
      the
      User Attributes & Claims
      .
    2. In the Cloud Identity Engine app, enter the
      Username Attribute
      and optionally, the
      Usergroup Attribute
      ,
      Access Domain
      ,
      User Domain
      , and
      Admin Role
      , then
      Submit
      the profile.

Recommended For You