Common Services: Identity and Access
    : Manage Third-Party Identity Provider Integrations Through Common Services
    Focus
    Download PDF
    Focus
    1. Home
    2. Common Services
    3. Common Services: Identity and Access
    4. Manage Third-Party Identity Provider Integrations Through Common Services
    Download PDF

    Common Services: Identity and Access

    Manage Third-Party Identity Provider Integrations Through Common Services

    Table of Contents

    Manage Third-Party Identity Provider Integrations Through Common Services

    Learn how to manage Third-Party Identity Provider Integrations through Common Services, such as: adding, updating, and deleting SAML identity providers.
    Common Services: Identity and Access enables you to integrate and use a third-party identity provider (IdP) to manage access to supported applications and services, rather than adding users directly to the platform itself. This provide a seamless single sign-on (SSO) experience for your users.
    Enabling third-party IDP federation through Common Services: Identity and Access affects applications and sites that get redirected to sso.paloaltonetworks.com for single sign-on. For a full list of supported applications and services, see Who Can Use Identity and Access.
    • Add an Identity Federation to integrate with a third-party identity provider (IDP) to allow access to the platform, rather than adding users directly to the platform itself. Identity Federation enables users of different enterprises or domains to use the same digital identity to access all their applications.
    • After you add an identity federation, you can configure a Security Assertion Markup Language (SAML) provider in one of the following ways:
      SAML IDP-initiated flow is not supported for Strata Cloud Manager. Compared to SP-initiated SSO, IdP-Initiated SSO is less secure. It's susceptible to injected assertions, where an attacker steals a SAML assertion and injects it into the service provider.
    • After you add an identity federation, you can Add Additional Identity Federation Owners who can also manage the domain and the identity federation.
    • After adding identity federation owners, you can also Delete Identity Federation Owners who no longer need to manage the domain and the identity federation.
    • After you add an identity federation, you can Configure Palo Alto Networks as a Service Provider by downloading the service provider (SP) metadata from Common Services. The SP metadata helps you configure your identity provider integration with Palo Alto Networks as an SP, so that you don’t have to provide the details manually.
    • Delete an Identity Federation if you no longer need it.
    • If you want to grant authorization to your users by passing the login information through your Security Assertion Markup Language (SAML) provider, you can Map a Tenant for Authorization. By using the tenant mapping, you no longer have to add users and access directly through Common Services, but that option is still available.
    • After you map tenants for authorization, you can Update Tenant Mapping for Authorization if you need to make changes.
    • When assigning an access policy to a user or a service account (such as in mapping a tenant for SAML authorization purposes), the PAN Resource Name Mapping identifies the tenant or tenant service group (TSG) hierarchy where you are applying access policies.

    © 2025 Palo Alto Networks, Inc. All rights reserved.