Configure Entra ID SAML Integration for Authentication Only
Configure SAML integration where Microsoft Entra ID handles user authentication while roles and permissions are managed within the platform.
This section describes how to configure a Security Assertion Markup Language (SAML) integration where Microsoft Entra ID acts as the identity provider (IdP) and the SCM platform acts as the service provider (SP). In this setup, Entra ID handles authentication only: users sign in through Entra ID, but their roles and permissions are defined and managed in the platform, not in Entra ID.
  1. Add and verify your domain.
    This step proves that your organization owns the domain the identity federation will cover. You add the domain and verify ownership by publishing a DNS TXT record. Verification is required before an identity federation can be created and is the foundation for all subsequent SSO configuration.
    1. Use one of the various ways to access Common Services > Identity & Access.
    2. Select Identity & Access.
    3. Select Identity & Access/Access Management > Identity Federations > Add Identity Federation to add an identity federation.
    4. Add the Domain information for your enterprise.
      The domain can be at most 50 characters. Special characters other than "-" and "." are not allowed.
    5. Select Next.
    6. Follow the Instructions for Verification to add a DNS record within your domain name provider.
      1. Copy the TXT record from Common Services.
      2. Select Finish.
      3. Go to your domain provider's console and paste the TXT record, so that Palo Alto Networks can verify that you are an owner of the domain.
      4. (Optional) In the domain provider's console, lower the time to live (TTL) of the TXT record if you need a faster refresh rate. The TTL controls how long resolvers cache the record and therefore how long it can take for ownership of the identity federation to be verified.
    7. In Common Services, select Verify Now to verify ownership of the identity federation.
  2. Download the SAML metadata.
    After you add an identity federation, you can configure Palo Alto Networks as a service provider by downloading the service provider (SP) metadata from Common Services. The SP metadata helps you configure your identity provider integration with Palo Alto Networks as an SP, so that you don't have to provide the details manually.
    1. Use one of the various ways to access Common Services > Identity & Access.
    2. Select Identity & Access/Access Management > Identity Federations.
    3. Scroll to your identity federation and select Download SP Metadata.
    Save the metadata file in a secure location; you upload it to Entra ID in the next step. The file contains the SP Entity ID, the Assertion Consumer Service (ACS) URL to which Entra ID sends SAML assertions, the logout URL, and the SP certificate, so Entra ID can be configured without entering these values by hand.
  3. Create an enterprise application in Entra ID and configure it to use SAML for single sign-on.
    1. Log in to the Entra ID Portal with your Cloud Application Administrator or Application Administrator account.
    2. Select Enterprise applications.
    3. Create a new enterprise application, or select the existing application that you enabled for SAML authentication.
    4. In the enterprise application, go to Single sign-on > Set up Single Sign-On.
    5. Select SAML.
    6. On the SAML configuration page, click Upload metadata file and select the metadata file you downloaded in the previous step.
    7. After uploading the metadata, verify that the following fields are correctly populated in the Basic SAML Configuration section:
      • Identifier (Entity ID)—Should match the Entity ID from the metadata
      • Reply URL (ACS URL)—Should be the SAML assertion consumer service endpoint
      • Logout URL—Should be the logout endpoint
    8. If any field is incorrect, click Edit in the Basic SAML Configuration section and update the values to match the metadata.
  4. Create users and groups in Entra ID and assign the user group to the enterprise application. Assignment controls which Entra ID users can sign in to the platform; it does not grant any platform role, which you assign in the platform in step 7.
    1. In the Entra ID portal, open the enterprise application that you created.
    2. Add new users to the application.
    3. Create a new user group and assign users to the group.
    4. Assign the user group to the enterprise application.
  5. Configure SAML claims in Entra ID to pass user information during authentication.
    1. In the Entra ID portal, open the enterprise application you created and select Single sign-on > Attributes & Claims.
    2. Remove the default additional claims (the required Name ID claim remains) and add the following claims. The claim names must match exactly, because the platform reads them by name; the source attributes are the Entra ID user attributes for given name, surname and email.
      Claim name | Source attribute
      firstName  | user.givenname
      lastName   | user.surname
      email      | user.mail
    3. Click Save to apply all changes.
    4. Click Download next to Federation Metadata XML to download the Entra ID metadata file.
      Save the metadata file in a secure location. You need this file to upload to the platform.
  6. Upload the Entra ID metadata to complete the integration.
    1. Use one of the various ways to access Common Services > Identity & Access.
    2. Select Common Services > Identity & Access > Identity Federations.
    3. Select Configure Identity Provider.
    4. Select Upload Metadata and choose the file downloaded in the previous step.
    5. After the provider profile fields auto-populate, select Finish.
    6. The Configure Identity Provider button is replaced with the Login URL. Select Actions > Enable.
      The Login URL is the Entra ID endpoint to which Palo Alto Networks redirects users when they log in. The identity federation is disabled by default; users can sign in through Entra ID only after you enable it.
  7. Add users and assign roles in the platform.
    Add all the Entra ID users for whom you want to define access roles. Because this is an authentication-only setup, user roles and permissions are managed in the platform, not in Entra ID.
    Each user's email ID in the platform must exactly match the email claim that Entra ID sends for that user (the email claim configured in step 5), because the platform maps the authenticated identity to the platform user by email. A mismatch, including a difference in case, can prevent the identity mapping. Since the email claim is the mapping key, restrict who in Entra ID can edit users' email attributes.
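The procedure above can be pre-flighted from the two metadata files and one captured assertion. The following Python script is an added example, not Palo Alto Networks or Microsoft code: it parses SP metadata (step 2) to obtain the values Entra must show in Basic SAML Configuration (step 3.7), parses the Entra Federation Metadata XML (step 5) to obtain the Login URL and the IdP signing-certificate fingerprint (step 6), and checks a SAML attribute statement for the three claims and the exact email match that step 7 depends on. Every URL, entity ID, tenant ID, certificate body and user in it is a constructed placeholder, and `parse_sp_metadata`, `parse_idp_metadata`, `check_basic_saml_config` and `check_claims` are names chosen here.

```python
# Added example (not Palo Alto Networks or Microsoft code). All metadata, the
# assertion and the user list below are constructed placeholders. Stdlib only.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REQUIRED_CLAIMS = ("firstName", "lastName", "email")  # claim names from step 5

# Constructed SP metadata, shaped like the file downloaded in step 2.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.example.com/saml/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://sp.example.com/saml/logout"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.com/saml/acs" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata, shaped like Entra's Federation Metadata XML (step 5).
# Placeholder tenant ID; the certificate body is not a real X.509 certificate.
_FAKE_CERT = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{_FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed attribute statement, shaped like the claims Entra sends after step 5.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
 <saml:AttributeStatement>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>Ada.Lovelace@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def parse_sp_metadata(xml_text):
    """Values Entra's Basic SAML Configuration must show after the upload (step 3.7)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [s for s in sp.findall("md:AssertionConsumerService", NS) if s.get("Binding") == POST]
    slo = sp.find("md:SingleLogoutService", NS)
    return {"entity_id": root.get("entityID"),
            "acs_url": acs[0].get("Location"),
            "logout_url": None if slo is None else slo.get("Location")}


def parse_idp_metadata(xml_text):
    """Login URL and signing-certificate fingerprint from Entra's metadata (step 6)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert_b64 = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                        "ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert_b64.split()))
    # Record the fingerprint with the change: it identifies which Entra signing
    # certificate the platform now trusts and will change when Entra rotates it.
    return {"entity_id": root.get("entityID"),
            "login_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "signing_cert_sha256": hashlib.sha256(der).hexdigest()}


def check_basic_saml_config(entra_fields, sp):
    """Mismatches between the fields Entra populated (keyed by the step 3.7 labels)
    and the SP metadata. An empty list means the configuration is correct."""
    expected = {"Identifier (Entity ID)": sp["entity_id"],
                "Reply URL (ACS URL)": sp["acs_url"],
                "Logout URL": sp["logout_url"]}
    return [f"{label}: expected {want!r}, got {entra_fields.get(label)!r}"
            for label, want in expected.items() if entra_fields.get(label) != want]


def check_claims(assertion_xml, platform_users):
    """Check the step 5 claims and the step 7 email mapping for one assertion.
    Signature verification is assumed to have happened before this runs."""
    root = ET.fromstring(assertion_xml)
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
              for a in root.iterfind(".//saml:Attribute", NS)}
    email = claims.get("email", "")
    if email in platform_users:
        mapping = "exact"
    elif email.lower() in {u.lower() for u in platform_users}:
        mapping = "case-mismatch"  # exact match is required: correct the platform user's email
    else:
        mapping = "no-user"
    return {"missing_claims": [c for c in REQUIRED_CLAIMS if not claims.get(c)],
            "email": email, "mapping": mapping}


if __name__ == "__main__":
    sp, idp = parse_sp_metadata(SP_METADATA), parse_idp_metadata(IDP_METADATA)
    entra = {"Identifier (Entity ID)": sp["entity_id"], "Reply URL (ACS URL)": sp["acs_url"],
             "Logout URL": "https://sp.example.com/saml/logout-old"}  # deliberate mismatch
    print("Basic SAML Configuration mismatches:", check_basic_saml_config(entra, sp))
    print("Login URL expected in Common Services:", idp["login_url"], idp["signing_cert_sha256"])
    print("Claim check:", check_claims(ASSERTION, ["ada.lovelace@example.com"]))
```

Replace the three constructed strings with the real SP metadata, the downloaded Entra Federation Metadata XML, and a decoded SAMLResponse captured from a test login; the Basic SAML Configuration values are then typed from the Entra portal into `entra` rather than copied from the metadata, so the script catches the edit mistakes step 3.8 warns about. Because identity mapping is by email only, the `case-mismatch` result is the one to watch for in step 7: the platform user must be created with the email exactly as Entra ID sends it.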