Configure Custom SAML Role Mapping

Learn how to configure custom SAML role mapping to map third-party identity provider attribute values to Strata Cloud Manager roles.
  • You must have an identity federation configured and enabled.
  • You must have mapped the relevant tenants for authorization.
Custom SAML role mapping lets you assign Strata Cloud Manager roles to users based on attribute values from your third-party identity provider, such as group membership or memberOf attributes. Instead of configuring Strata Cloud Manager-specific access policy values in your third-party identity provider, you define the mapping directly within Strata Cloud Manager. When users authenticate, Strata Cloud Manager evaluates the SAML attribute values in their assertion and automatically assigns the corresponding roles.
  1. Select System Settings > Identity Federation > Federated Role Mapping.
  2. Select the tenant where you want to configure role mapping.
    Only those tenants that are mapped to Identity Federation for authorization will show up in the drop-down.
  3. Select Add Role Mapping.
  4. In the Attribute Value field, enter the value from your third-party identity provider that identifies the users to whom the role mapping applies.
    This value corresponds to a role or group name provided by your third-party identity provider through any of the supported SAML attributes: memberOf, strataCloudManagerRoles, or groups. When determining the roles to grant a user, Strata Cloud Manager evaluates the combined set of values from all three attributes (set union). For example, if your identity provider assigns users to a group named NetworkAdmins through any of these attributes, enter NetworkAdmins.
  5. Select the Role to assign to users whose SAML assertion contains the matching attribute value.
  6. Select the scope that defines where the role applies within your tenant hierarchy.
  7. Select Save.
    Users who authenticate with a matching attribute value in their SAML assertion automatically receive the assigned role and scope when they access Strata Cloud Manager.
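
The following added example (not Strata Cloud Manager code) models the evaluation described in step 4 so you can check which mappings an assertion would trigger. It shows that a value in any one of the three supported attributes is enough to match, so all three need to be controlled in your identity provider. The role names, scope names, sample assertion, and exact case-sensitive matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The three SAML attributes the page lists as supported for role mapping.
ROLE_ATTRIBUTES = ("memberOf", "strataCloudManagerRoles", "groups")

# Constructed mapping table: attribute value -> (role, scope); names are placeholders.
ROLE_MAPPINGS = {
    "NetworkAdmins": ("example-network-role", "example-scope-all"),
    "Auditors": ("example-view-only-role", "example-scope-emea"),
}

# Constructed assertion fragment; assumed to be already signature-validated.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>Helpdesk</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>NetworkAdmins</saml:AttributeValue>
    <saml:AttributeValue>Helpdesk</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="department">
    <saml:AttributeValue>Auditors</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

def collect_values(assertion_xml):
    """Union the values of the three role attributes: {value: {attribute names}}."""
    sources = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        if attr.get("Name") not in ROLE_ATTRIBUTES:
            continue  # other attributes (here: department) take no part in mapping
        for val in attr.iterfind("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if text:
                sources.setdefault(text, set()).add(attr.get("Name"))
    return sources

def resolve_roles(assertion_xml, mappings=ROLE_MAPPINGS):
    """Return (role, scope, matched value, source attributes) for each mapping hit."""
    sources = collect_values(assertion_xml)
    # Assumption: exact, case-sensitive comparison; the page does not specify this.
    return [(*mappings[v], v, sorted(sources[v]))
            for v in sorted(sources) if v in mappings]

if __name__ == "__main__":
    for role, scope, value, attrs in resolve_roles(SAMPLE_ASSERTION):
        print(f"{role} @ {scope}: matched {value!r} via {attrs}")
```

In the sample, the NetworkAdmins mapping matches through groups alone, while Auditors does not match because it arrives in an attribute outside the supported three.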