Integrate Single Sign-on
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Integrate Single Sign-on
Integrate your organization’s SSO login flow with your Palo Alto Networks Customer
Support Portal (CSP) account for your Azure Cloud NGFW subscription.
You can integrate your organization’s SSO login flow with your Palo Alto Networks
Customer Support Portal (CSP) account for your Azure
Cloud NGFW subscription.
Enable Third Party Identity Provider (IDP)
Enabling a third party identity provider (IDP) in the Customer Support Portal
(CSP) allows you to log into the Palo Alto Networks Customer Support Portal
(CSP) using your own corporate login credentials. Because you set up IDP at the
domain level, members within the domain can log into multiple CSP accounts using
corporate SSO login credentials. However, domain administrator accounts
must continue to use Palo Alto Networks login credentials.
To enable third party IDP for your domain:
- You must have the domain administrator role in the CSP to configure third-party IDP access for your account.
- You must have administrator access on the identity provider to update the SSO configuration details provided by Palo Alto Networks.
- You need one non-domain administrator account for verification.
- Log into the Azure Portal and search for Active Directory.In Active Directory, select Enterprise Application and select New Application.Enter the name for your SSO application (for example, panorama-sso) and click Create.In the Create your own application window, select Integrate any other application you don't find in the gallery (Non-gallery).Click Create.In the Manage section, click Single sign-on.Select the SAML single sign-on method. The SAML-based sign-on page contains information you need to link your new SSO enterprise application to your Palo Alto Networks CSP account.In the SAML-based sign-on page, scroll down to locate URLs in the Set up [your SSO application name] section. Copy the Azure AD Identifier .Login to the CSP.In the CSP, select Account Management > Account Details.In the SSO section, click View Single Sign-On settings for your domain.In Accounts Configuration, paste the copied Azure AD identifier from step 8 into the Identifier Provider ID field.Return to the SAML-based Sign-on screen in the Azure portal. Scroll down to locate URLs in the Set up [your SSO application name] section. Copy the Login URL.Return to the Accounts Configuration page in the CSP. Paste the copied Login URL (from the previous step) into the Identity Provider SSO Service URL field.Use the same Identity Provider SSO Service URL address for the Identity Provider Destination URL field.Return to the SAML-based Sign-on screen in the Azure portal. Scroll down to locate the SAML Certificates section.In the SAML Certificates section, download the Certificate (Base64).Return to the Account Management > Account Details page in the CSP. Paste the downloaded certificate (from the previous step) into the Identity Provider Certificate field.The Accounts Configuration page changes to display Palo Alto Service Provider Information. Copy the Entity ID URL.Return to the SAML-based Sign-on screen in the Azure portal.In the Basic SAML Configuration screen, click Edit.In the Identifier (Entity ID) field, click Add Identifier.Paste the Palo Alto Networks Entity ID (from step 21) into the Identifier field.Return to the Account Management > Account Details page in the CSP. Copy the ACS URL.Return to the SAML-based Sign-on screen in the Azure portal.In the Basic SAML Configuration screen, click Edit.Enter the ACS URL (copied from step 24) into the Reply URL (Assertion Consumer Service URL).Return to the CSP Accounts Configuration page. Use the toggle button to Enable Identity Provider.Click Save.Return to the Azure Portal. In the Manage section of your SSO application, click Users and groups.Use the Add user/group option to enable use of SSO login for each specified user.
Verify SSO Login
After enabling the identity provider, all users (except domain administrators) are forced to login using SSO. To verify that SSO login is setup properly:- Provide an email address on the login page. Do not use domain administrator login credentials.
- Verify that you’re redirected to the IDP login page for authentication.
- After authentication, the Palo Alto Networks Customer Support Portal page appears.
Integrate SSO with CSP for a non-domain user using Azure Marketplace
To integrate a user with a CSP account using Azure Marketplace:- Login to your Azure account.In Azure Services, select Cloud NGFWs by Palo Alto Networks.Select the firewall that you want to integrate with your CSP account.In the Support + troubleshooting section, click New Support Request. The Palo Alto Networks Support screen appears, displaying the Tenant ID and the Product serial number.Click Register User account and create a case at Customer Support Portal.On the Create New Account / Use Existing Account page, enter your email address and complete the authentication steps, then click Next.In the Device Registration section, select the Cloud Marketplace subscription from the drop-down menu. For example, Azure Cloud NGFW.Enter the Tenant ID and Serial Number for your Azure Marketplace subscription. You can copy this information from the Palo Alto Support page from Step 4. Click Next.Enter the Authentication code that was sent to your email address. Click Next.After authenticating using SSO, the CSP login page appears. Enter your email address and click Next.
Integrate SSO with CSP for a domain user using Azure Marketplace
To integrate a domain user with a CSP account using Azure Marketplace you’ll need your Palo Alto Networks login credentials:- Login to your Azure account using domain user credentials.In Azure Services, select Cloud NGFWs by Palo Alto Networks.Select the firewall that you want to integrate with your CSP account.In the Support + troubleshooting section, click New Support Request. The Palo Alto Networks Support screen appears, displaying the Tenant ID and the Product serial numberClick Register User account and create a case at Customer Support Portal.On the Create New Account / Use Existing Account page, enter your email address and complete the authentication steps, then click Next.In the Device Registration section, select the Cloud Marketplace subscription from the drop-down menu. For example, Azure Cloud NGFW.Enter the Tenant ID and Serial Number for your Azure Marketplace subscription. You can copy this information from the Palo Alto Support page from Step 4. Click Next.Enter the Authentication code that was sent to your email address. Click Next.After authenticating using SSO, the CSP login page appears. Enter your email address and click Next.