Integrate Single Sign-on

You can integrate your organization’s SSO login flow with your Palo Alto Networks Customer Support Portal (CSP) account for your Azure Cloud NGFW subscription.

Enable Third Party Identity Provider (IDP)

Enabling a third-party identity provider (IDP) in the Customer Support Portal (CSP) allows you to log in to the CSP using your own corporate login credentials. Because you set up IDP at the domain level, members within the domain can log in to multiple CSP accounts using corporate SSO login credentials. However, domain administrator accounts must continue to use Palo Alto Networks login credentials.
To enable third party IDP for your domain:
  • You must have the domain administrator role in the CSP to configure third-party IDP access for your account.
  • You must have administrator access on the identity provider to update the SSO configuration details provided by Palo Alto Networks.
  • You need one non-domain administrator account for verification.
  1. Log into the Azure Portal and search for Active Directory.
  2. In Active Directory, select Enterprise Application and select New Application.
  3. Enter the name for your SSO application (for example, panorama-sso) and click Create.
  4. In the Create your own application window, select Integrate any other application you don't find in the gallery (Non-gallery).
  5. Click Create.
  6. In the Manage section, click Single sign-on.
  7. Select the SAML single sign-on method. The SAML-based sign-on page contains information you need to link your new SSO enterprise application to your Palo Alto Networks CSP account.
  8. In the SAML-based sign-on page, scroll down to locate URLs in the Set up [your SSO application name] section. Copy the Azure AD Identifier.
  9. Log in to the CSP.
  10. In the CSP, select Account Management > Account Details.
  11. In the SSO section, click View Single Sign-On settings for your domain.
  12. In Accounts Configuration, paste the copied Azure AD Identifier from step 8 into the Identifier Provider ID field.
  13. Return to the SAML-based Sign-on screen in the Azure portal. Scroll down to locate URLs in the Set up [your SSO application name] section. Copy the Login URL.
  14. Return to the Accounts Configuration page in the CSP. Paste the copied Login URL (from the previous step) into the Identity Provider SSO Service URL field.
  15. Use the same Identity Provider SSO Service URL address for the Identity Provider Destination URL field.
  16. Return to the SAML-based Sign-on screen in the Azure portal. Scroll down to locate the SAML Certificates section.
  17. In the SAML Certificates section, download the Certificate (Base64).
  18. Return to the Account Management > Account Details page in the CSP. Paste the downloaded certificate (from the previous step) into the Identity Provider Certificate field.
  19. The Accounts Configuration page changes to display Palo Alto Service Provider Information. Copy the Entity ID URL.
  20. Return to the SAML-based Sign-on screen in the Azure portal.
  21. In the Basic SAML Configuration screen, click Edit.
  22. In the Identifier (Entity ID) field, click Add Identifier.
  23. Paste the Palo Alto Networks Entity ID (from step 19) into the Identifier field.
  24. Return to the Account Management > Account Details page in the CSP. Copy the ACS URL.
  25. Return to the SAML-based Sign-on screen in the Azure portal.
  26. In the Basic SAML Configuration screen, click Edit.
  27. Enter the ACS URL (copied from step 24) into the Reply URL (Assertion Consumer Service URL).
  28. Return to the CSP Accounts Configuration page. Use the toggle button to Enable Identity Provider.
  29. Click Save.
  30. Return to the Azure Portal. In the Manage section of your SSO application, click Users and groups.
  31. Use the Add user/group option to enable use of SSO login for each specified user.

Verify SSO Login

After enabling the identity provider, all users (except domain administrators) are forced to log in using SSO. To verify that SSO login is set up properly:
  • Provide an email address on the login page. Do not use domain administrator login credentials.
  • Verify that you’re redirected to the IDP login page for authentication.
  • After authentication, the Palo Alto Networks Customer Support Portal page appears.

Integrate SSO with CSP for a non-domain user using Azure Marketplace

To integrate a user with a CSP account using Azure Marketplace:
  1. Log in to your Azure account.
  2. In Azure Services, select Cloud NGFWs by Palo Alto Networks.
  3. Select the firewall that you want to integrate with your CSP account.
  4. In the Support + troubleshooting section, click New Support Request. The Palo Alto Networks Support screen appears, displaying the Tenant ID and the Product serial number.
  5. Click Register User account and create a case at Customer Support Portal.
  6. On the Create New Account / Use Existing Account page, enter your email address and complete the authentication steps, then click Next.
  7. In the Device Registration section, select the Cloud Marketplace subscription from the drop-down menu. For example, Azure Cloud NGFW.
  8. Enter the Tenant ID and Serial Number for your Azure Marketplace subscription. You can copy this information from the Palo Alto Support page from step 4. Click Next.
  9. Enter the Authentication code that was sent to your email address. Click Next.
  10. After authenticating using SSO, the CSP login page appears. Enter your email address and click Next.

Integrate SSO with CSP for a domain user using Azure Marketplace

To integrate a domain user with a CSP account using Azure Marketplace, you’ll need your Palo Alto Networks login credentials:
  1. Log in to your Azure account using domain user credentials.
  2. In Azure Services, select Cloud NGFWs by Palo Alto Networks.
  3. Select the firewall that you want to integrate with your CSP account.
  4. In the Support + troubleshooting section, click New Support Request. The Palo Alto Networks Support screen appears, displaying the Tenant ID and the Product serial number.
  5. Click Register User account and create a case at Customer Support Portal.
  6. On the Create New Account / Use Existing Account page, enter your email address and complete the authentication steps, then click Next.
  7. In the Device Registration section, select the Cloud Marketplace subscription from the drop-down menu. For example, Azure Cloud NGFW.
  8. Enter the Tenant ID and Serial Number for your Azure Marketplace subscription. You can copy this information from the Palo Alto Support page from step 4. Click Next.
  9. Enter the Authentication code that was sent to your email address. Click Next.
  10. After authenticating using SSO, the CSP login page appears. Enter your email address and click Next.
