Enterprise IoT Security Administrator’s Guide
    : Add Enterprise IoT Security Users
    Focus
    Download PDF
    Focus
    1. Home
    2. IoT
    3. Enterprise IoT Security Administrator’s Guide
    4. Get Started with Enterprise IoT Security
    5. Add Enterprise IoT Security Users
    Download PDF

    Enterprise IoT Security Administrator’s Guide

    Add Enterprise IoT Security Users

    Table of Contents

    Add Enterprise IoT Security Users

    Create Enterprise IoT Security users, assign user roles, and view users in the Enterprise IoT Security portal.
    When users log in to the Enterprise IoT Security portal using single sign-on (SSO), they go through a two-step process. In step 1, an SSO identity provider (IdP) authenticates users by verifying their credentials. In step 2, users are authorized and provided with a role to access Enterprise IoT Security.
    When users log in to the Enterprise IoT Security portal using Palo Alto Networks SSO, their credentials are verified against user accounts in the Customer Service Portal (CSP). Then their user role is assigned according to the Identity & Access section of the hub. User roles determine what they can see and do in the portal. These user roles are referred to as “externally managed user roles” in contrast to “internally managed user roles”, which are assigned in the Enterprise IoT Security portal and are described in a later section.
    In addition, Enterprise IoT Security also provides an option to verify users against an Active Directory (AD) authentication system through SSO. In this case, user accounts are in Active Directory, which verifies user credentials on behalf of Enterprise IoT Security. You can manage the role of a given user in two different ways, similar to the Palo Alto Networks SSO: (1) managed internally by Enterprise IoT Security or (2) managed externally by Active Directory.
    External roles are managed in the AD instead of the hub as done in the Palo Alto Networks SSO option.
    Because the user role can be managed in two different places, when users log in through an SSO, Enterprise IoT Security might find their external roles are different from their internal roles. In such cases, whichever role is higher takes precedence.
    Enterprise IoT Security supports role-based access control (RBAC) for administrative users. For information about user roles, see User Roles for IoT Security

    Authenticate Users with the Palo Alto Networks SSO and Manage User Roles in the Hub

    Enterprise IoT Security supports role-based access control (RBAC) through App Administrator, Instance Administrator, Owner, Administrator, and Read-only roles. Creating users for the Enterprise IoT Security application involves three steps:
    • Create a user account in the Customer Support Portal
    • Assign a user role in the hub
    • (For Administrator and Read-only users) Allow access to all sites or a subset of sites
    1. Log in to the Customer Support Portal with superuser permissions, which allow you to create new user accounts.
    2. Click
      Members
      Create New User
      , enter the required information, and then
      Submit
      .
      A new user account is created and added to the account as a member. An email notification is sent to the new user with login credentials.
    3. Log in to the hub.
    4. Click the gear icon in the upper right of the hub landing page and then
      Access Management
      .
    5. Expand the IoT Security section in the left panel, select the Enterprise IoT Security instance to which you want to assign the user, select the check box for the user account you just created, and then
      Assign Roles
      .
    6. Select
      IoT Security
       in the left panel to display the IoT Security role assignment window in the main panel.
    7. Choose one of the following roles from the Role drop-down list:
      App Administrator
      Instance Administrator
      Owner
      Administrator
      Read only
    8. For information about these user roles, click
      Role Definitions
      .
      To learn more about the App Administrator and Instance Administrator roles, which are common roles for all Palo Alto Networks apps and provide the same privileges in IoT Security as Owner, see Available Roles. To learn more about the Owner, Administrator, and Read only roles, which are specific to IoT Security, see User Roles for IoT Security.

    Authenticate Users with an Active Directory SSO and Manage User Roles in Active Directory

    1. Prepare the authentication system.
      Before you configure Enterprise IoT Security, prepare your Active Directory to communicate with it and export the identity provider (IdP) metadata file that Enterprise IoT Security will need to communicate with the IdP.
      1. Configure your IdP with the following URLs, replacing the
        tenant-id
        variable with your own tenant ID, which is the first part of your Enterprise IoT Security portal URL:
        https://tenant-id.iot.paloaltonetworks.com/login
        Depending on how you configure your IdP, either point it to the IoT Security metadata URL to retrieve all the necessary data or enter the information separately.
        • Assertion Consumer Service (ACS)
           – This is the destination to which the IdP sends authentication assertions in response to user authentication requests.
          https://tenant-id.iot.paloaltonetworks.com/v0.3/zauth/saml2_sso/acs
        • Entity ID
           – This is the URL that uniquely identifies the Zingbox SP.
          https://tenant-id.iot.paloaltonetworks.com/v0.3/zauth/saml2_sso/metadata
        • Palo Alto Networks Metadata
           – This file includes the ACS URL and entity ID plus other parameters such as its public Security Assertion Markup Language (SAML) 2.0 encryption key.
          https://tenant-id.iot.paloaltonetworks.com/v0.3/zauth/saml2_sso/metadata
        To see the URLs with your specific tenant ID, follow steps 1-2 in the next section and then copy the URLs in the Service Provider (SP) Configuration Details section.
      2. Either copy and save the URL where IoT Security can import the IdP metadata file from your SSO authentication system or download the file and save it in XML format. You will later import it to the Enterprise IoT Security portal.
    2. Prepare Enterprise IoT Security to use an externally managed SSO.
      1. Log in to the Enterprise IoT Security portal as an owner, navigate to
        Administration
        User Accounts
        , and then
        Manage SSO
        .
        Palo Alto Networks is the default SSO identity provider (IdP) that authenticates users accessing the Enterprise IoT Security portal and assigns user roles to them.
      2. To add a user-configured SSO,
        Add New SSO
        , and then enter the following in the Single Sign-on Configuration dialog box that appears:
        Name
        : Enter a name for the SSO. It can be up to 16 characters. This name will appear on the login page as shown in the Preview below.
        Logo (Optional)
        : Upload an image file to display next to the SSO name on the login page as shown in the Preview. The image file can be up to 2 MB and must be in .bmp, .jpg, or .png format.
        IdP Metadata
        : Either enter the URL of the IdP metadata file you copied and saved earlier or click
        Choose file
        , navigate to the XML file you exported from your authentication system, and select it.
      3. Validate the IdP metadata URL or uploaded file.
        Validating the IdP metadata URL activates the
        Save
         and
        Test
         buttons.
      4. Configure the following settings to identify AD user groups whose users you want Active Directory to authorize. If you leave them empty, Enterprise IoT Security authorizes them locally.
        Attribute to get AD Groups
        : Enter the attribute in the SAML 2.0 response that identifies user groups from Active Directory.
        AD Group Format
        : Select whether the attribute is formatted as
        Plain Text
         or
        Regular Expression
        . These are how Enterprise IoT Security maps AD user groups to IoT Security user roles.
        Plain Text
         identifies the user group with the exact value specified in
        Attribute to get AD Groups
        . For example, if
        AD Group Format
         is
        Plain Text
         and the
        AD Group
         is
        Hospital Administrator
        , then Enterprise IoT Security maps only users in the AD group named
        Hospital Administrator
         to the specified IoT Security role.
        Regular Expression
         identifies any user group that contains the value specified in
        Attribute to get AD Groups
        . For example, if
        AD Group Format
         is
        Regular Expression
         and the
        AD Group
         is
        OUI=Hospital*
        , then Enterprise IoT Security maps users in any AD group whose organizational unit identifier (OUI) includes
        Hospital
        —such as
        OUI=Hospital Administrator
         and
        OUI=Hospital NetSec
        —to one or more specified IoT Security roles.
        AD Group
         and
        User Role
        : Enter an Active Directory group name and then choose the IoT Security user role to map it to:
        Owner
        ,
        Administrator
        , or
        Read Only
        . Click
        +
         to add more AD group-to-user role mappings. You can create up to 50 mappings. A single AD group cannot map to multiple IoT Security user roles, but multiple AD groups can map to the same IoT Security user role.
        For information about the IoT Security user roles, see User Roles for IoT Security.
      5. Save
         the SSO configuration.
      6. Test
         the SSO configuration.
        Enterprise IoT Security opens a small window to log in using the authentication system.
      7. When done with the test, click
        Confirm
        .
      8. Enable
         the SSO configuration.
      9. After enabling the configuration, the
        Enable
         button changes to
        Disable and Edit
        .

    Authenticate Users with any SSO and Manage User Roles in the Enterprise IoT Security Portal

    User roles are set for user accounts in external SSO authentication systems—the Palo Alto Network SSO and customer-managed SSOs—but you can also log in to the Enterprise IoT Security portal with owner privileges and set other roles for administrators and read-only users. If the externally and internally managed roles are different, Enterprise IoT Security assigns the higher of the two. Therefore, only set user roles internally on Enterprise IoT Security that are higher than those set externally; otherwise, an internal role will never be assigned. The ranking of roles from highest to lowest is owner, administrator, read-only user.
    If user accounts in an external SSO don't have any externally managed roles defined, these users won't be able to log in to Enterprise IoT Security until a local user with owner privileges sets internally managed roles for them and invites them to log in to Enterprise IoT Security.
    1. Invite users who have an account on an external SSO but no externally managed role to access Enterprise IoT Security.
      Skip this step if users have an externally managed role that maps to a role in IoT Security.
      1. Log in to Enterprise IoT Security as a user with owner privileges, select
        Administration
        User Accounts
         and then click the
        Invite New User
         icon (
        +
         ) above the User Accounts table.
      2. Enter an email address, choose a role (
        Owner
        ,
        Administrator
        , or
        Read only
        ), specify which sites the user can access, and then
        Invite
        .
        IoT Security automatically generates an email with a login link and sends it to the user.
        The invitation is valid for 48 hours after it's sent.
        When the email recipient clicks a link in the email, he or she is directed to the login page. The user clicks the
        Log in with <sso-name>
         button to log in through SSO. After the user logs in, Enterprise IoT Security grants him or her access with the local role you specified.
      3. If you want to invite more users, repeat the previous steps for each one.
    2. View users, their externally managed roles, role providers, and internally managed roles and which sites they can access.
      You can see a list of users and their roles on the Access Management page in the hub and, if you’re logged in with owner privileges, on the User Accounts page (
      Administration
      User Accounts
      ) in the Enterprise IoT Security portal.
      Externally Managed Role
       and
      Role Provider
      : If Enterprise IoT Security applies the user role that’s set on the external SSO authentication system, the role appears in the Externally Managed Role column and the SSO name appears in the Role Provider column. If Enterprise IoT Security has an internally managed role for a user that’s the same as or higher than his or her externally managed role, it applies the internally managed role. In this case, these two columns are empty.
      Internally Managed Role
      : This column lists user roles defined in Enterprise IoT Security. It’s only empty if there isn’t a role defined internally.
      After you create a user account in the Customer Support Portal and hub, the account won't appear on the
      Administration
      User Accounts
       page in the Enterprise IoT Security portal until the user logs in to the Enterprise IoT Security portal.
    3. Assign a user with an internally managed role.
      1. When logged in to the Enterprise IoT Security portal with owner privileges, click
        Administration
        User Accounts
         and then click an entry for an administrator or read-only user in the Email (Username) column.
        The User Role & Access dialog box opens.
      2. Choose a different role from the User Role drop-down list. When there are different externally and internally managed roles for the same user, IoT Security applies the role with higher privileges. Therefore, when setting an internal role, choose one that is higher than the one assigned by an external SSO authentication system.
    4. Determine which sites an administrator or read-only user can access.
      By default, all users have access to all sites. To give the user access to a subset of sites, click the
      x
       in the All label and then select the names of the sites or site groups to which you want to permit access.
    5. When done,
      Save
       the configuration change.
      The next time the user logs in, he or she will only have the privileges of the internally managed role and access to devices and data for the selected sites.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.