Create IoT Security Users
Create IoT Security users, assign user roles, and view users in the IoT Security portal.

When users log in to the IoT Security portal using single sign-on (SSO), they go through a two-step process. In step 1, an SSO identity provider (IdP) authenticates users by verifying their credentials. In step 2, users are authorized and provided with a role to access IoT Security.

When users log in to the IoT Security portal using Palo Alto Networks SSO, their credentials are verified against user accounts in the Customer Service Portal (CSP). Then their user role is assigned according to the Identity & Access section of the hub. User roles determine what they can see and do in the portal. These user roles are referred to as "externally managed user roles" in contrast to "internally managed user roles", which are assigned in the IoT Security portal and are described in a later section.

In addition, IoT Security also provides an option to verify users against an Active Directory (AD) authentication system through SSO. In this case, user accounts are in Active Directory, which verifies user credentials on behalf of IoT Security. You can manage the role of a given user in two different ways, similar to the Palo Alto Networks SSO: (1) managed internally by IoT Security or (2) managed externally by Active Directory. External roles are managed in AD instead of in the hub, as is done in the Palo Alto Networks SSO option.

Because the user role can be managed in two different places, when users log in through an SSO, IoT Security might find their external roles are different from their internal roles. In such cases, whichever role is higher takes precedence.

Authenticate Users with the Palo Alto Networks SSO and Manage User Roles in the Hub
IoT Security supports role-based access control (RBAC) through App Administrator, Instance Administrator, Owner, Administrator, and Read-only roles. Creating users for the IoT Security application involves three steps:

1. Create a user account in the Customer Support Portal.
   1. Log in to the Customer Support Portal with superuser permissions, which allow you to create new user accounts.
   2. Click Members > Create New User, enter the required information, and then Submit.
      A new user account is created and added to the account as a member. An email notification is sent to the new user with login credentials.
2. Assign a user role in the hub.
   1. Log in to the hub.
   2. Click the gear icon in the upper right of the hub landing page and then Access Management.
   3. Expand the IoT Security section in the left panel, select the IoT Security instance to which you want to assign the user, select the check box for the user account you just created, and then Assign Roles.
   4. Select IoT Security in the left panel to display the IoT Security role assignment window in the main panel.
   5. Choose one of the following roles from the Role drop-down list: App Administrator, Instance Administrator, Owner, Administrator, Read only.
      For information about these user roles, click Role Definitions. To learn more about the App Administrator and Instance Administrator roles, which are common roles for all Palo Alto Networks apps and provide the same privileges in IoT Security as Owner, see Available Roles. To learn more about the Owner, Administrator, and Read only roles, which are specific to IoT Security, see User Roles for IoT Security.
3. (For Administrator and Read-only users) Allow access to all sites or a subset of sites.
Authenticate Users with an Active Directory SSO and Manage User Roles in Active Directory

1. Prepare the authentication system.
   Before you configure IoT Security, prepare your Active Directory to communicate with it and export the identity provider (IdP) metadata file that IoT Security will need to communicate with the IdP.
   1. Configure your IdP with the following URLs, replacing the tenant-id variable with your own tenant ID, which is the first part of your IoT Security portal URL: https://tenant-id.iot.paloaltonetworks.com/login
      Depending on how you configure your IdP, either point it to the IoT Security metadata URL to retrieve all the necessary data or enter the information separately.
      - Assertion Consumer Service (ACS) – This is the destination to which the IdP sends authentication assertions in response to user authentication requests.
        https://tenant-id.iot.paloaltonetworks.com/v0.3/zauth/saml2_sso/acs
      - Entity ID – This is the URL that uniquely identifies the Zingbox SP.
        https://tenant-id.iot.paloaltonetworks.com/v0.3/zauth/saml2_sso/metadata
      - Palo Alto Networks Metadata – This file includes the ACS URL and entity ID plus other parameters such as its public Security Assertion Markup Language (SAML) 2.0 encryption key.
        https://tenant-id.iot.paloaltonetworks.com/v0.3/zauth/saml2_sso/metadata
      To see the URLs with your specific tenant ID, follow steps 1-2 in the next section and then copy the URLs in the Service Provider (SP) Configuration Details section.
   2. Either copy and save the URL where IoT Security can import the IdP metadata file from your SSO authentication system or download the file and save it in XML format. You will later import it to the IoT Security portal.
2. Prepare IoT Security to use an externally managed SSO.
   1. Log in to the IoT Security portal as an owner, navigate to Administration > User Accounts, and then Manage SSO.
      Palo Alto Networks is the default SSO identity provider (IdP) that authenticates users accessing the IoT Security portal and assigns user roles to them.
   2. To add a user-configured SSO, Add New SSO, and then enter the following in the Single Sign-on Configuration dialog box that appears:
      - Name: Enter a name for the SSO. It can be up to 16 characters. This name will appear on the login page as shown in the Preview below.
      - Logo (Optional): Upload an image file to display next to the SSO name on the login page as shown in the Preview. The image file can be up to 2 MB and must be in .bmp, .jpg, or .png format.
      - IdP Metadata: Either enter the URL of the IdP metadata file you copied and saved earlier or click Choose file, navigate to the XML file you exported from your authentication system, and select it.
   3. Validate the IdP metadata URL or uploaded file.
      Validating the IdP metadata URL activates the Save and Test buttons.
   4. Configure the following settings to identify AD user groups whose users you want Active Directory to authorize. If you leave them empty, IoT Security authorizes them locally.
      - Attribute to get AD Groups: Enter the attribute in the SAML 2.0 response that identifies user groups from Active Directory.
      - AD Group Format: Select whether the attribute is formatted as Plain Text or Regular Expression. These are how IoT Security maps AD user groups to IoT Security user roles.
        Plain Text identifies the user group with the exact value specified in Attribute to get AD Groups. For example, if AD Group Format is Plain Text and the AD Group is Hospital Administrator, then IoT Security maps only users in the AD group named Hospital Administrator to the specified IoT Security role.
        Regular Expression identifies any user group that contains the value specified in Attribute to get AD Groups. For example, if AD Group Format is Regular Expression and the AD Group is OUI=Hospital*, then IoT Security maps users in any AD group whose organizational unit identifier (OUI) includes Hospital—such as OUI=Hospital Administrator and OUI=Hospital NetSec—to one or more specified IoT Security roles.
      - AD Group and User Role: Enter an Active Directory group name and then choose the IoT Security user role to map it to: Owner, Administrator, or Read Only. Click + to add more AD group-to-user role mappings. You can create up to 50 mappings. A single AD group cannot map to multiple IoT Security user roles, but multiple AD groups can map to the same IoT Security user role.
        For information about the IoT Security user roles, see User Roles for IoT Security.
   5. Save the SSO configuration.
   6. Test the SSO configuration.
      IoT Security opens a small window to log in using the authentication system.
   7. When done with the test, click Confirm.
   8. Enable the SSO configuration.
      After enabling the configuration, the Enable button changes to Disable and Edit.
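Before the IdP metadata file is uploaded at the Validate the IdP metadata step, it is worth checking locally that it really is IdP metadata (an EntityDescriptor carrying an IDPSSODescriptor), that it advertises an HTTPS SingleSignOnService endpoint, and that it contains a signing certificate, since without one the service provider cannot verify the SAML assertions that arrive at the ACS URL. The following is an added example, not Palo Alto Networks code: it derives the service-provider URLs from the tenant-id pattern given above and runs those checks over a constructed AD FS-style metadata document; the entityID and endpoint hostnames are invented sample values.

```python
"""Pre-import sanity check of an IdP metadata file for the IoT Security SSO
configuration described above. Added example, not Palo Alto Networks code.
The sample metadata below is constructed; real files come from the IdP."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Web-browser SSO profile bindings an SP-initiated login can use.
SUPPORTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def sp_urls(tenant_id: str) -> dict:
    """Service-provider URLs from the page, with tenant-id substituted."""
    base = f"https://{tenant_id}.iot.paloaltonetworks.com"
    return {
        "login": f"{base}/login",
        "acs": f"{base}/v0.3/zauth/saml2_sso/acs",
        "entity_id": f"{base}/v0.3/zauth/saml2_sso/metadata",
        "metadata": f"{base}/v0.3/zauth/saml2_sso/metadata",
    }


@dataclass
class IdpMetadata:
    entity_id: str
    sso_endpoints: dict          # binding URN -> Location
    signing_certs: int
    problems: list = field(default_factory=list)


def check_idp_metadata(xml_text: str) -> IdpMetadata:
    """Parse IdP metadata and collect problems that would make the SSO
    configuration fail or leave assertions unverifiable."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    result = IdpMetadata(entity_id=entity_id, sso_endpoints={}, signing_certs=0)
    if not entity_id:
        result.problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result.problems.append("no IDPSSODescriptor: this is not IdP metadata")
        return result
    for sso in idp.findall("md:SingleSignOnService", NS):
        result.sso_endpoints[sso.get("Binding")] = sso.get("Location")
    if not SUPPORTED_BINDINGS & set(result.sso_endpoints):
        result.problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for loc in result.sso_endpoints.values():
        if not loc or not loc.startswith("https://"):
            result.problems.append(f"SSO endpoint is not https: {loc!r}")
    for kd in idp.findall("md:KeyDescriptor", NS):
        # An absent 'use' attribute means the key serves signing and encryption.
        use = kd.get("use")
        if use in (None, "signing") and kd.find(".//ds:X509Certificate", NS) is not None:
            result.signing_certs += 1
    if result.signing_certs == 0:
        result.problems.append("no signing certificate: assertions cannot be verified")
    return result


# Constructed sample in the shape AD FS exports; not a real IdP.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    print(sp_urls("tenant-id"))
    report = check_idp_metadata(SAMPLE_IDP_METADATA)
    print(report.entity_id, report.sso_endpoints, report.signing_certs)
    print("problems:", report.problems or "none")
```

The check is deliberately limited to structure: it does not validate the certificate or the XML signature on the metadata itself, so fetch the metadata over HTTPS from the IdP (or import the exported file) rather than trusting a copy that arrived by other means.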
Authenticate Users with any SSO and Manage User Roles in the IoT Security Portal

User roles are set for user accounts in external SSO authentication systems—the Palo Alto Networks SSO and customer-managed SSOs—but you can also log in to the IoT Security portal with owner privileges and set other roles for administrators and read-only users. If the externally and internally managed roles are different, IoT Security assigns the higher of the two. Therefore, only set user roles internally on IoT Security that are higher than those set externally; otherwise, an internal role will never be assigned. The ranking of roles from highest to lowest is owner, administrator, read-only user.

If user accounts in an external SSO don't have any externally managed roles defined, these users won't be able to log in to IoT Security until a local user with owner privileges sets internally managed roles for them and invites them to log in to IoT Security.

1. Invite users who have an account on an external SSO but no externally managed role to access IoT Security.
   Skip this step if users have an externally managed role that maps to a role in IoT Security.
   1. Log in to IoT Security as a user with owner privileges, select Administration > User Accounts, and then click the Invite New User icon (+) above the User Accounts table.
   2. Enter an email address, choose a role (Owner, Administrator, or Read only), specify which sites the user can access, and then Invite.
      IoT Security automatically generates an email with a login link and sends it to the user. The invitation is valid for 48 hours after it's sent.
      When the email recipient clicks a link in the email, he or she is directed to the login page. The user clicks the Log in with <sso-name> button to log in through SSO. After the user logs in, IoT Security grants him or her access with the local role you specified.
   3. If you want to invite more users, repeat the previous steps for each one.
2. View users, their externally managed roles, role providers, and internally managed roles, and which sites they can access.
   You can see a list of users and their roles on the Access Management page in the hub and, if you're logged in with owner privileges, on the User Accounts page (Administration > User Accounts) in the IoT Security portal.
   - Externally Managed Role and Role Provider: If IoT Security applies the user role that's set on the external SSO authentication system, the role appears in the Externally Managed Role column and the SSO name appears in the Role Provider column. If IoT Security has an internally managed role for a user that's the same as or higher than his or her externally managed role, it applies the internally managed role. In this case, these two columns are empty.
   - Internally Managed Role: This column lists user roles defined in IoT Security. It's only empty if there isn't a role defined internally.
   After you create a user account in the Customer Support Portal and hub, the account won't appear on the Administration > User Accounts page in the IoT Security portal until the user logs in to the IoT Security portal.
3. Assign an internally managed role to a user.
   1. When logged in to the IoT Security portal with owner privileges, click Administration > User Accounts and then click an entry for an administrator or read-only user in the Email (Username) column.
      The User Role & Access dialog box opens.
   2. Choose a different role from the User Role drop-down list. When there are different externally and internally managed roles for the same user, IoT Security applies the role with higher privileges. Therefore, when setting an internal role, choose one that is higher than the one assigned by an external SSO authentication system.
   3. Determine which sites an administrator or read-only user can access.
      By default, all users have access to all sites. To give the user access to a subset of sites, click the x in the All label and then select the names of the sites or site groups to which you want to permit access. For information about site groups and how to use them to control what data users can access, see Sites and Site Groups.
   4. When done, Save the configuration change.
      The next time the user logs in, he or she will only have the privileges of the internally managed role and access to devices and data for the selected sites.
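The two role decisions this page describes, mapping AD groups from the SAML response to an IoT Security role under the Plain Text or Regular Expression AD Group Format (in the Active Directory SSO section), and resolving an externally managed role against an internally managed one where the higher role wins (this section), are easy to get wrong in the direction of granting more than intended. The following is an added example, not Palo Alto Networks code, that models both decisions so an administrator can dry-run a planned mapping table and check that a planned internal role will actually be applied. The group attribute name, the group names, and the mapping table are constructed sample values; the exact regular-expression semantics of the portal are assumed to be an unanchored search, which is the reading the page's "contains the value" wording suggests.

```python
"""Dry-run of IoT Security role mapping and precedence as described on the page.
Added example, not Palo Alto Networks code; group names and attribute are
constructed, and 'contains the value' is modelled as an unanchored regex search."""
import re
from dataclasses import dataclass

# Ranking from the page: owner > administrator > read-only.
ROLE_RANK = {"Read Only": 1, "Administrator": 2, "Owner": 3}
MAX_MAPPINGS = 50


@dataclass(frozen=True)
class GroupMapping:
    ad_group: str    # the AD Group value entered in the portal
    user_role: str   # Owner, Administrator or Read Only


def validate_mappings(mappings):
    """Constraints from the page: at most 50 mappings, and one AD group may
    not map to more than one role (several groups may share a role)."""
    if len(mappings) > MAX_MAPPINGS:
        raise ValueError(f"more than {MAX_MAPPINGS} AD group mappings")
    seen = {}
    for m in mappings:
        if m.user_role not in ROLE_RANK:
            raise ValueError(f"unknown role {m.user_role!r}")
        if seen.setdefault(m.ad_group, m.user_role) != m.user_role:
            raise ValueError(f"AD group {m.ad_group!r} maps to multiple roles")


def group_matches(pattern: str, group: str, fmt: str) -> bool:
    """Plain Text is an exact match; Regular Expression is a substring-style
    search (assumption, see lead-in)."""
    if fmt == "Plain Text":
        return group == pattern
    if fmt == "Regular Expression":
        return re.search(pattern, group) is not None
    raise ValueError(f"unknown AD Group Format {fmt!r}")


def external_role(saml_attributes: dict, attr_name: str, fmt: str, mappings):
    """Highest IoT Security role any of the user's AD groups maps to, or None
    when nothing matches (such a user then needs an internal role and invite)."""
    validate_mappings(mappings)
    best = None
    for group in saml_attributes.get(attr_name, []):
        for m in mappings:
            if group_matches(m.ad_group, group, fmt):
                if best is None or ROLE_RANK[m.user_role] > ROLE_RANK[best]:
                    best = m.user_role
    return best


def effective_role(external, internal):
    """Return (role applied, internal_role_ignored). The higher role wins, so
    an internal role not above the external one is never applied, which is the
    caveat the page gives when setting internal roles."""
    if external is None:
        return internal, False
    if internal is None or ROLE_RANK[internal] <= ROLE_RANK[external]:
        return external, internal is not None
    return internal, False


# Constructed SAML attribute statement, already decoded to name -> values.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"   # assumed attribute name
SAMPLE_ATTRS = {
    GROUP_ATTR: ["Domain Users", "OUI=Hospital NetSec", "OUI=Hospital Administrator"],
}
# Constructed mapping table using the page's OUI=Hospital* example.
MAPPINGS = [
    GroupMapping("OUI=Hospital*", "Administrator"),
    GroupMapping("Domain Admins", "Owner"),
]

if __name__ == "__main__":
    for fmt in ("Regular Expression", "Plain Text"):
        ext = external_role(SAMPLE_ATTRS, GROUP_ATTR, fmt, MAPPINGS)
        print(fmt, "->", ext)
    for internal in ("Read Only", "Owner"):
        applied, ignored = effective_role("Administrator", internal)
        print(f"external=Administrator internal={internal}: applied={applied} ignored={ignored}")
```

Two points the dry run makes visible: in Regular Expression mode the same groups that match OUI=Hospital* would also match any group containing that text, so a pattern meant for one organizational unit should be as specific as the group naming allows (or use Plain Text where exact names are known); and an internal role of Read Only for a user whose AD groups already yield Administrator is reported as ignored, which is exactly the situation the page warns about.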