On-Premises Controller for Prisma SD-WAN supports SAML-based authentication for users of the Operator's console. When a non-local user tries to log in to the Operator's console, the user is directed to an Identity Provider (IdP) such as Okta or Ping, where the IdP authenticates the user and then redirects the user back to the Operator's console login page. After the redirect, the user can log in using the email ID provided by the IdP to access the console. After a non-local user logs in for the first time, the user is auto-populated in User Management as a non-local user.
To initiate the metadata exchange between the controller and the IdP:

1. On the Operator's console, navigate to Configuration > SAML Configuration.
2. Under SAML SP Settings, click Download to save the SP metadata. The SP metadata is generated automatically after a successful installation, so nothing needs to be entered by hand at this stage.
3. In the IdP (Okta, Ping, or another SAML 2.0 IdP), create a SAML SSO application for the controller and Import the SP metadata you downloaded in the previous step. Save your changes.
4. In the IdP, Download the SAML configuration of the application (the IdP metadata).
5. Back on the Operator's console, go to SAML IDP Settings and import the IdP metadata downloaded in the previous step. Note that this is the IdP's metadata, not the SP metadata from step 2.
6. In the IdP's Attributes mappings, configure the following two attributes. The saml_subject value must be in email format:
   saml_subject: User ID/Email Address of the user.
   opsui_role: Group Names or First Name of the user. This additional attribute is mandatory, and its value must be the group name (or user name) that belongs to the admin role. The IdP configuration grants console access by mapping users who belong to specific groups to this role; a user whose assertion carries no opsui_role value mapped to the admin role is not granted access.
7. Save your changes.
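The attribute mapping in step 6 is easy to get subtly wrong (a non-email saml_subject, a missing opsui_role, or a group name that only partially matches). The following Python example, added here for illustration and not Palo Alto Networks code, parses the AttributeStatement of a constructed SAML assertion and applies the two documented mapping rules: saml_subject must be a single email address, and opsui_role must carry at least one value that the operator has mapped to the admin role. The group name sdwan-admins, the sample assertion, and the exact-match policy are assumptions for the example; signature, audience, and validity-period checks, which a real SP performs before trusting any attribute, are deliberately out of scope.

```python
"""Check the attribute mapping a Prisma SD-WAN on-prem controller expects from an IdP.

Added example, not Palo Alto Networks code. It parses only the AttributeStatement
of a SAML 2.0 assertion and applies the documented mapping rules:
  - saml_subject must be exactly one value in email format
  - opsui_role is mandatory and must name a group (or user) mapped to the admin role
Signature, audience and NotOnOrAfter validation must happen before any of this
is trusted; they are out of scope here.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion body; not captured from a real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="saml_subject">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="opsui_role">
      <saml:AttributeValue>sdwan-readonly</saml:AttributeValue>
      <saml:AttributeValue>sdwan-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical set of IdP group (or user) names the operator mapped to the admin role.
ADMIN_ROLE_VALUES = {"sdwan-admins"}

# Deliberately simple email shape check; the controller's own check is not documented.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values...]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def map_to_console_user(attrs: dict, admin_values=ADMIN_ROLE_VALUES) -> tuple:
    """Apply the documented mapping. Returns (ok, email, role, reason)."""
    subjects = attrs.get("saml_subject", [])
    if len(subjects) != 1:
        return (False, None, None, "saml_subject must carry exactly one value")
    email = subjects[0]
    if not EMAIL_RE.match(email):
        return (False, email, None, "saml_subject is not an email address")
    roles = attrs.get("opsui_role")
    if not roles:
        return (False, email, None, "mandatory attribute opsui_role is missing")
    # Exact, case-sensitive match: a substring or prefix match would let a group
    # such as "sdwan-admins-guests" pass as admin.
    if any(r in admin_values for r in roles):
        return (True, email, "admin", "ok")
    return (False, email, None, "no opsui_role value is mapped to the admin role")


if __name__ == "__main__":
    result = map_to_console_user(extract_attributes(SAMPLE_ASSERTION))
    print(result)
```

Running the block on the constructed assertion maps alice@example.com to the admin role because one of the two opsui_role values matches the admin group exactly; dropping the opsui_role attribute, or sending a bare user ID instead of an email address in saml_subject, is rejected with the corresponding reason, which is the failure a practitioner sees when the IdP's attribute mapping is misconfigured.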