Set Up SAML Authentication
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
- Create a server profile. The server profile identifies the external authentication service and instructs the firewall how to connect to that authentication service and access the authentication credentials for your users.
- Select Device > Server Profiles > SAML Identity Provider.
- Click Add and enter a Profile Name, such as GP-User-Auth.
- If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
- Import the IdP metadata file.
Refer to SAML 2.0 Authentication for details. Alternatively, if the IdP doesn't provide a metadata file, Add the server profile and then enter the connection and registration information manually.
- Click OK to save the server profile.
- (Optional) Create an authentication profile. The authentication profile specifies the server profile for the portal or gateways to use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles in one or more client authentication profiles. For descriptions of how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
SAML authentication does not support the pre-logon connect method that enables users to connect and change their own expired passwords without administrative intervention (Remote Access VPN with Pre-Logon).
- Select Device > Authentication Profile and Add a new profile.
- Enter a Name for the profile and then select SAML as the authentication Type.
- Select the SAML authentication Server Profile that you created in step 1 from the drop-down.
- Select the following to configure certificate authentication between the firewall and the SAML identity provider. Refer to SAML 2.0 Authentication for details.
- The Request Signing Certificate that the firewall uses to sign messages it sends to the IdP.
- The Certificate Profile that the firewall uses to validate the Identity Provider Certificate.
- Specify the username and admin role formats.
Unlike other types of external authentication, there is no User Domain attribute in the authentication profiles for SAML.
- Specify the Username Attribute and User Group Attribute.
- (Optional) If you will use this profile to authenticate administrative accounts that you manage in the IdP identity store, specify the Admin Role Attribute and Access Domain Attribute also.
- Select the Advanced tab.
- In the Allow List, Add and then select the users and groups that are allowed to authenticate with this profile. Selecting the predefined all option allows every user to authenticate. By default, the list has no entries, which means no users can authenticate. Make sure each username in the Allow List matches the username the SAML IdP returns, that is, the value of the attribute you selected as the Username Attribute; an entry that matches the directory login name but not the returned attribute value will not authenticate.
- Click OK.
- Commit the configuration. Click Commit.
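The following is an added example and is not code from the original page or from Palo Alto Networks. It shows, for the procedure above, what the firewall actually consumes: the entityID, SSO endpoints and signing certificate from the IdP metadata imported in step 1, and the username and group values a SAML assertion carries under the names you choose as Username Attribute and User Group Attribute. It then applies the Allow List rules the page states (empty list denies everyone, the predefined all entry admits everyone, otherwise the returned username or a group must match). The IdP hostnames, attribute names (username, memberOf), certificate text and the assertion itself are constructed placeholders, and falling back to NameID when the named attribute is absent is this example's own choice, not documented PAN-OS behaviour.

```python
# Added example, not Palo Alto Networks code. Parses constructed IdP metadata and
# a constructed SAML assertion, then applies Allow List matching as described.
# Hostnames, attribute names and certificate text are placeholders.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP metadata: the entityID, SSO endpoints and signing certificate
# are the connection and registration information step 1 imports.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned assertion. A real assertion must have its signature
# verified against the metadata certificate before any value is trusted;
# plain ElementTree does no signature verification at all.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>gp-users</saml:AttributeValue>
      <saml:AttributeValue>vpn-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints keyed by binding, and signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def extract_identity(assertion_xml, username_attr, group_attr):
    """Return (username, groups, issuer) for the configured attribute names.

    username_attr=None selects the Subject NameID. Falling back to NameID when
    the named attribute is missing is this example's choice (assumption).
    """
    root = ET.fromstring(assertion_xml)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    username = attrs[username_attr][0] if username_attr and attrs.get(username_attr) else name_id
    groups = attrs.get(group_attr, []) if group_attr else []
    return username, groups, root.findtext("saml:Issuer", namespaces=NS)


def is_allowed(username, groups, allow_list):
    """Allow List rules from the page: no entries denies everyone, the predefined
    'all' entry admits everyone, otherwise the returned username or one of the
    returned groups must match an entry exactly (case-sensitive in this example)."""
    if not allow_list:
        return False
    if "all" in allow_list:
        return True
    return username in allow_list or any(g in allow_list for g in groups)


def check_login(allow_list, username_attr="username", group_attr="memberOf"):
    """Issuer must be the registered IdP; then the Allow List decides.
    Returns (allowed, username_as_seen_by_firewall)."""
    meta = parse_idp_metadata(IDP_METADATA)
    username, groups, issuer = extract_identity(ASSERTION, username_attr, group_attr)
    if issuer != meta["entity_id"]:
        return False, username  # assertion from an IdP we never registered
    return is_allowed(username, groups, allow_list), username


if __name__ == "__main__":
    # "jdoe" in the Allow List fails when Username Attribute is "username"
    # (the IdP returns jdoe@example.com) but passes when NameID is used.
    print(check_login(["jdoe"]))                      # (False, 'jdoe@example.com')
    print(check_login(["jdoe"], username_attr=None))  # (True, 'jdoe')
    print(check_login(["gp-users"]))                  # (True, 'jdoe@example.com')
```

The mismatch case is the one to keep in mind when a user who clearly exists in the IdP is still denied: compare the value the IdP actually sends in the attribute you picked as Username Attribute with the Allow List entry, rather than the user's directory login name.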