SAML 2.0 Authentication
You can now use Security Assertion Markup Language (SAML) 2.0 to authenticate administrators who access the firewall or Panorama web interface and end users who access services or applications. In environments where each user accesses many services or applications and authenticating for each one would impede user productivity, you can configure SAML single sign-on (SSO) to enable one login to access multiple services and applications. Likewise, SAML single logout (SLO) enables a user to end sessions for multiple services and applications by logging out of just one session. You can use SAML authentication for services and applications that are external or internal to your organization.
SSO is available to administrators and to GlobalProtect and Captive Portal end users. SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users.
Administrators can use SAML to authenticate to the firewall or Panorama web interface, but not to the CLI.
SAML authentication requires a service provider (the firewall or Panorama), which controls access to services or applications, and an identity provider (IdP) such as PingFederate, which authenticates users. To configure SAML authentication, you must register the firewall or Panorama and the IdP with each other to enable communication between them. If the IdP provides a metadata file containing registration information, you can import it onto the firewall or Panorama to register the IdP and to create an IdP server profile. The server profile specifies the certificate that the IdP uses to sign SAML messages. You can also import a certificate for the firewall or Panorama to sign SAML messages. Using certificates is optional but recommended to secure communications between the firewall or Panorama and the IdP.
- (Recommended) Obtain the certificate that the firewall will use to sign SAML messages that it sends to the IdP.
  If the certificate doesn't specify key usage attributes, all usages are allowed by default, including signing messages. In this case, you can obtain the certificate by any method. If the certificate does specify key usage attributes, one of the attributes must be Digital Signature, which is not available on certificates that you generate on the firewall or Panorama. In this case, you must import the certificate from your enterprise certificate authority (CA) or a third-party CA.
- Select Device > Server Profiles > SAML Identity Provider and Import the metadata file that your IdP provided.
  When you import the metadata file, the firewall automatically creates a server profile and populates the connection, registration, and certificate information. The IdP uses the certificate to sign SAML messages that it sends to the firewall. You must manually configure the other server profile settings.
- Select Device > Authentication Profile and Add an authentication profile to define authentication settings such as SAML SLO. Select the IdP Server Profile you configured and select the Certificate for Signing Requests. The firewall uses this certificate to sign SAML messages that it sends to the IdP.
- Assign the authentication profile to the firewall applications that require authentication:
  - Administrator accounts that you manage locally on the firewall. In this example, create a local administrator before you verify the SAML configuration later in this procedure.
  - Administrator accounts that you manage externally in the IdP identity store. Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
  - Authentication policy rules that secure the services and applications that Captive Portal end users access.
  - GlobalProtect portals and gateways that end users access.
- Commit your changes. The firewall validates the Identity Provider Certificate that you assigned to the SAML IdP server profile.
- Create a metadata file that you can use to register the firewall application with the IdP: select Device > Authentication Profile and click Metadata in the row of the authentication profile you configured. Refer to your IdP documentation for the steps to import the metadata file onto the IdP server and register the firewall application.
- Verify that users can authenticate using SAML: as the administrator you created locally on the firewall, log in to the firewall web interface using the Use Single Sign-On option. After authenticating through the IdP, use the same administrator account to access another SSO application. If you can access the application without authenticating again (assuming Security policy allows access to that application), SSO authentication succeeded.
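The two metadata exchanges in the procedure above (importing the IdP's metadata file to build the server profile, and exporting the firewall's own metadata to register it with the IdP) are easier to reason about with the XML in front of you. The following Python script is an added example, not Palo Alto Networks' code and not the firewall's import routine: it extracts from a SAML 2.0 IdP metadata file the same kinds of values the server profile stores (entity ID, SSO and SLO endpoints, the IdP's signing certificate, whether the IdP wants signed requests), refuses metadata that carries no signing certificate, and renders the service-provider metadata that an application would hand back to the IdP. The sample metadata, the entity IDs, the URLs and the certificate placeholders are all constructed for the example.

```python
"""Parse SAML 2.0 IdP metadata into the values a service provider (SP) stores,
and build the SP metadata the SP hands back to the IdP for registration.
Everything here is constructed for illustration: the entity IDs, the URLs and
the certificate placeholders are assumptions, not values from any real IdP."""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def md(local: str) -> str:
    return f"{{{NS['md']}}}{local}"


def ds(local: str) -> str:
    return f"{{{NS['ds']}}}{local}"


class MetadataError(ValueError):
    """Raised when the metadata cannot yield a complete, verifiable profile."""


# Constructed sample of what an IdP exports; the X509Certificate body is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-IDP-SIGNING-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same file with its only key marked for encryption: nothing is left to verify signatures with.
IDP_METADATA_NO_SIGNING_KEY = IDP_METADATA.replace('use="signing"', 'use="encryption"')


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the connection, registration and certificate data an SP needs."""
    root = ET.fromstring(xml_text)
    if root.tag != md("EntityDescriptor"):
        raise MetadataError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("entityID missing; cannot register the IdP")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: this file does not describe an IdP")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        raise MetadataError("no signing certificate: IdP signatures could not be verified")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    sso_binding = REDIRECT if REDIRECT in sso else POST
    if sso_binding not in sso:
        raise MetadataError("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    return {
        "identity_provider_id": entity_id,
        "sso_url": sso[sso_binding],
        "sso_binding": sso_binding,
        "slo_url": slo.get(REDIRECT) or slo.get(POST),  # None means the IdP offers no SLO
        "signing_certificates": certs,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def is_usable(xml_text: str) -> bool:
    """True when the metadata yields a profile that can verify IdP signatures."""
    try:
        parse_idp_metadata(xml_text)
        return True
    except (MetadataError, ET.ParseError):
        return False


def build_sp_metadata(entity_id: str, acs_url: str,
                      slo_url: Optional[str] = None,
                      signing_cert_b64: Optional[str] = None) -> str:
    """Render the SP's own metadata; AuthnRequestsSigned is true only if a cert is supplied."""
    root = ET.Element(md("EntityDescriptor"), entityID=entity_id)
    sp = ET.SubElement(root, md("SPSSODescriptor"),
                       AuthnRequestsSigned="true" if signing_cert_b64 else "false",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    if signing_cert_b64:
        key = ET.SubElement(sp, md("KeyDescriptor"), use="signing")
        x509 = ET.SubElement(ET.SubElement(key, ds("KeyInfo")), ds("X509Data"))
        ET.SubElement(x509, ds("X509Certificate")).text = signing_cert_b64
    if slo_url:
        ET.SubElement(sp, md("SingleLogoutService"), Binding=REDIRECT, Location=slo_url)
    ET.SubElement(sp, md("AssertionConsumerService"), Binding=POST, Location=acs_url, index="0")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    print(build_sp_metadata("https://fw.example.com/SAML20/SP",          # assumed SP entity ID
                            "https://fw.example.com/SAML20/SP/ACS",      # assumed ACS URL
                            "https://fw.example.com/SAML20/SP/SLO",      # assumed SLO URL
                            "MIIC...PLACEHOLDER-SP-SIGNING-CERT..."))
```

Two points carry over to the real deployment. First, the parser fails closed when no signing key is present, which is the property the procedure relies on: without the IdP's certificate in the server profile, the firewall could not validate the signature on SAML messages, and the commit-time certificate validation described above is what catches a bad or mismatched certificate. Second, `xml.etree` is not hardened against hostile XML (entity expansion, external entities); metadata should be obtained from the IdP over an authenticated channel, and anything parsing metadata from untrusted sources should use a hardened parser such as defusedxml.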