SAML Metadata Export from an Authentication Profile

  • Device > Authentication Profile
The firewall and Panorama can use a SAML identity provider (IdP) to authenticate users who request services. For administrators, the service can be access to the web interface. For end users, the service can be Captive Portal or GlobalProtect, which enable access to your network resources. To enable SAML authentication for a service, you must register that service by entering specific information about it on the IdP in the form of SAML metadata. The firewall and Panorama simplify registration by automatically generating a SAML metadata file based on the authentication profile that you assigned to the service and you can export this metadata file to the IdP. Exporting the metadata is an easier alternative to typing the values for each metadata field in the IdP.
Some of the metadata in the exported file derives from the SAML IdP server profile assigned to the authentication profile (Device > Server Profiles > SAML Identity Provider). However, the exported file always specifies POST as the HTTP binding method, regardless of the method specified in the SAML IdP server profile. The IdP will use the POST method to send SAML messages to the firewall or Panorama.
To export SAML metadata from an authentication profile, click the SAML
Metadata
link in the Authentication column and complete the following fields. To import the metadata file into an IdP, refer to your IdP documentation.
SAML Metadata Export Settings
Description
Commands
Select the service for which you want to export SAML metadata:
  • management
    (default)—Provides administrator access to the web interface.
  • captive-portal
    —Provides end user access to network resources through Captive Portal.
  • global-protect
    —Provides end user access to network resources through GlobalProtect.
Your selection determines which other fields the dialog displays.
[Management | Captive Portal | GlobalProtect] Auth Profile
Enter the name of the authentication profile from which you are exporting metadata. The default value is the profile from which you opened the dialog by clicking the
Metadata
link.
Management Choice
(
Management only
)
Select an option for specifying an interface that is enabled for management traffic (such as the MGT interface):
  • Interface
    —Select the interface from the list of interfaces on the firewall.
  • IP Hostname
    —Enter the IP address or hostname of the interface. If you enter a hostname, the DNS server must have an address (A) record that maps to the IP address.
[Captive Portal | GlobalProtect] Virtual System
(
Captive Portal or GlobalProtect only
)
Select the virtual system for which the Captive Portal settings or GlobalProtect portal are defined.
IP Hostname
(
Captive Portal or GlobalProtect only
)
Enter the IP address or hostname of the service.
  • Captive Portal
    —Enter the
    Redirect Host
    IP address or hostname (
    Device
    User Identification
    Captive Portal Settings
    ).
  • GlobalProtect
    —Enter the
    Hostname
    or
    IP Address
    of the GlobalProtect portal.
If you enter a hostname, the DNS server must have an address (A) record that maps to the IP address.

Related Documentation