SAML Metadata Export from an Authentication Profile
- Device > Authentication Profile
The firewall and Panorama can use a SAML identity provider (IdP) to authenticate users who request services. For administrators, the service can be access to the web interface. For end users, the service can be Captive Portal or GlobalProtect, which enable access to your network resources. To enable SAML authentication for a service, you must register that service by entering specific information about it on the IdP in the form of SAML metadata. The firewall and Panorama simplify registration by automatically generating a SAML metadata file based on the authentication profile that you assigned to the service and you can export this metadata file to the IdP. Exporting the metadata is an easier alternative to typing the values for each metadata field in the IdP.
Some of the metadata in the exported file derives from the SAML IdP server profile assigned to the authentication profile (Device > Server Profiles > SAML Identity Provider). However, the exported file always specifies POST as the HTTP binding method, regardless of the method specified in the SAML IdP server profile. The IdP will use the POST method to send SAML messages to the firewall or Panorama.
To export SAML metadata from an authentication profile, click the SAML
Metadatalink in the Authentication column and complete the following fields. To import the metadata file into an IdP, refer to your IdP documentation.
SAML Metadata Export Settings
Select the service for which you want to export SAML metadata:
Your selection determines which other fields the dialog displays.
[Management | Captive Portal | GlobalProtect] Auth Profile
Enter the name of the authentication profile from which you are exporting metadata. The default value is the profile from which you opened the dialog by clicking the
Select an option for specifying an interface that is enabled for management traffic (such as the MGT interface):
[Captive Portal | GlobalProtect] Virtual System
Captive Portal or GlobalProtect only)
Select the virtual system for which the Captive Portal settings or GlobalProtect portal are defined.
Captive Portal or GlobalProtect only)
Enter the IP address or hostname of the service.
If you enter a hostname, the DNS server must have an address (A) record that maps to the IP address.
Configure SAML Authentication
Configure SAML Authentication To configure SAML single sign-on (SSO) and single logout (SLO), you must register the firewall and the IdP with each other to ...
Configure SAML Authentication for Panorama Administrators
Configure SAML Authentication for Panorama Administrators You can use Security Assertion Markup Language (SAML) 2.0 for administrative access to the Panorama web interface (but not ...
Device > Server Profiles > SAML Identity Provider
Device > Server Profiles > SAML Identity Provider Use this page to register a Security Assertion Markup Language (SAML) 2.0 identity provider (IdP) with the ...
Device > Authentication Profile
Device > Authentication Profile Use this page to configure settings for authenticating administrators and end users. The firewall and Panorama support local, RADIUS, TACACS+, LDAP, ...
Set Up SAML Authentication
Set Up SAML Authentication Security Assertion Markup Language (SAML) is an XML-based, open-standard data format used to exchange authentication and authorization data between parties, specifically ...
Configure an Authentication Profile
Authentication Profile Device > Authentication Profile Select Device Authentication Profile or Panorama Authentication Profile to manage authentication profiles. To create a new profile, Add one ...
Configure SAML 2.0 Authentication (API)
Configure SAML 2.0 Authentication (API) Use the PAN-OS XML API to automate the configuration of SAML 2.0 single sign-on (SSO) and single logout (SLO). To ...
SAML You can use Security Assertion Markup Language (SAML) 2.0 to authenticate administrators who access the firewall or Panorama web interface and end users who ...
Configure Captive Portal
Configure Captive Portal The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests ...