An authentication profile defines the authentication
service that validates the login credentials of administrators when
they access Panorama. The service can be local authentication or an external authentication service. Some
services (SAML, TACACS+, and RADIUS) provide the option to manage both
authentication and authorization for administrative accounts on
the external server instead of on Panorama. In addition to the authentication
service, the authentication profile defines options such as Kerberos
single sign-on (SSO) and SAML single logout (SSO).
Some networks have multiple databases (such as TACACS+ and LDAP)
for different users and user groups. To authenticate administrators in
such cases, configure an authentication sequence—a
ranked order of authentication profiles that Panorama matches an
administrator against during login. Panorama checks against each
profile in sequence until one successfully authenticates the administrator.
An administrator is denied access only if authentication fails for
all the profiles in the sequence.