Configure SAML Authentication for Panorama Administrators
Table of Contents
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on Alibaba Cloud
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Hyper-V
- Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on Alibaba Cloud
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Hyper-V
- Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
- Install the Device Certificate for a Dedicated Log Collector
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-500 Appliance to an M-700 Appliance
- Migrate from an M-600 Appliance to an M-700 Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Admin Role Profile for Selective Push to Managed Firewalls
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
- Configure Tracking of Administrator Activity
-
- Add a Firewall as a Managed Device
- Change Between Panorama Management and Cloud Management
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Device Group Push to a Multi-VSYS Firewall
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Schedule a Configuration Push to Managed Firewalls
- Redistribute Data to Managed Firewalls
-
- Plan the Transition to Panorama Management
- Migrate a Firewall to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall to Panorama Management and Push a New Configuration
- Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
- Load a Partial Firewall Configuration into Panorama
- Localize a Panorama Pushed Configuration on a Managed Firewall
-
- Configure a Managed Collector
- Monitor Managed Collector Health Status
- Configure Log Forwarding to Panorama
- Configure Syslog Forwarding to External Destinations
- Forward Logs to Strata Logging Service
- Verify Log Forwarding to Panorama
- Modify Log Forwarding and Buffering Defaults
- Configure Log Forwarding from Panorama to External Destinations
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
-
-
- Preview, Validate, or Commit Configuration Changes
- Commit Selective Configuration Changes for Managed Devices
- Push Selective Configuration Changes to Managed Devices
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- View Log Query Jobs
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- View Task Success or Failure Status
- Generate a Stats Dump File for a Managed Firewall
- Recover Managed Device Connectivity to Panorama
- Restore an Expired Device Certificate
Configure SAML Authentication for Panorama Administrators
You can use Security Assertion Markup Language (SAML) 2.0 for
administrative access to the Panorama web interface (but not the
CLI). You can also use SAML attributes to manage administrator authorization.
SAML attributes enable you to quickly change the roles, access domains,
and user groups of administrators through your directory service
instead of reconfiguring settings on Panorama.
To configure
SAML single sign-on (SSO) and single logout (SLO), you must register
Panorama and the identity provider (IdP) with each other to enable
communication between them. If the IdP provides a metadata file containing
registration information, you can import it onto Panorama to register
the IdP and to create an IdP server profile. The server profile
defines how to connect to the IdP and specifies the certificate
that the IdP uses to sign SAML messages. You can also use a certificate
for Panorama to sign SAML messages. Using certificates is optional
but recommended to secure communications between Panorama and the
IdP.
- (Recommended) Obtain the certificates that the IdP and Panorama will use to sign SAML messages.If the certificates don’t specify key usage attributes, all usages are allowed by default, including signing messages. In this case, you can obtain certificates by any method.If the certificates do specify key usage attributes, one of the attributes must be Digital Signature, which is not available on certificates that you generate on Panorama. In this case, you must import the certificates:
- Certificate Panorama uses to sign SAML messages—Import the certificate from your enterprise certificate authority (CA) or a third-party CA.
- Certificate the IdP uses to sign SAML messages—Import
a metadata file containing the certificate from the IdP (see the
next step). The IdP certificate is limited to the following algorithms:
- Public key algorithms—RSA (1,024 bits or larger) and ECDSA (all sizes).
- Signature algorithms—SHA1, SHA256, SHA384, and SHA512.
Add a SAML IdP server profile.The server profile registers the IdP with Panorama and defines how they connect.In this example, you import a SAML metadata file from the IdP so that Panorama can automatically create a server profile and populate the connection, registration, and IdP certificate information.If the IdP doesn’t provide a metadata file, select PanoramaServer ProfilesSAML Identity Provider, Add the server profile, and manually enter the information (consult your IdP administrator for the values).- Export the SAML metadata file from the IdP to a client system that Panorama can access.The certificate specified in the file must meet the requirements listed in the preceding step. Refer to your IdP documentation for instructions on exporting the file.Select PanoramaServer ProfilesSAML Identity Provider and Import the metadata file onto Panorama.Enter a Profile Name to identify the server profile.Browse to the Identity Provider Metadata file.(Recommended) Select Validate Identity Provider Certificate (default) to have Panorama validate the Identity Provider Certificate.Validation occurs only after you assign the server profile to an authentication profile and Commit. Panorama uses the Certificate Profile in the authentication profile to validate the certificate.Validating the certificate is a best practice for improved security.Enter the Maximum Clock Skew, which is the allowed difference in seconds between the system times of the IdP and Panorama at the moment when Panorama validates IdP messages (default is 60; range is 1 to 900). If the difference exceeds this value, authentication fails.Click OK to save the server profile.Click the server profile Name to display the profile settings. Verify that the imported information is correct and edit it if necessary.Configure an authentication profile.The authentication profile specifies a SAML IdP server profile and defines options for the authentication process, such as SLO.
- Select PanoramaAuthentication Profile and Add a profile.Enter a Name to identify the profile.Set the Type to SAML.Select the IdP Server Profile you configured.Select the Certificate for Signing Requests.Panorama uses this certificate to sign messages it sends to the IdP.(Optional) Enable Single Logout (disabled by default).Select the Certificate Profile that Panorama will use to validate the Identity Provider Certificate.Enter the Username Attribute that IdP messages use to identify users (default username).When you predefine dynamic administrator roles for users, use lower-case to specify the role (for example, enter superuser, not SuperUser). If you manage administrator authorization through the IdP identity store, specify the Admin Role Attribute and Access Domain Attribute also.Select Advanced and Add the administrators who are allowed to authenticate with this authentication profile.Click OK to save the authentication profile.Configure Panorama to use the authentication profile for all administrators.
- Select PanoramaSetupManagement, edit the Authentication Settings, and select the Authentication Profile you configured.Select CommitCommit to Panorama to activate your changes on Panorama and to validate the Identity Provider Certificate that you assigned to the SAML IdP server profile.Create a SAML metadata file to register Panorama on the IdP.
- Select PanoramaAuthentication Profile and, in the Authentication column for the authentication profile you configured, click Metadata.Set the Management Choice to Interface (default is selected) and select the management (MGT) interface.Click OK and save the metadata file to your client system.Import the metadata file into the IdP server to register Panorama. Refer to your IdP documentation for instructions.Verify that administrators can authenticate using SAML SSO.
- Go to the URL of the Panorama web interface.Click Use Single Sign-On.Click Continue.Panorama redirects you to authenticate to the IdP, which displays a login page. For example:Log in using your SSO username and password.After you successfully authenticate on the IdP, it redirects you back to Panorama, which displays the web interface.Use your Panorama administrator account to request access to another SSO application.Successful access indicates SAML SSO authentication succeeded.