Configure ADFS as a SAML Provider for Mobile Users (Strata Cloud Manager)

1. Enable Mobile Users to Authenticate to Prisma Access.

   Complete the steps for defining the Service Provider (SP) settings, including generating or importing the certificate that Prisma Access uses to sign SAML messages that it sends to the identity provider (IdP).
2. Export the Prisma Access signing certificate so that you can import it onto your IdP.

3. Add each Prisma Access portal and gateway as a Relying Party Trust to the Windows server.

   1. On the server running AD FS, start AD FS Management.
   2. In the Navigation Pane, expand Trust Relationships, and then select Relying Party Trusts.
   3. On the Actions menu located in the right column, select Add Relying Party Trust.
   4. In the Add Relying Party Trust Wizard page, select Claims aware and click Start.

   5. In the Select Data Source page, select Enter data about the relying party manually and click Next.

   6. In the Specify Display Name page, enter the name for the first relying party (one of the IP addresses in the list of security processing nodes you exported from Prisma Access) and click Next.

      This example specifies one of the security processing nodes from Prisma Access as a relying party.

   7. In the Configure URL page, enter the SAML single sign-on URL you configured for Prisma Access and then click Next.

      The URL is in the format https://<prisma-access-hostname>:433/SAML20/SP/ACS, where <prisma-access-hostname> is the name of the Prisma Access gateway you are configuring as a relying party trust.

   8. In the Configure Identifiers page, enter the relying party trust identifier for Prisma Access and then click Next.

      The relying party trust identifier URL is in the format https://<prisma-access-hostname>:443/SAML20/SP, where <prisma-access-hostname> is the name of the Prisma Access security processing node you are configuring as a relying party trust.

   9. In the Choose Access Control Policy page, leave the Policy as Permit everyone and click Next.

   10. Click Finish.

       ADFS adds a new Relying Party Trusts entry.

4. Add a rule to the relying party trust you created.

   1. In the Relying Party Trusts page, find the Prisma Access node you just added in the selections on the right, then select Edit Claim Issuance Policy.

   2. In the Edit Claim Issuance Policy page, click Add Rule.

   3. In the Select Rule Template page, select Send LDAP attributes as Claims as the Claim rule template and click Next.

   4. In the Configure Rule window, add an LDAP Attribute of SAM-Account-Name and an Outgoing Claim Type of Name ID.

      By default, the Prisma Access security processing nodes expect the username attribute in the SAML response from the Identity Provider (IdP).

   5. Click Apply then click OK.

      The Prisma Access node displays in the list of Relying Party Trusts.

5. Add the remaining security processing nodes in Prisma Access as Relying Party Trusts.
6. Download the federation metadata XML file and the ADFS CA certificate to a local machine for import into Prisma Access:

   1. To download the metadata file, start AD FS Management on the server running ADFS, then select AD FSServiceEndpoints and find the URL to download the file. The URL is in the format https://<adfs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml, where <adfs-server-hostname> is the host name for the ADFS server.
   2. If the certificate that the ADFS server uses to sign SAML responses is not signed by a well-known, third-party CA, export the CA certificate so that you can import it into Prisma Access.

7. Import the metadata file and the CA certificate (if needed) from ADFS into Prisma Access.

   1. Log in to the Strata Cloud Manager on the hub and select ConfigureMobile UsersGo To Summary and Edit the Enterprise Authentication configuration.
   2. In SAML IdP Profile click Add SAML IdP Profile and Import the metadata file you exported from the ADFS server.
   3. Save the IdP profile.