>
    Strata Copilot
    Configure ADFS as a SAML Provider for Mobile Users (Panorama)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Authenticate Mobile Users
    4. Configure ADFS as a SAML Provider for Mobile Users
    5. Configure ADFS as a SAML Provider for Mobile Users (Panorama)
    Download PDF
    Prisma Access

    Configure ADFS as a SAML Provider for Mobile Users (Panorama)

    Table of Contents

    Configure ADFS as a SAML Provider for Mobile Users (Panorama)

    Make sure that ADFS is using an SSL certificate issued by a trusted certificate authority (CA). If the CA is self-signed and belongs to the organization, import the CA certificate into Panorama Certificate ManagementCertificatesImport) under the Mobile_User_Template.
    The examples in this section show the ADFS server being configured on Windows Server 2016.

    Configure ADFS on the ADFS Server

    For ADFS to work with Prisma Access, you must add all configuration associated with mobile users as a Relying Party Trust. Add this information by completing the following steps.
    1. Retrieve the list of URLs associated with the cloud-based portals and gateways.
      1. In Panorama, select PanoramaCloud ServicesStatus, then select Mobile Users.
      2. Copy the URLs of the Portals and Gateways that display.
    2. Add each Prisma Access portal and gateway as a Relying Party Trust to the Windows server.
      1. On the server running AD FS, start AD FS Management.
      2. In the Navigation Pane, expand Trust Relationships, and then select Relying Party Trusts.
      3. On the Actions menu located in the right column, select Add Relying Party Trust.
      4. In the Add Relying Party Trust Wizard page, select Claims aware and click Start.
      5. In the Select Data Source page, select Enter data about the relying party manually and click Next.
      6. In the Specify Display Name page, enter the name for the first relying party (one of the Prisma Access gateways or portals) and click Next.
        This example specifies one of the cloud Gateways from Prisma Access as a relying party.
      7. In the Configure URL page, enter the SAML single sign-on URL for the gateway; then click Next.
        The URL is in the format https://<gateway-hostname>:443/SAML20/SP/ACS, where <gateway-hostname> is the name of the Prisma Access gateway you are configuring as a relying party trust.
      8. In the Configure Identifiers page, enter the relying party trust identifier for the gateway; then click Next.
        The relying party trust identifier URL is in the format https://<gateway-hostname>:443/SAML20/SP, where <gateway-hostname> is the name of the Prisma Access gateway you are configuring as a relying party trust.
      9. In the Choose Access Control Policy page, leave the Policy as Permit everyone and click Next.
      10. Click Finish.
        ADFS adds a new Relying Party Trusts entry.
    3. Add a rule to the relying party trust you created.
      1. In the Relying Party Trusts page, find the gateway you just added in the selections on the right, then select Edit Claim Issuance Policy.
      2. In the Edit Claim Issuance Policy page, click Add Rule.
      3. In the Select Rule Template page, select Send LDAP attributes as Claims as the Claim rule template and click Next.
      4. In the Configure Rule window, add an LDAP Attribute of SAML-Account-Name and an Outgoing Claim Type of Name ID.
        By default, the Prisma Access portal and gateways expect to see the username attribute in the SAML response from the Identity Provider (IdP).
      5. Click Apply then click OK.
        The gateway displays in the list of Relying Party Trusts.
    4. (Optional) If you use a certificate issued by a Certificate Authority (CA), add it as a token signing certificate and enable IdP provider certificate validation on ADFS.
      1. Generate a certificate using your enterprise CA.
      2. Add the token signing certificate on ADFS.
        Use the instructions on the Microsoft website to add the certificate.
    5. Add all the gateways and portals in Prisma Access as Relying Party Trusts by completing Step 2 and Step 3 for the remaining Prisma Access portals and gateways.

    Configure ADFS on Panorama

    Complete ADFS configuration by performing the following steps in Panorama.
    1. In Panorama, select DeviceServer ProfilesSAML Identity Provider.
      Make sure that you select Mobile_User_Template in the Templates area.
    2. Import a new SAML Identity Provider.
      1. Give the profile a Profile Name.
      2. Click Browse next to the Identity Provider Metadata field and import the federation metadata XML file you downloaded to your local machine.
      3. (Optional) If you configured a CA-issued certificate in Configure ADFS on the ADFS Server, select Validate Identity Provider Certificate.
    3. (Optional) if you are using a CA-issued certificate, import the certificate and create a certificate profile.
      1. Select Certificate ManagementCertificates and Import the IdP root certificate into Panorama.
      2. Select DeviceDevice ManagementCertificate Management and Add a certificate profile; then, Add a CA Certificate, specifying the certificate you just imported.
    4. Select DeviceAuthentication Profile and Add a new Authentication Profile, specifying the following options:
      • Select the server type as SAML
      • (Optional) If you configured a CA-issued certificate in Configure ADFS on the ADFS Server, select the Certificate Profile that you created for the certificate; otherwise, leave the default of None.
      Leave the other fields unchanged.
      After you add the authentication profile, you can use it with portal and gateway authentication.
      To check authentication-related messages in the system logs, use a filter of subtype eq auth.

    © 2026 Palo Alto Networks, Inc. All rights reserved.