Prisma Access
Configure ADFS as a SAML Provider for Mobile Users
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Configure ADFS as a SAML Provider for Mobile Users
Where Can I Use
This? | What Do I Need? |
---|---|
|
|
This section describes the steps you perform to integrate Prisma Access with Active
Directory Federation Services (ADFS) 4.0 as a Security Assertion Markup Language
(SAML) identity provider.
Prisma Access users provides enterprise authentication via SAML. When a mobile user
attempts to connect, Prisma Access, acting as the SAML service provider, or SP,
returns an authentication request to the client browser, which in turn sends it to
your SAML identity provider (IdP) to authenticate the user. Use the following
procedure to configure a trust relationship between Prisma Access and your Active
Directory Federation Services (ADFS) 4.0 IdP.
Before you start this procedure, make sure that the ADFS server has the following
prerequisites:
- Check that you can navigate to your AD FS namespace’s initiated sign-on page. The URL is in the formathttps://<namespace><adfs-server-hostname>/adfs/ls/idpinitiatedsignon.aspx, where<namespace>is the namespace for the ADFS server (eitheradfs.or, if you use the Secure Token Service (STS),sts.) and<adfs-server-hostname>is the host name for the ADFS server.An example URL ishttps://adfs.hooli.com/adfs/ls/idpinitiatedsignon.aspx.
- Make sure that you downloaded the federation metadata XML file to a local machine. You must import this file into Panorama to complete the SAML identity provider configuration.To download this file, start AD FS Management on the server running ADFS, then selectand find the URL to download the file. The URL is in the formatAD FSServiceEndpointshttps://<adfs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml, where<adfs-server-hostname>is the host name for the ADFS server.
Cloud Management
Cloud Management
Configure Prisma Access to establish a trust relationship between Prisma Access and
your ADFS IdP for SAML 2.0 to enable authentication for your mobile users.
Before you begin, make sure that you can navigate to your AD FS namespace’s initiated
sign-on page. The URL is in the format
https://
<namespace>
<adfs-server-hostname>
/adfs/ls/idpinitiatedsignon.aspx
,
where <namespace>
is the namespace for the ADFS server (either
adfs.
or, if you use the Secure Token Service (STS), sts.
) and
<adfs-server-hostname>
is the host name for the ADFS
server. An example URL is
https://adfs.acme.com/adfs/ls/idpinitiatedsignon.aspx
.- Complete the steps for defining the Service Provider (SP) settings, including generating or importing the certificate that Prisma Access uses to sign SAML messages that it sends to the identity provider (IdP).
- Export the Prisma Access signing certificate so that you can import it onto your IdP.
- Add each Prisma Access portal and gateway as aRelying Party Trustto the Windows server.
- On the server running AD FS, start AD FS Management.
- In theNavigation Pane, expandTrust Relationships, and then selectRelying Party Trusts.
- On theActionsmenu located in the right column, selectAdd Relying Party Trust.
- In theAdd Relying Party Trust Wizardpage, selectClaims awareand clickStart.
- In theSelect Data Sourcepage, selectEnter data about the relying party manuallyand clickNext.
- In theSpecify Display Namepage, enter the name for the first relying party (one of the IP addresses in the list of security processing nodes you exported from Prisma Access) and clickNext.This example specifies one of the security processing nodes from Prisma Access as a relying party.
- In theConfigure URLpage, enter the SAML single sign-on URL you configured for Prisma Access and then clickNext.The URL is in the formathttps://<prisma-access-hostname>:433/SAML20/SP/ACS, where<prisma-access-hostname>is the name of the Prisma Access gateway you are configuring as a relying party trust.
- In theConfigure Identifierspage, enter the relying party trust identifier for Prisma Access and then clickNext.The relying party trust identifier URL is in the formathttps://<prisma-access-hostname>:443/SAML20/SP, where<prisma-access-hostname>is the name of the Prisma Access security processing node you are configuring as a relying party trust.
- In theChoose Access Control Policypage, leave thePolicyasPermit everyoneand clickNext.
- ClickFinish.ADFS adds a newRelying Party Trustsentry.
- Add a rule to the relying party trust you created.
- In theRelying Party Trustspage, find the Prisma Access node you just added in the selections on the right, then selectEdit Claim Issuance Policy.
- In theEdit Claim Issuance Policypage, clickAdd Rule.
- In theSelect Rule Templatepage, selectSend LDAP attributes as Claimsas the Claim rule template and clickNext.
- In theConfigure Rulewindow, add anLDAP AttributeofSAM-Account-Nameand anOutgoing Claim TypeofName ID.By default, the Prisma Access security processing nodes expect theusernameattribute in the SAML response from the Identity Provider (IdP).
- ClickApplythen clickOK.The Prisma Access node displays in the list ofRelying Party Trusts.
- Add the remaining security processing nodes in Prisma Access as Relying Party Trusts.
- Download the federation metadata XML file and the ADFS CA certificate to a local machine for import into Prisma Access:
- To download the metadata file, start AD FS Management on the server running ADFS, then selectand find the URL to download the file. The URL is in the formatAD FSServiceEndpointshttps://<adfs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml, where<adfs-server-hostname>is the host name for the ADFS server.
- If the certificate that the ADFS server uses to sign SAML responses is not signed by a well-known, third-party CA, export the CA certificate so that you can import it into Prisma Access.
- Import the metadata file and the CA certificate (if needed) from ADFS into Prisma Access.
- Log in to the Prisma Access app on the hub and selectandConfigureMobile UsersGo To SummaryEditthe Enterprise Authentication configuration.
- InSAML IdP ProfileclickAdd SAML IdP ProfileandImportthe metadata file you exported from the ADFS server.
- Savethe IdP profile.
Panorama
Panorama
Make sure that ADFS is using an SSL certificate issued by a trusted certificate
authority (CA). If the CA is self-signed and belongs to the organization, import the
CA certificate into Panorama ) under the
Certificate Management
Certificates
Import
Mobile_User_Template
.The examples in this section show the ADFS server being configured on Windows
Server 2016.
Configure ADFS on the ADFS Server
For ADFS to work with Prisma Access, you must add all configuration associated
with mobile users as a Relying Party Trust. Add this information by completing
the following steps.
- Retrieve the list of URLs associated with the cloud-based portals and gateways.
- In Panorama, select, then selectPanoramaCloud ServicesStatusMobile Users.
- Copy the URLs of thePortalsandGatewaysthat display.
- Add each Prisma Access portal and gateway as aRelying Party Trustto the Windows server.
- On the server running AD FS, start AD FS Management.
- In theNavigation Pane, expandTrust Relationships, and then selectRelying Party Trusts.
- On theActionsmenu located in the right column, selectAdd Relying Party Trust.
- In theAdd Relying Party Trust Wizardpage, selectClaims awareand clickStart.
- In theSelect Data Sourcepage, selectEnter data about the relying party manuallyand clickNext.
- In theSpecify Display Namepage, enter the name for the first relying party (one of the Prisma Access gateways or portals) and clickNext.This example specifies one of the cloudGatewaysfrom Prisma Access as a relying party.
- In theConfigure URLpage, enter the SAML single sign-on URL for the gateway; then clickNext.The URL is in the formathttps://<gateway-hostname>:443/SAML20/SP/ACS, where<gateway-hostname>is the name of the Prisma Access gateway you are configuring as a relying party trust.
- In theConfigure Identifierspage, enter the relying party trust identifier for the gateway; then clickNext.The relying party trust identifier URL is in the formathttps://<gateway-hostname>:443/SAML20/SP, where<gateway-hostname>is the name of the Prisma Access gateway you are configuring as a relying party trust.
- In theChoose Access Control Policypage, leave thePolicyasPermit everyoneand clickNext.
- ClickFinish.ADFS adds a newRelying Party Trustsentry.
- Add a rule to the relying party trust you created.
- In theRelying Party Trustspage, find the gateway you just added in the selections on the right, then selectEdit Claim Issuance Policy.
- In theEdit Claim Issuance Policypage, clickAdd Rule.
- In theSelect Rule Templatepage, selectSend LDAP attributes as Claimsas the Claim rule template and clickNext.
- In theConfigure Rulewindow, add anLDAP AttributeofSAML-Account-Nameand anOutgoing Claim TypeofName ID.By default, the Prisma Access portal and gateways expect to see theusernameattribute in the SAML response from the Identity Provider (IdP).
- ClickApplythen clickOK.The gateway displays in the list ofRelying Party Trusts.
- (Optional) If you use a certificate issued by a Certificate Authority (CA), add it as a token signing certificate and enable IdP provider certificate validation on ADFS.
- Generate a certificate using your enterprise CA.
- Add the token signing certificate on ADFS.Use the instructions on the Microsoft website to add the certificate.
Configure ADFS on Panorama
Complete ADFS configuration by performing the following steps in Panorama.
- In Panorama, select.DeviceServer ProfilesSAML Identity ProviderMake sure that you selectMobile_User_Templatein theTemplatesarea.
- Importa new SAML Identity Provider.
- Give the profile aProfile Name.
- ClickBrowsenext to theIdentity Provider Metadatafield and import the federation metadata XML file you downloaded to your local machine.
- (Optional) If you configured a CA-issued certificate in Configure ADFS on the ADFS Server, selectValidate Identity Provider Certificate.
- (Optional) if you are using a CA-issued certificate, import the certificate and create a certificate profile.
- SelectandCertificate ManagementCertificatesImportthe IdP root certificate into Panorama.
- SelectandDeviceDevice ManagementCertificate ManagementAdda certificate profile; then,AddaCA Certificate, specifying the certificate you just imported.
- SelectandDeviceAuthentication ProfileAdda new Authentication Profile, specifying the following options:
- Select the server type asSAML
- (Optional) If you configured a CA-issued certificate in Configure ADFS on the ADFS Server, select theCertificate Profilethat you created for the certificate; otherwise, leave the default ofNone.
Leave the other fields unchanged.After you add the authentication profile, you can use it with portal and gateway authentication.To check authentication-related messages in the system logs, use a filter ofsubtype eq auth.