Configure ADFS as a SAML Provider for Mobile Users
Focus
Focus
Prisma Access

Configure ADFS as a SAML Provider for Mobile Users

Table of Contents

Configure ADFS as a SAML Provider for Mobile Users

Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
This section describes the steps you perform to integrate Prisma Access with Active Directory Federation Services (ADFS) 4.0 as a Security Assertion Markup Language (SAML) identity provider.
Prisma Access users provides enterprise authentication via SAML. When a mobile user attempts to connect, Prisma Access, acting as the SAML service provider, or SP, returns an authentication request to the client browser, which in turn sends it to your SAML identity provider (IdP) to authenticate the user. Use the following procedure to configure a trust relationship between Prisma Access and your Active Directory Federation Services (ADFS) 4.0 IdP.
Before you start this procedure, make sure that the ADFS server has the following prerequisites:
  • Check that you can navigate to your AD FS namespace’s initiated sign-on page. The URL is in the format
    https://
    <namespace>
    <adfs-server-hostname>
    /adfs/ls/idpinitiatedsignon.aspx
    , where
    <namespace>
    is the namespace for the ADFS server (either
    adfs.
    or, if you use the Secure Token Service (STS),
    sts.
    ) and
    <adfs-server-hostname>
    is the host name for the ADFS server.
    An example URL is
    https://adfs.hooli.com/adfs/ls/idpinitiatedsignon.aspx
    .
  • Make sure that you downloaded the federation metadata XML file to a local machine. You must import this file into Panorama to complete the SAML identity provider configuration.
    To download this file, start AD FS Management on the server running ADFS, then select
    AD FS
    Service
    Endpoints
    and find the URL to download the file. The URL is in the format
    https://
    <adfs-server-hostname>
    /FederationMetadata/2007-06/FederationMetadata.xml
    , where
    <adfs-server-hostname>
    is the host name for the ADFS server.

Cloud Management

Configure Prisma Access to establish a trust relationship between Prisma Access and your ADFS IdP for SAML 2.0 to enable authentication for your mobile users.
Before you begin, make sure that you can navigate to your AD FS namespace’s initiated sign-on page. The URL is in the format
https://
<namespace>
<adfs-server-hostname>
/adfs/ls/idpinitiatedsignon.aspx
, where
<namespace>
is the namespace for the ADFS server (either
adfs.
or, if you use the Secure Token Service (STS),
sts.
) and
<adfs-server-hostname>
is the host name for the ADFS server. An example URL is
https://adfs.acme.com/adfs/ls/idpinitiatedsignon.aspx
.
  1. Complete the steps for defining the Service Provider (SP) settings, including generating or importing the certificate that Prisma Access uses to sign SAML messages that it sends to the identity provider (IdP).
  2. Export the Prisma Access signing certificate so that you can import it onto your IdP.
  3. Add each Prisma Access portal and gateway as a
    Relying Party Trust
    to the Windows server.
    1. On the server running AD FS, start AD FS Management.
    2. In the
      Navigation Pane
      , expand
      Trust Relationships
      , and then select
      Relying Party Trusts
      .
    3. On the
      Actions
      menu located in the right column, select
      Add Relying Party Trust
      .
    4. In the
      Add Relying Party Trust Wizard
      page, select
      Claims aware
      and click
      Start
      .
    5. In the
      Select Data Source
      page, select
      Enter data about the relying party manually
      and click
      Next
      .
    6. In the
      Specify Display Name
      page, enter the name for the first relying party (one of the IP addresses in the list of security processing nodes you exported from Prisma Access) and click
      Next
      .
      This example specifies one of the security processing nodes from Prisma Access as a relying party.
    7. In the
      Configure URL
      page, enter the SAML single sign-on URL you configured for Prisma Access and then click
      Next
      .
      The URL is in the format
      https://
      <prisma-access-hostname>
      :433/SAML20/SP/ACS
      , where
      <prisma-access-hostname>
      is the name of the Prisma Access gateway you are configuring as a relying party trust.
    8. In the
      Configure Identifiers
      page, enter the relying party trust identifier for Prisma Access and then click
      Next
      .
      The relying party trust identifier URL is in the format
      https://
      <prisma-access-hostname>
      :443/SAML20/SP
      , where
      <prisma-access-hostname>
      is the name of the Prisma Access security processing node you are configuring as a relying party trust.
    9. In the
      Choose Access Control Policy
      page, leave the
      Policy
      as
      Permit everyone
      and click
      Next
      .
    10. Click
      Finish
      .
      ADFS adds a new
      Relying Party Trusts
      entry.
  4. Add a rule to the relying party trust you created.
    1. In the
      Relying Party Trusts
      page, find the Prisma Access node you just added in the selections on the right, then select
      Edit Claim Issuance Policy
      .
    2. In the
      Edit Claim Issuance Policy
      page, click
      Add Rule
      .
    3. In the
      Select Rule Template
      page, select
      Send LDAP attributes as Claims
      as the Claim rule template and click
      Next
      .
    4. In the
      Configure Rule
      window, add an
      LDAP Attribute
      of
      SAM-Account-Name
      and an
      Outgoing Claim Type
      of
      Name ID
      .
      By default, the Prisma Access security processing nodes expect the
      username
      attribute in the SAML response from the Identity Provider (IdP).
    5. Click
      Apply
      then click
      OK
      .
      The Prisma Access node displays in the list of
      Relying Party Trusts
      .
  5. Add the remaining security processing nodes in Prisma Access as Relying Party Trusts.
  6. Download the federation metadata XML file and the ADFS CA certificate to a local machine for import into Prisma Access:
    1. To download the metadata file, start AD FS Management on the server running ADFS, then select
      AD FS
      Service
      Endpoints
      and find the URL to download the file. The URL is in the format
      https://
      <adfs-server-hostname>
      /FederationMetadata/2007-06/FederationMetadata.xml
      , where
      <adfs-server-hostname>
      is the host name for the ADFS server.
    2. If the certificate that the ADFS server uses to sign SAML responses is not signed by a well-known, third-party CA, export the CA certificate so that you can import it into Prisma Access.
  7. Import the metadata file and the CA certificate (if needed) from ADFS into Prisma Access.
    1. Log in to the Prisma Access app on the hub and select
      Configure
      Mobile Users
      Go To Summary
      and
      Edit
      the Enterprise Authentication configuration.
    2. In
      SAML IdP Profile
      click
      Add SAML IdP Profile
      and
      Import
      the metadata file you exported from the ADFS server.
    3. Save
      the IdP profile.

Panorama

Make sure that ADFS is using an SSL certificate issued by a trusted certificate authority (CA). If the CA is self-signed and belongs to the organization, import the CA certificate into Panorama
Certificate Management
Certificates
Import
) under the
Mobile_User_Template
.
The examples in this section show the ADFS server being configured on Windows Server 2016.

Configure ADFS on the ADFS Server

For ADFS to work with Prisma Access, you must add all configuration associated with mobile users as a Relying Party Trust. Add this information by completing the following steps.
  1. Retrieve the list of URLs associated with the cloud-based portals and gateways.
    1. In Panorama, select
      Panorama
      Cloud Services
      Status
      , then select
      Mobile Users
      .
    2. Copy the URLs of the
      Portals
      and
      Gateways
      that display.
  2. Add each Prisma Access portal and gateway as a
    Relying Party Trust
    to the Windows server.
    1. On the server running AD FS, start AD FS Management.
    2. In the
      Navigation Pane
      , expand
      Trust Relationships
      , and then select
      Relying Party Trusts
      .
    3. On the
      Actions
      menu located in the right column, select
      Add Relying Party Trust
      .
    4. In the
      Add Relying Party Trust Wizard
      page, select
      Claims aware
      and click
      Start
      .
    5. In the
      Select Data Source
      page, select
      Enter data about the relying party manually
      and click
      Next
      .
    6. In the
      Specify Display Name
      page, enter the name for the first relying party (one of the Prisma Access gateways or portals) and click
      Next
      .
      This example specifies one of the cloud
      Gateways
      from Prisma Access as a relying party.
    7. In the
      Configure URL
      page, enter the SAML single sign-on URL for the gateway; then click
      Next
      .
      The URL is in the format
      https://
      <gateway-hostname>
      :443/SAML20/SP/ACS
      , where
      <gateway-hostname>
      is the name of the Prisma Access gateway you are configuring as a relying party trust.
    8. In the
      Configure Identifiers
      page, enter the relying party trust identifier for the gateway; then click
      Next
      .
      The relying party trust identifier URL is in the format
      https://
      <gateway-hostname>
      :443/SAML20/SP
      , where
      <gateway-hostname>
      is the name of the Prisma Access gateway you are configuring as a relying party trust.
    9. In the
      Choose Access Control Policy
      page, leave the
      Policy
      as
      Permit everyone
      and click
      Next
      .
    10. Click
      Finish
      .
      ADFS adds a new
      Relying Party Trusts
      entry.
  3. Add a rule to the relying party trust you created.
    1. In the
      Relying Party Trusts
      page, find the gateway you just added in the selections on the right, then select
      Edit Claim Issuance Policy
      .
    2. In the
      Edit Claim Issuance Policy
      page, click
      Add Rule
      .
    3. In the
      Select Rule Template
      page, select
      Send LDAP attributes as Claims
      as the Claim rule template and click
      Next
      .
    4. In the
      Configure Rule
      window, add an
      LDAP Attribute
      of
      SAML-Account-Name
      and an
      Outgoing Claim Type
      of
      Name ID
      .
      By default, the Prisma Access portal and gateways expect to see the
      username
      attribute in the SAML response from the Identity Provider (IdP).
    5. Click
      Apply
      then click
      OK
      .
      The gateway displays in the list of
      Relying Party Trusts
      .
  4. (
    Optional
    ) If you use a certificate issued by a Certificate Authority (CA), add it as a token signing certificate and enable IdP provider certificate validation on ADFS.
    1. Generate a certificate using your enterprise CA.
    2. Add the token signing certificate on ADFS.
      Use the instructions on the Microsoft website to add the certificate.
  5. Add all the gateways and portals in Prisma Access as Relying Party Trusts by completing Step 2 and Step 3 for the remaining Prisma Access portals and gateways.

Configure ADFS on Panorama

Complete ADFS configuration by performing the following steps in Panorama.
  1. In Panorama, select
    Device
    Server Profiles
    SAML Identity Provider
    .
    Make sure that you select
    Mobile_User_Template
    in the
    Templates
    area.
  2. Import
    a new SAML Identity Provider.
    1. Give the profile a
      Profile Name
      .
    2. Click
      Browse
      next to the
      Identity Provider Metadata
      field and import the federation metadata XML file you downloaded to your local machine.
    3. (
      Optional
      ) If you configured a CA-issued certificate in Configure ADFS on the ADFS Server, select
      Validate Identity Provider Certificate
      .
  3. (
    Optional
    ) if you are using a CA-issued certificate, import the certificate and create a certificate profile.
    1. Select
      Certificate Management
      Certificates
      and
      Import
      the IdP root certificate into Panorama.
    2. Select
      Device
      Device Management
      Certificate Management
      and
      Add
      a certificate profile; then,
      Add
      a
      CA Certificate
      , specifying the certificate you just imported.
  4. Select
    Device
    Authentication Profile
    and
    Add
    a new Authentication Profile, specifying the following options:
    • Select the server type as
      SAML
    • (
      Optional
      ) If you configured a CA-issued certificate in Configure ADFS on the ADFS Server, select the
      Certificate Profile
      that you created for the certificate; otherwise, leave the default of
      None
      .
    Leave the other fields unchanged.
    After you add the authentication profile, you can use it with portal and gateway authentication.
    To check authentication-related messages in the system logs, use a filter of
    subtype eq auth
    .

Recommended For You