Prisma Access
Configure ADFS as a SAML Provider for Mobile Users
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
5.2 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
-
- Allocate Licenses for Prisma Access (Managed by Strata Cloud Manager)
- Plan Service Connections for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Add Additional Locations for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Enable Available Add-ons for Prisma Access (Managed by Strata Cloud Manager)
- Search for Subscription Details
- Share a License for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Increase Subscription Allocation Quantity
-
- Activate a License for Prisma Access (Managed by Strata Cloud Manager) and Prisma SD-WAN Bundle
- Activate and Edit a License for SASE 5G Through Common Services
-
- Onboard Prisma Access
-
4.0 & Later
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
- Prisma Access China
-
- Set Up Prisma Access
- Configure the Prisma Access Service Infrastructure
- Remote Networks: IPSec Termination Nodes and Service IP Addresses
- Remote Networks: IP Address Changes Related To Bandwidth Allocation
- Remote Networks: Service IP Address and Egress IP Address Allocation
- API Examples for Retrieving Prisma Access IP Addresses
- Get Notifications When Prisma Access IP Addresses Change
- Prisma Access Zones
- DNS for Prisma Access
- High Availability for Prisma Access
-
- Enable ZTNA Connector
- Delete Connector IP Blocks
- Set Up Auto Discovery of Applications Using Cloud Identity Engine
- Private Application Target Discovery
- Security Policy for Apps Enabled with ZTNA Connector
- Monitor ZTNA Connector
- View ZTNA Connector Logs
- Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT
-
- Enable Dynamic Privilege Access for Prisma Access Through Common Services
- Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access
- Enable the Access Agent
- Set Up the Agent Infrastructure for Dynamic Privilege Access
- Create a Snippet
- Create a Project
- Traffic Steering for Dynamic Privilege Access
- Push the Prisma Access Agent Configuration
- Download the Dynamic Privilege Access Enabled Prisma Access Agent Package
-
- Install the Prisma Access Agent
- Log in to the Dynamic Privilege Access Enabled Prisma Access Agent
- Change Preferences for the Dynamic Privilege Access Enabled Prisma Access Agent
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Location
- Switch to a Different Project
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Server
- Disable the Dynamic Privilege Access Enabled Prisma Access Agent
- Switch Between the Prisma Access Agent and GlobalProtect App
- View and Monitor Dynamic Privilege Access Users
- View and Monitor Dynamic Privilege Access Projects
- Manage Prisma SASE 5G
- App Acceleration in Prisma Access
-
-
- Planning Checklist for GlobalProtect on Prisma Access
- Set Up GlobalProtect Mobile Users
- GlobalProtect — Customize Tunnel Settings
- GlobalProtect — Customize App Settings
- Ticket Request to Disable GlobalProtect
- GlobalProtect Pre-Logon
- GlobalProtect — Clientless VPN
- Monitor GlobalProtect Mobile Users
- How the GlobalProtect App Selects Prisma Access Locations for Mobile Users
- Allow Listing GlobalProtect Mobile Users
-
- Explicit Proxy Configuration Guidelines
- GlobalProtect in Proxy Mode
- GlobalProtect in Tunnel and Proxy Mode
- Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
- SAML Authentication for Explicit Proxy
- Set Up Explicit Proxy
- Cloud Identity Engine Authentication for Explicit Proxy Deployments
- Proxy Mode on Remote Networks
- How Explicit Proxy Identifies Users
- Explicit Proxy Forwarding Profiles
- PAC File Guidelines
- Explicit Proxy Best Practices
- Monitor and Troubleshoot Explicit Proxy
- Block Settings for Explicit Proxy
- Use Special Objects to Restrict Explicit Proxy Internet Traffic to Specific IP Addresses
- Access Your Data Center Using Explicit Proxy
- App-Based Office 365 Integration with Explicit Proxy
- Chromebook with Prisma Access Explicit Proxy
- Configure Proxy Chaining with Blue Coat Proxy
- Configure Proxy Chaining on Prisma Access Explicit Proxy
- IP Address Optimization for Explicit Proxy Users- Proxy Deployments
- DNS Resolution for Mobile Users—Explicit Proxy Deployments
- View User to IP Address or User Groups Mappings
- Report Mobile User Site Access Issues
- Enable Mobile Users to Access Corporate Resources
-
-
- Planning Checklist for Remote Networks
- Allocate Remote Network Bandwidth
- Onboard a Remote Network
- Connect a Remote Network Site to Prisma Access
- Enable Routing for Your Remote Network
- Onboard Multiple Remote Networks
- Configure Remote Network and Service Connection Connected with a WAN Link
- Remote Networks—High Performance
- Integrate a Shared Desktop VDI with Prisma Access Using Terminal Server
-
- Multitenancy Configuration Overview
- Plan Your Multitenant Deployment
- Create an All-New Multitenant Deployment
- Enable Multitenancy and Migrate the First Tenant
- Add Tenants to Prisma Access
- Delete a Tenant
- Create a Tenant-Level Administrative User
- Sort Logs by Device Group ID in a Multitenant Deployment
-
- Add a New Compute Location for a Deployed Prisma Access Location
- How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections
- Proxy Support for Prisma Access and Strata Logging Service
- Block Incoming Connections from Specific Countries
- Prisma Access for No Default Route Networks
-
-
- Default Routes With Prisma Access Traffic Steering
- Traffic Steering in Prisma Access
- Traffic Steering Requirements
- Default Routes with Traffic Steering Example
- Default Routes with Traffic Steering Direct to Internet Example
- Default Routes with Traffic Steering and Dedicated Service Connection Example
- Prisma Access Traffic Steering Rule Guidelines
- Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections
- Configure Traffic Steering in Prisma Access
- Preserve User-ID and Device-ID Mapping for Service Connections with Source NAT
-
- Prisma Access Internal Gateway
-
- Configure Privileged Remote Access Settings
- Set Up the Privileged Remote Access Portal
- Configure Applications for Privileged Remote Access
- Set Up Privileged Remote Access Profiles
- Define Permissions for Accessing Privileged Remote Access Apps
- Configure Split Tunneling for Privileged Remote Access Traffic
- Manage Privileged Remote Access Connections
- Use Privileged Remote Access
-
- Integrate Prisma Access With Other Palo Alto Networks Apps
- Integrate Third-Party Enterprise Browser with Explicit Proxy
- Integrate Third-Party NDRs with Prisma Access
-
-
- Connect your Mobile Users in Mainland China to Prisma Access Overview
- Configure Prisma Access for Mobile Users in China
- Configure Real-Name Registration and Create the VPCs in Alibaba Cloud
- Attach the CEN and Specify the Bandwidth
- Create Linux Instances in the Alibaba Cloud VPCs
- Configure the Router Instances
- Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal
-
-
-
- INC_CIE_AGENT_DISCONNECT
- INC_CIE_DIRECTORY_DISCONNECT
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_MU_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_MU_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_DNS_SERVER_UNREACHABLE_ PER_PA_LOCATION
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_RN_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_DNS_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_ECMP_TUNNEL_RTT_EXCEEDED_ BASELINE
- INC_RN_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SECONDARY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SITE_CAPACITY_PREDICTION
- INC_SC_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SITE_CAPACITY_PREDICTION
-
- INC_CERTIFICATE_EXPIRY
- INC_GP_CLIENT_VERSION_UNSUPPORTED
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_CAPACITY
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_THRESHOLD
- INC_PA_INFRA_DEGRADATION
- INC_PA_SERVICE_DEGRADATION_PA_LOCATION
- INC_PA_SERVICE_DEGRADATION_RN_ SITE_CONNECTIVITY
- INC_PA_SERVICE_DEGRADATION_SC_ CONNECTIVITY
- INC_RN_ECMP_BGP_DOWN
- INC_RN_ECMP_BGP_FLAP
- INC_RN_ECMP_PROXY_TUNNEL_DOWN
- INC_RN_ECMP_PROXY_TUNNEL_FLAP
- INC_RN_ECMP_TUNNEL_DOWN
- INC_RN_ECMP_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_BGP_FLAP
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_BGP_DOWN
- INC_RN_SECONDARY_WAN_BGP_FLAP
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_FLAP
- INC_RN_SITE_DOWN
- INC_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_RN_SPN_LONG_DURATION_CAPACITY_EXCEEDED _THRESHOLD
- INC_RN_SPN_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_SC_PRIMARY_WAN_BGP_DOWN
- INC_SC_PRIMARY_WAN_BGP_FLAP
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_PRIMARY_WAN_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_BGP_DOWN
- INC_SC_SECONDARY_WAN_BGP_FLAP
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_TUNNEL_FLAP
- INC_SC_SITE_DOWN
- INC_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_SC_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- INC_ZTNA_CONNECTOR_CPU_HIGH
- INC_ZTNA_CONNECTOR_MEMORY_HIGH
- INC_ZTNA_CONNECTOR_TUNNEL_DOWN
-
- AL_CIE_AGENT_DISCONNECT
- AL_CIE_DIRECTORY_DISCONNECT
- AL_MU_IP_POOL_CAPACITY
- AL_MU_IP_POOL_USAGE
- AL_RN_ECMP_BGP_DOWN
- AL_RN_ECMP_BGP_FLAP
- AL_RN_PRIMARY_WAN_BGP_DOWN
- AL_RN_PRIMARY_WAN_BGP_FLAP
- AL_RN_PRIMARY_WAN_TUNNEL_DOWN
- AL_RN_PRIMARY_WAN_TUNNEL_FLAP
- AL_RN_SECONDARY_WAN_BGP_DOWN
- AL_RN_SECONDARY_WAN_BGP_FLAP
- AL_RN_SECONDARY_WAN_TUNNEL_DOWN
- AL_RN_SECONDARY_WAN_TUNNEL_FLAP
- AL_RN_SITE_DOWN
- AL_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- AL_RN_SPN_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_PRIMARY_WAN_BGP_DOWN
- AL_SC_PRIMARY_WAN_BGP_FLAP
- AL_SC_PRIMARY_WAN_TUNNEL_DOWN
- AL_SC_PRIMARY_WAN_TUNNEL_FLAP
- AL_SC_SECONDARY_WAN_BGP_DOWN
- AL_SC_SECONDARY_WAN_BGP_FLAP
- AL_SC_SECONDARY_WAN_TUNNEL_DOWN
- AL_SC_SECONDARY_WAN_TUNNEL_FLAP
- AL_SC_SITE_DOWN
- AL_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_SITE_LONG_DURATION_EXCEEDED_CAPACITY
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- AL_ZTNA_CONNECTOR_CPU_HIGH
- AL_ZTNA_CONNECTOR_MEMORY_HIGH
- AL_ZTNA_CONNECTOR_TUNNEL_DOWN
- New Features in Incidents and Alerts
- Known Issues
Configure ADFS as a SAML Provider for Mobile Users
Where Can I Use This? | What Do I Need? |
---|---|
|
|
This section describes the steps you perform to integrate Prisma Access with Active
Directory Federation Services (ADFS) 4.0 as a Security Assertion Markup Language
(SAML) identity provider.
Prisma Access users provides enterprise authentication via SAML. When a mobile user
attempts to connect, Prisma Access, acting as the SAML service provider, or SP,
returns an authentication request to the client browser, which in turn sends it to
your SAML identity provider (IdP) to authenticate the user. Use the following
procedure to configure a trust relationship between Prisma Access and your Active
Directory Federation Services (ADFS) 4.0 IdP.
Before you start this procedure, make sure that the ADFS server has the following
prerequisites:
- Check that you can navigate to your AD FS namespace’s initiated sign-on page. The URL is in the format https://<namespace><adfs-server-hostname>/adfs/ls/idpinitiatedsignon.aspx, where <namespace> is the namespace for the ADFS server (either adfs. or, if you use the Secure Token Service (STS), sts.) and <adfs-server-hostname> is the host name for the ADFS server.An example URL is https://adfs.hooli.com/adfs/ls/idpinitiatedsignon.aspx.
- Make sure that you downloaded the federation metadata XML file to a local machine. You must import this file into Panorama to complete the SAML identity provider configuration.To download this file, start AD FS Management on the server running ADFS, then select AD FSServiceEndpoints and find the URL to download the file. The URL is in the format https://<adfs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml, where <adfs-server-hostname> is the host name for the ADFS server.
Configure ADFS as a SAML Provider for Mobile Users (Strata Cloud Manager)
Configure Prisma Access to establish a trust relationship between Prisma Access and
your ADFS IdP for SAML 2.0 to enable authentication for your mobile users.
Before you begin, make sure that you can navigate to your AD FS namespace’s initiated
sign-on page. The URL is in the format
https://<namespace><adfs-server-hostname>/adfs/ls/idpinitiatedsignon.aspx,
where <namespace> is the namespace for the ADFS server (either
adfs. or, if you use the Secure Token Service (STS), sts.) and
<adfs-server-hostname> is the host name for the ADFS
server. An example URL is
https://adfs.acme.com/adfs/ls/idpinitiatedsignon.aspx.
- Enable Mobile Users to Authenticate to Prisma Access.Complete the steps for defining the Service Provider (SP) settings, including generating or importing the certificate that Prisma Access uses to sign SAML messages that it sends to the identity provider (IdP).
- Export the Prisma Access signing certificate so that you can import it onto your IdP.
- Add each Prisma Access portal and gateway as a Relying Party Trust to the Windows server.
- On the server running AD FS, start AD FS Management.
- In the Navigation Pane, expand Trust Relationships, and then select Relying Party Trusts.
- On the Actions menu located in the right column, select Add Relying Party Trust.
- In the Add Relying Party Trust Wizard page, select Claims aware and click Start.
- In the Select Data Source page, select Enter data about the relying party manually and click Next.
- In the Specify Display Name page, enter the name for the first relying party (one of the IP addresses in the list of security processing nodes you exported from Prisma Access) and click Next.This example specifies one of the security processing nodes from Prisma Access as a relying party.
- In the Configure URL page, enter the SAML single sign-on URL you configured for Prisma Access and then click Next.The URL is in the format https://<prisma-access-hostname>:433/SAML20/SP/ACS, where <prisma-access-hostname> is the name of the Prisma Access gateway you are configuring as a relying party trust.
- In the Configure Identifiers page, enter the relying party trust identifier for Prisma Access and then click Next.The relying party trust identifier URL is in the format https://<prisma-access-hostname>:443/SAML20/SP, where <prisma-access-hostname> is the name of the Prisma Access security processing node you are configuring as a relying party trust.
- In the Choose Access Control Policy page, leave the Policy as Permit everyone and click Next.
- Click Finish.ADFS adds a new Relying Party Trusts entry.
- Add a rule to the relying party trust you created.
- In the Relying Party Trusts page, find the Prisma Access node you just added in the selections on the right, then select Edit Claim Issuance Policy.
- In the Edit Claim Issuance Policy page, click Add Rule.
- In the Select Rule Template page, select Send LDAP attributes as Claims as the Claim rule template and click Next.
- In the Configure Rule window, add an LDAP Attribute of SAM-Account-Name and an Outgoing Claim Type of Name ID.By default, the Prisma Access security processing nodes expect the username attribute in the SAML response from the Identity Provider (IdP).
- Click Apply then click OK.The Prisma Access node displays in the list of Relying Party Trusts.
- Add the remaining security processing nodes in Prisma Access as Relying Party Trusts.
- Download the federation metadata XML file and the ADFS CA certificate to a local machine for import into Prisma Access:
- To download the metadata file, start AD FS Management on the server running ADFS, then select AD FSServiceEndpoints and find the URL to download the file. The URL is in the format https://<adfs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml, where <adfs-server-hostname> is the host name for the ADFS server.
- If the certificate that the ADFS server uses to sign SAML responses is not signed by a well-known, third-party CA, export the CA certificate so that you can import it into Prisma Access.
- Import the metadata file and the CA certificate (if needed) from ADFS into Prisma Access.
- Log in to the Strata Cloud Manager on the hub and select ConfigureMobile UsersGo To Summary and Edit the Enterprise Authentication configuration.
- In SAML IdP Profile click Add SAML IdP Profile and Import the metadata file you exported from the ADFS server.
- Save the IdP profile.
Configure ADFS as a SAML Provider for Mobile Users (Panorama)
Make sure that ADFS is using an SSL certificate issued by a trusted certificate
authority (CA). If the CA is self-signed and belongs to the organization, import the
CA certificate into Panorama Certificate ManagementCertificatesImport) under the Mobile_User_Template.
The examples in this section show the ADFS server being configured on Windows
Server 2016.
Configure ADFS on the ADFS Server
For ADFS to work with Prisma Access, you must add all configuration associated
with mobile users as a Relying Party Trust. Add this information by completing
the following steps.
- Retrieve the list of URLs associated with the cloud-based portals and gateways.
- In Panorama, select PanoramaCloud ServicesStatus, then select Mobile Users.
- Copy the URLs of the Portals and Gateways that display.
- Add each Prisma Access portal and gateway as a Relying Party Trust to the Windows server.
- On the server running AD FS, start AD FS Management.
- In the Navigation Pane, expand Trust Relationships, and then select Relying Party Trusts.
- On the Actions menu located in the right column, select Add Relying Party Trust.
- In the Add Relying Party Trust Wizard page, select Claims aware and click Start.
- In the Select Data Source page, select Enter data about the relying party manually and click Next.
- In the Specify Display Name page, enter the name for the first relying party (one of the Prisma Access gateways or portals) and click Next.This example specifies one of the cloud Gateways from Prisma Access as a relying party.
- In the Configure URL page, enter the SAML single sign-on URL for the gateway; then click Next.The URL is in the format https://<gateway-hostname>:443/SAML20/SP/ACS, where <gateway-hostname> is the name of the Prisma Access gateway you are configuring as a relying party trust.
- In the Configure Identifiers page, enter the relying party trust identifier for the gateway; then click Next.The relying party trust identifier URL is in the format https://<gateway-hostname>:443/SAML20/SP, where <gateway-hostname> is the name of the Prisma Access gateway you are configuring as a relying party trust.
- In the Choose Access Control Policy page, leave the Policy as Permit everyone and click Next.
- Click Finish.ADFS adds a new Relying Party Trusts entry.
- Add a rule to the relying party trust you created.
- In the Relying Party Trusts page, find the gateway you just added in the selections on the right, then select Edit Claim Issuance Policy.
- In the Edit Claim Issuance Policy page, click Add Rule.
- In the Select Rule Template page, select Send LDAP attributes as Claims as the Claim rule template and click Next.
- In the Configure Rule window, add an LDAP Attribute of SAML-Account-Name and an Outgoing Claim Type of Name ID.By default, the Prisma Access portal and gateways expect to see the username attribute in the SAML response from the Identity Provider (IdP).
- Click Apply then click OK.The gateway displays in the list of Relying Party Trusts.
- (Optional) If you use a certificate issued by a Certificate Authority (CA), add it as a token signing certificate and enable IdP provider certificate validation on ADFS.
- Generate a certificate using your enterprise CA.
- Add the token signing certificate on ADFS.Use the instructions on the Microsoft website to add the certificate.
- Add all the gateways and portals in Prisma Access as Relying Party Trusts by completing Step2and Step3for the remaining Prisma Access portals and gateways.
Configure ADFS on Panorama
Complete ADFS configuration by performing the following steps in Panorama.
- In Panorama, select DeviceServer ProfilesSAML Identity Provider.Make sure that you select Mobile_User_Template in the Templates area.
- Import a new SAML Identity Provider.
- Give the profile a Profile Name.
- Click Browse next to the Identity Provider Metadata field and import the federation metadata XML file you downloaded to your local machine.
- (Optional) If you configured a CA-issued certificate inConfigure ADFS on the ADFS Server, select Validate Identity Provider Certificate.
- (Optional) if you are using a CA-issued certificate, import the certificate and create a certificate profile.
- Select Certificate ManagementCertificates and Import the IdP root certificate into Panorama.
- Select DeviceDevice ManagementCertificate Management and Add a certificate profile; then, Add a CA Certificate, specifying the certificate you just imported.
- Select DeviceAuthentication Profile and Add a new Authentication Profile, specifying the following options:
- Select the server type as SAML
- (Optional) If you configured a CA-issued certificate inConfigure ADFS on the ADFS Server, select the Certificate Profile that you created for the certificate; otherwise, leave the default of None.
Leave the other fields unchanged.After you add the authentication profile, you can use it with portal and gateway authentication.To check authentication-related messages in the system logs, use a filter of subtype eq auth.