Configure ADFS as a SAML Provider for Mobile Users
This section describes the steps you perform
to integrate Prisma Access with Active Directory Federation Services
(ADFS) 4.0 as a Security Assertion Markup Language (SAML) identity
provider.
The examples in this section show the ADFS
server being configured on Windows Server 2016.
ADFS Server Prerequisites
Before you start this procedure, make sure
that the ADFS server has the following prerequisites:
- Make sure that ADFS is using an SSL certificate issued by a trusted certificate authority (CA). If the CA is self-signed and belongs to the organization, import the CA certificate into Panorama ) under theMobile_User_Template.
- Check that you can navigate to your AD FS namespace’s initiated sign-on page. The URL is in the formathttps://<namespace><adfs-server-hostname>/adfs/ls/idpinitiatedsignon.aspx, where<namespace>is the namespace for the ADFS server (eitheradfs.or, if you use the Secure Token Service (STS),sts.) and<adfs-server-hostname>is the host name for the ADFS server.An example URL ishttps://adfs.hooli.com/adfs/ls/idpinitiatedsignon.aspx.
- Make sure that you downloaded the federation metadata XML file to a local machine. You must import this file into Panorama to complete the SAML identity provider configuration.To download this file, start AD FS Management on the server running ADFS, then select and find the URL to download the file. The URL is in the formathttps://<adfs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml, where<adfs-server-hostname>is the host name for the ADFS server.
Configure ADFS on the ADFS Server
For ADFS to work with Prisma Access, you must
add all configuration associated with mobile users as a Relying
Party Trust. Add this information by completing the following steps.
- Retrieve the list of URLs associated with the cloud-based portals and gateways.
- In Panorama, select , then selectMobile Users.
- Copy the URLs of thePortalsandGatewaysthat display.
- Add each Prisma Access portal and gateway as aRelying Party Trustto the Windows server.
- On the server running AD FS, start AD FS Management.
- In theNavigation Pane, expandTrust Relationships, and then selectRelying Party Trusts.
- On theActionsmenu located in the right column, selectAdd Relying Party Trust.
- In theAdd Relying Party Trust Wizardpage, selectClaims awareand clickStart.
- In theSelect Data Sourcepage, selectEnter data about the relying party manuallyand clickNext.
- In theSpecify Display Namepage, enter the name for the first relying party (one of the Prisma Access gateways or portals) and clickNext.This example specifies one of the cloudGatewaysfrom Prisma Access as a relying party.
- In theConfigure URLpage, enter the SAML single sign-on URL for the gateway; then clickNext.The URL is in the formathttps://<gateway-hostname>:443/SAML20/SP/ACS, where<gateway-hostname>is the name of the Prisma Access gateway you are configuring as a relying party trust.
- In theConfigure Identifierspage, enter the relying party trust identifier for the gateway; then clickNext.The relying party trust identifier URL is in the formathttps://<gateway-hostname>:443/SAML20/SP, where<gateway-hostname>is the name of the Prisma Access gateway you are configuring as a relying party trust.
- In theChoose Access Control Policypage, leave thePolicyasPermit everyoneand clickNext.
- ClickFinish.ADFS adds a newRelying Party Trustsentry.
- Add a rule to the relying party trust you created.
- In theRelying Party Trustspage, find the gateway you just added in the selections on the right, then selectEdit Claim Issuance Policy.
- In theEdit Claim Issuance Policypage, clickAdd Rule.
- In theSelect Rule Templatepage, selectSend LDAP attributes as Claimsas the Claim rule template and clickNext.
- In theConfigure Rulewindow, add anLDAP AttributeofSAML-Account-Nameand anOutgoing Claim TypeofName ID.By default, the Prisma Access portal and gateways expect to see theusernameattribute in the SAML response from the Identity Provider (IdP).
- ClickApplythen clickOK.
The gateway displays in the list ofRelying Party Trusts.
- (Optional) If you use a certificate issued by a Certificate Authority (CA), add it as a token signing certificate and enable IdP provider certificate validation on ADFS.
- Generate a certificate using your enterprise CA.
- Add the token signing certificate on ADFS.Use the instructions on the Microsoft website to add the certificate.
Configure ADFS on Panorama
Complete ADFS configuration by performing
the following steps in Panorama.
- In Panorama, select .Make sure that you selectMobile_User_Templatein theTemplatesarea.
- Importa new SAML Identity Provider.
- Give the profile aProfile Name.
- ClickBrowsenext to theIdentity Provider Metadatafield and import the federation metadata XML file you downloaded to your local machine in ADFS Server Prerequisites.
- (Optional) If you configured a CA-issued certificate in Configure ADFS on the ADFS Server, selectValidate Identity Provider Certificate.
- (Optional) if you are using a CA-issued certificate, import the certificate and create a certificate profile.
- Select andImportthe IdP root certificate into Panorama.
- Select andAdda certificate profile; then,AddaCA Certificate, specifying the certificate you just imported.
- Select andAdda new Authentication Profile, specifying the following options:
- Select the server type asSAML
- (Optional) If you configured a CA-issued certificate in Configure ADFS on the ADFS Server, select theCertificate Profilethat you created for the certificate; otherwise, leave the default ofNone.
Leave the other fields unchanged.
After you add the authentication profile, you can use it with portal and gateway authentication.To check authentication-related messages in the system logs, use a filter ofsubtype eq auth.
