Configure Azure AD SAML Authentication for Mobile User Deployments
To configure SAML authentication in
Azure AD, you must register your Prisma Access deployment with Azure
AD. Azure AD authentication is supported with Prisma Access GlobalProtect
and Explicit Proxy deployments.
You first configure SAML in
Azure AD, then import the metadata XML file (the file that contains
SAML registration information) from Azure AD and upload it to a
SAML
Identity Provider
you create in Panorama. You then create
an Authentication Profile
that references
the IdP server profile, add the authentication profile into the
Explicit Proxy or GlobalProtect configuration, and commit and push
your changes.This procedure assumes that you have a Microsoft
Azure AD account, can create and modify enterprise applications,
can set up a SAML Service Provider in Azure AD, and can download
SAML metadata XML files in Azure.
- Log in to Azure AD and open the enterprise application for either GlobalProtect or Explicit Proxy, depending on the deployment type.GlobalProtect has its own app in Azure AD; for Explicit Proxy, Palo Alto Networks does not have an existing enterprise application for Explicit Proxy and you must create one.Palo Alto Networks does not control your Azure AD setup and the UI might be different than these examples. For more information, refer to the Microsoft Azure documentation.
- GlobalProtect Deployments—Select ; then, search forPalo Alto Networks - GlobalProtectand select thePalo Alto Networks - GlobalProtectapplication.
- Explicit Proxy Deployments—Select and create aNew application; then, selectCreate your own application, give it aName, selectIntegrate any other application you don’t find in the gallery, andCreateit.
After you create the application, select it.
- Set up the Azure AD application.
- SelectSet up single sign onfrom the button or selectSingle sign onfrom the left navigation pane.
- In theBasic SAML Configurationarea, clickEdit.
- Enter the parameters for your Explicit Proxy or GlobalProtect deployment.
- Mobile Users—GlobalProtect Deployments—Enter the following parameters:
- In theIdentifier (Entity ID)area, enter a URL ofhttps://, whereportal-name:443/SAML20/SPportal-nameis the Mobile Users—GlobalProtect portal name (), and select that as theDefaultentity ID. is the Mobile Users—GlobalProtect host name, and select that as theDefaultidentifier.In addition, enter all gateway names () in the format ofhttps://.gateway-name:443/SAML20/SP
If you are configuring a standalone GlobalProtect deployment, you can use either the FQDN or IP address of the GlobalProtect portal as theportal-name. To find the FQDN or IP address, select . - In theReply URL (Assertion Consumer Service URL), re-enter the portal and gateway names, appending ACS to the URL names (https://andportal-name:443/SAML20/SP/ACShttps://, respectively). Specify the portal name as the default.gateway-name:443/SAML20/SP/ACS
- Explicit Proxy Deployments—Enter the following parameters:
- In theIdentifier (Entity ID)area, enter an Entity ID ofhttps://global.acs.prismaaccess.com/saml/metadataand select that as theDefaultidentifier.
- In theReply URL (Assertion Consumer Service URL), enter a SAML Assertion Consumer Service URL ofhttps://global.acs.prismaaccess.com/saml/acsand select that as theDefaultentity ID.
- In theSet Up Single Sign-On with SAMLpane, selectEditin theUser Attributes & Claimsarea.
- Enter the following values:
- Enteruser.userprincipalnameas theUnique User Identifier (Name ID).
- In theAdditional Claimsarea, add aClaim Nameofusernameand aValueofuser.userprincipalname.You must add this claim to ensure correct username-to-IP address mapping for authenticated users.
- From the left navigation pane, selectUsers and groupsandAdd user/groupthat require the Azure AD authentication.
- (Optional) If you use a certificate authority (CA)-issued certificate or any other certificate that requires that you validate it when you import the SAML IdP profile into Prisma Access, configure your identity provider certificate in Panorama and in Azure AD.If your deployment certificates issued by a CA for SAML authentication, or if the SAML certificate is part of your enterprise’s public key infrastructure (PKI), you must upload the certificate to Azure AD before you export the metadata XML file from Azure AD. If you do not upload the certificate, Panorama can not validate the certificate for use with Prisma Access. For more information about the steps you perform in Azure AD, refer to the Microsoft Azure documentation
- From the Panorama that manages Prisma Access, select and create a self-signed root CA certificate (if you have not done so already).
- Generate a certificate from your enterprise root CA as a subordinate certificate.Be sure to selectCertificate Authorityso that this certificate can be validated by the authentication profile you create in a later step.
- Select the certificate you created andExport Certificate.Because you need both the certificate and a certificate password for enhanced security, selectEncrypted Private Key and Certificate (PKC512)and enter aPassphrase.
- From Azure AD, in the SAML Signing Certificate area, selectEdit.
- Import Certificate.
- Select theCertificateyou exported from Panorama and enter thePFX Password, which is thePassphrase(password) you entered for the certificate.
- Select the certificate you uploaded andMake certificate active.
- (Optional) If you have another certificate uploaded, either deactivate it or delete it.For more information about uploading and activating certificates, refer to the Microsoft Azure documentation.
- Export the metadata XML file from Azure AD and save it to a client system from which you can upload it to Prisma Access by clickingDownloadin theFederation Metadata XMLarea.Prisma Access requires this XML file to retrieve the correct SAML attributes from Azure AD. You upload the file when you create the SAML IdP profile in Panorama.
- Log in to the Panorama that manages Prisma Access, add a SAML IdP server profile, and import the metadata XML file you downloaded to the profile.You import the SAML metadata file from Azure so that Prisma Access can automatically create a server profile and populate the connection, registration, and IdP certificate information.
- From the Panorama that manages Prisma Access, select .Make sure you are in theExplicit_Proxy_Template(for explicit proxy deployments) orMobile_User_Template(for GlobalProtect deployments).
- Enter aProfile Nameto identify the server profile.
- Importthe metadata XML file from Azure to the SAML IdP.
- (Optional) If you are using a CA-issued certificate for SAML authentication, selectValidate Identity Provider Certificate; otherwise, leave this choice deselected.Make sure that you have added the SAML certificate to Microsoft Azure in Step 3.
- Browseto theIdentity Provider Metadatafile.
- (Optional) Enter theMaximum Clock Skew, which is the allowed difference in seconds between the system times of the IdP and Prisma Access at the moment when Prisma Access validates IdP messages (default is 60; range is 1 to 900). If the difference exceeds this value, authentication fails.
- ClickOKto save the server profile.The metadata file updates the information for theIdentity Provider ID,Identity Profile SSO URL, andIdentity Provider SLO URL.
- Configure an authentication profile for Azure AD.The profile defines authentication settings that are common to a set of users.
- Select andAdda profile.Make sure that you are still in theExplicit_Proxy_Template(for explicit proxy deployments) orMobile_User_Template(for GlobalProtect deployments).
- Enter aNameto identify the profile.
- Set theTypetoSAML.
- Select theIdP Server Profileyou created.
- Enter theUsername Attributethat IdP messages use to identify users (defaultusername).
- SelectAdvancedandAddthe allow list of user‘s and user groups that can authenticate with this profile.SelectAllto allow all users to authenticate with this profile.
- ClickOKto save the authentication profile.
- CommitandPushyour changes.
- Add the authentication profile you created to the Explicit Proxy or GlobalProtect deployment.
- GlobalProtect Deployments—Select , select aHostnameorConfigurea new GlobalProtect configuration; then, select theAuthentication Profileyou created.After you commit and push your changes, you cannot make any changes to the authentication profile and authentication override certificate in this area and the choices become read-only. To make changes after initial onboarding, modify or add one or more GlobalProtect client authentication configurations under theMobile_User_Template.
- Explicit Proxy Deployments—Select , select aConnection NameorConfigurea new Explicit Proxy configuration; then, in theSettingstab, specify theAuthentication Profileyou created.
- CommitandPushyour changes.
- (Explicit Proxy Deployments Only) Configure the PAC file to bypass the URLs used for authentication with Explicit Proxy.Explicit Proxy provides you with a sample PAC file that you add to your end users’ browsers; you can modify this PAC file or edit an existing one.Palo Alto Networks recommends that you edit the PAC file to add the following Azure-specific URLs by bypass Explicit Proxy:
- *.microsoftonline.com
- *.azure.com
- *.msauth.net
- *.microsoftazuread-sso.com
- *.login.windows.net
- (Optional) Configure user and group mapping settings by associating the Cloud Identity Engine with Prisma Access.While you cannot authenticate users with Prisma Access using the Cloud Identity Engine, you can use the Cloud Identity Engine to simplify the retrieval of user and group information from Azure AD to enforce user- and group-based policy.
- Create a Cloud Identity Engine instance for Prisma Access, and make a note of the instance name.When you activate the Cloud Identity Engine, it creates an instance. You use the instance name when you associate the Cloud Identity Engine with Prisma Access in a later step. Optionally, if you need to create a separate instance for Prisma Access, create it and make a note of the instance name.
- Configure Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud Identity Engine to collect data from your Azure AD for policy enforcement and user visibility.See Configure Azure Active Directory in the Cloud Identity Engine Getting Started for details.To configure an Azure AD in the Cloud Identity Engine, you must have at least the following role privileges in Azure AD: Application Administrator and Cloud Application Administrator. For more information about roles in Azure AD, refer to the following link.
- Associate the Cloud Identity Engine with the Panorama app by logging in to the Palo Alto Networks hub and selecting the Panorama app.
- Complete the association by selecting theCloud Identity Engineinstance you want to associate with the app and clickOK.
- From the Panorama that manages Prisma Access, find the serial number of the Panorama Explicit Proxy deployment by selecting theDashboardand noting theSerial #that displays.
- Return to the Palo Alto Networks hub and selectPanorama; then, Find the serial number of the Panorama that manages Prisma Access, select it, then selectAdd Directory Sync.
- You do not need to select the Region; the Cloud Identity Engine uses the same region that Prisma Access uses for Cortex Data Lake.
- Return to the Panorama that manages Prisma Access, select or (for GlobalProtect deployments) or (for explicit proxy deployments), select the gear icon to edit theSettings, then selectGroup Mapping Settings.
- SelectEnable Directory Sync Integrationto enable Cloud Identity Engine with Prisma Access; then, enter the following information and clickOK:
- Specify aPrimary UsernameandE-Mailofmail.
- Specify anAlternate User Name 1ofuserPrincipalName.
- Complete the configuration of Explicit Proxy or GlobalProtect in Panorama, including creating security policy rules to enforce your organization’s security policies and adding the PAC file to the browsers on your end users’ endpoints.See Secure Mobile Users with an Explicit Proxy (for explicit proxy) or Secure Mobile Users With GlobalProtect (for GlobalProtect) in the Prisma Access Administrator’s Guide (Panorama Managed) for details. If you have already configured Explicit Proxy, skip this step.
- Verify that SAML authentication is working with Explicit Proxy.
- Set up a tool to capture authentication-related SAML messages from the mobile user’s endpoint.Most supported browsers have a tool you can use to capture SAML messages, such as a browser extension or plugin.You can perform an internet search for SAML debugging tools to find a SAML tracer extension or plugin for your mobile user’s preferred browser.
- From a mobile user’s endpoint, authenticate from a supported browser.
- GlobalProtect Deployments—Open the GlobalProtect app to find the GlobalProtectPortal; then, enter the portal URL in a supported browser.
- Explicit Proxy Deployments—Navigate from a supported browser to a website that is protected by Explicit Proxy.
- When you are challenged for authentication, verify that you are redirected to Azure AD and are presented with a login page.After you successfully authenticate to Azure AD, Azure AD redirects you to Prisma Access. Prisma Access then validates the SAML responses from Azure AD and the mobile user should be allowed to visit the website (for Explicit Proxy deployments) or you can successfully log in to the GlobalProtect portal (for GlobalProtect deployments).
- From Panorama, select and verify that the mobile user’s username is displayed in the Traffic, URL Filtering, and Authentication logs.
- (Optional) If the username is not displaying correctly in the logs, open a website that is protected by Explicit Proxy from another browser and capture the SAML response from Azure AD from that mobile user's browser using the tool you set up in Step 13.a.In the attribute forusername, the correct user name should be displayed.
- (Optional) If you are still not seeing correct user names, revisit the Azure AD configuration and make sure that you have set up claims correctly; in particular, make sure that you have set up the correct claim for username in Step 2.e, and retry the sign-on operation.
