Configure Azure AD SAML Authentication for Mobile User Deployments

To configure SAML authentication in Azure AD, you must register your Prisma Access deployment with Azure AD. Azure AD authentication is supported with Prisma Access GlobalProtect and Explicit Proxy deployments.
You first configure SAML in Azure AD, then download the federation metadata XML file (the file that contains the SAML registration information: the IdP entity ID, the sign-on and logout URLs, and the IdP signing certificate) from Azure AD and import it into a SAML Identity Provider server profile that you create in Panorama. You then create an Authentication Profile that references the IdP server profile, add the authentication profile to the Explicit Proxy or GlobalProtect configuration, and commit and push your changes.
This procedure assumes that you have a Microsoft Azure AD account, can create and modify enterprise applications, can set up a SAML Service Provider in Azure AD, and can download SAML metadata XML files in Azure.
  1. Log in to Azure AD and open the enterprise application for your deployment type.
    Palo Alto Networks publishes a gallery application for GlobalProtect. There is no gallery application for Explicit Proxy, so you must create one.
    Palo Alto Networks does not control your Azure AD setup and the UI might be different than these examples. For more information, refer to the Microsoft Azure documentation.
    • GlobalProtect Deployments—Select Home > Enterprise Applications; then, search for Palo Alto Networks - GlobalProtect and select the Palo Alto Networks - GlobalProtect application.
    • Explicit Proxy Deployments—Select Home > Enterprise Applications and create a New application; then, select Create your own application, give it a Name, select Integrate any other application you don’t find in the gallery, and Create it.
      After you create the application, select it.
  2. Set up the Azure AD application.
    1. Select Set up single sign on from the button, or select Single sign on from the left navigation pane.
    2. In the Basic SAML Configuration area, click Edit.
    3. Enter the parameters for your Explicit Proxy or GlobalProtect deployment.
      • Mobile Users—GlobalProtect Deployments—Enter the following parameters:
        • In the Identifier (Entity ID) area, enter an Entity ID of https://hostname:443/SAML20/SP, where hostname is the Mobile Users—GlobalProtect host name, and select it as the Default identifier.
          To find the GlobalProtect host name, select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect and make a note of the Hostname. If you are configuring a standalone GlobalProtect deployment, you can use either the FQDN or IP address of the GlobalProtect portal as the hostname. To find the FQDN or IP address, select Network > Portal > portal-config > Agent > agent-config > External.
        • In the Reply URL (Assertion Consumer Service URL) area, enter a SAML Assertion Consumer Service URL of https://hostname:443/SAML20/SP/ACS, where hostname is the same Mobile Users—GlobalProtect host name, and select it as the Default reply URL.
          Use the same hostname in both values. The Entity ID is the audience that Prisma Access expects in the assertion, and the Reply URL is where Azure AD posts the SAML response; if either differs from what Prisma Access advertises, authentication fails.
      • Explicit Proxy Deployments—Enter the following parameters:
        • In the Identifier (Entity ID) area, enter an Entity ID of https://global.acs.prismaaccess.com/saml/metadata and select it as the Default identifier.
        • In the Reply URL (Assertion Consumer Service URL) area, enter a SAML Assertion Consumer Service URL of https://global.acs.prismaaccess.com/saml/acs and select it as the Default reply URL.
    4. In the Set Up Single Sign-On with SAML pane, select Edit in the User Attributes & Claims area.
    5. Enter the following values:
      • Enter user.userprincipalname as the Unique User Identifier (Name ID).
      • In the Additional Claims area, add a Claim Name of username with a Value of user.userprincipalname.
        You must add this claim. The authentication profile you create in Panorama reads the user name from this attribute (its Username Attribute defaults to username), and Prisma Access uses that value for username-to-IP address mapping and for the user name shown in logs.
    6. From the left navigation pane, select Users and groups and Add user/group for the users and groups that require Azure AD authentication.
  3. (Optional) If you use a certificate authority (CA)-issued certificate, or any other certificate that you want Prisma Access to validate when you import the SAML IdP profile, configure the identity provider certificate in Panorama and in Azure AD.
    If your deployment uses certificates issued by a CA for SAML authentication, or if the SAML certificate is part of your enterprise’s public key infrastructure (PKI), you must upload the certificate to Azure AD before you export the metadata XML file from Azure AD, because the metadata file embeds the signing certificate that is active at the time of export. If you do not upload the certificate first, Panorama cannot validate the certificate for use with Prisma Access. For more information about the steps you perform in Azure AD, refer to the Microsoft Azure documentation.
    1. From the Panorama that manages Prisma Access, select Device > Certificate Management > Certificates > Device Certificates and create a self-signed root CA certificate (if you have not done so already).
    2. Generate a certificate from your enterprise root CA as a subordinate certificate.
      Be sure to select Certificate Authority so that this certificate can be validated by the authentication profile you create in a later step.
    3. Select the certificate you created and Export Certificate.
      Azure AD needs both the certificate and its private key to sign assertions, so select Encrypted Private Key and Certificate (PKCS12) as the file format and enter a Passphrase; the passphrase protects the private key inside the exported file. Treat the exported file as a secret and delete it from the client system after you upload it.
    4. From Azure AD, in the SAML Signing Certificate area, select Edit.
    5. Select Import Certificate.
    6. Select the Certificate you exported from Panorama and enter the PFX Password, which is the Passphrase you entered when you exported the certificate.
    7. Select the certificate you uploaded and Make certificate active.
    8. (Optional) If you have another certificate uploaded, either deactivate it or delete it.
      For more information about uploading and activating certificates, refer to the Microsoft Azure documentation.
  4. Export the metadata XML file from Azure AD by clicking Download in the Federation Metadata XML area, and save it to a client system from which you can upload it to Prisma Access.
    Prisma Access requires this XML file to retrieve the correct SAML attributes from Azure AD. You upload the file when you create the SAML IdP profile in Panorama.
  5. Log in to the Panorama that manages Prisma Access, add a SAML IdP server profile, and import the metadata XML file you downloaded into the profile.
    You import the SAML metadata file from Azure AD so that Prisma Access can automatically create the server profile and populate the connection, registration, and IdP certificate information.
    1. From the Panorama that manages Prisma Access, select Device > Server Profiles > SAML Identity Provider.
      Make sure you are in the Explicit_Proxy_Template (for Explicit Proxy deployments) or Mobile_User_Template (for GlobalProtect deployments).
    2. Enter a Profile Name to identify the server profile.
    3. Import the metadata XML file from Azure AD into the SAML IdP profile.
    4. (Optional) If you are using a CA-issued certificate for SAML authentication, select Validate Identity Provider Certificate; otherwise, leave this choice deselected.
      With this option selected, Prisma Access also checks the IdP signing certificate against the CA you configured in Step 3, rather than only using the certificate from the metadata to verify assertion signatures. Make sure that you added the SAML certificate to Microsoft Azure in Step 3 before you downloaded the metadata, or the check fails.
    5. Browse to the Identity Provider Metadata file.
    6. (Optional) Enter the Maximum Clock Skew, which is the allowed difference in seconds between the system times of the IdP and Prisma Access at the moment when Prisma Access validates IdP messages (default is 60; range is 1 to 900). If the difference exceeds this value, authentication fails. Keep the value as small as your clocks allow: the skew extends the window in which an assertion is accepted past its NotOnOrAfter time.
    7. Click OK to save the server profile.
      The metadata file populates the Identity Provider ID, Identity Provider SSO URL, and Identity Provider SLO URL.
  6. Configure an authentication profile for Azure AD.
    The profile defines authentication settings that are common to a set of users.
    1. Select Device > Authentication Profile and Add a profile.
      Make sure that you are still in the Explicit_Proxy_Template (for Explicit Proxy deployments) or Mobile_User_Template (for GlobalProtect deployments).
    2. Enter a Name to identify the profile.
    3. Set the Type to SAML.
    4. Select the IdP Server Profile you created.
    5. Enter the Username Attribute that IdP messages use to identify users (default username). This value must match the Claim Name you added in Azure AD in Step 2.e.
    6. Select Advanced and Add the allow list of users and user groups that can authenticate with this profile.
      Select All to allow all users to authenticate with this profile.
    7. Click OK to save the authentication profile.
  7. Commit and Push your changes.
  8. Add the authentication profile you created to the Explicit Proxy or GlobalProtect deployment.
    • GlobalProtect Deployments—Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect, select a Hostname or Configure a new GlobalProtect configuration; then, select the Authentication Profile you created.
      After you commit and push your changes, you cannot change the authentication profile or the authentication override certificate in this area; the choices become read-only. To make changes after initial onboarding, modify or add one or more GlobalProtect client authentication configurations under the Mobile_User_Template.
    • Explicit Proxy Deployments—Select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy, select a Connection Name or Configure a new Explicit Proxy configuration; then, in the Settings tab, specify the Authentication Profile you created.
  9. Commit and Push your changes.
  10. (Explicit Proxy Deployments Only) Configure the PAC file to bypass the URLs used for authentication with Explicit Proxy.
    Explicit Proxy provides you with a sample PAC file that you add to your end users’ browsers; you can modify this PAC file or edit an existing one.
    Palo Alto Networks recommends that you edit the PAC file so that the following Azure-specific domains bypass Explicit Proxy. The browser is redirected to these domains before the user has authenticated to the proxy, so they must be reachable without going through it:
    • *.microsoftonline.com
    • *.azure.com
    • *.msauth.net
    • *.microsoftazuread-sso.com
    • *.login.windows.net
    Traffic to bypassed domains leaves the endpoint directly and is not inspected or logged by Explicit Proxy, so keep the bypass list to the domains that authentication requires.
  11. (Optional) Configure user and group mapping settings by associating the Cloud Identity Engine with Prisma Access.
    While you cannot authenticate users with Prisma Access using the Cloud Identity Engine, you can use the Cloud Identity Engine to simplify the retrieval of user and group information from Azure AD to enforce user- and group-based policy.
    1. Create a Cloud Identity Engine instance for Prisma Access, and make a note of the instance name.
      When you activate the Cloud Identity Engine, it creates an instance. You use the instance name when you associate the Cloud Identity Engine with Prisma Access in a later step. Optionally, if you need a separate instance for Prisma Access, create it and make a note of its name.
    2. Configure Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud Identity Engine to collect data from your Azure AD for policy enforcement and user visibility.
      To configure an Azure AD in the Cloud Identity Engine, you must have at least the following role privileges in Azure AD: Application Administrator and Cloud Application Administrator. For more information about roles in Azure AD, refer to the Microsoft Azure documentation.
    3. Associate the Cloud Identity Engine with the Panorama app by logging in to the Palo Alto Networks hub and selecting the Panorama app.
    4. Complete the association by selecting the Cloud Identity Engine instance you want to associate with the app and clicking OK.
    5. From the Panorama that manages Prisma Access, find the serial number of the Panorama by selecting the Dashboard and noting the Serial # that displays.
    6. Return to the Palo Alto Networks hub and select Panorama; then, find the serial number of the Panorama that manages Prisma Access, select it, and select Add Directory Sync.
    7. Enter the Directory Sync instance you created in Step 11.a and click OK.
      You do not need to select the Region; the Cloud Identity Engine uses the same region that Prisma Access uses for Cortex Data Lake.
    8. Return to the Panorama that manages Prisma Access and select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect (for GlobalProtect deployments) or Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy (for Explicit Proxy deployments), select the gear icon to edit the Settings, then select Group Mapping Settings.
    9. Select Enable Directory Sync Integration to enable the Cloud Identity Engine with Prisma Access; then, enter the following information and click OK:
      • Specify a Primary Username and E-Mail of mail.
      • Specify an Alternate User Name 1 of userPrincipalName.
  12. Complete the configuration of Explicit Proxy or GlobalProtect in Panorama, including creating security policy rules to enforce your organization’s security policies and adding the PAC file to the browsers on your end users’ endpoints.
    See Secure Mobile Users with an Explicit Proxy (for explicit proxy) or Secure Mobile Users With GlobalProtect (for GlobalProtect) in the Prisma Access Administrator’s Guide (Panorama Managed) for details. If you have already configured Explicit Proxy, skip this step.
  13. Verify that SAML authentication is working with Explicit Proxy or GlobalProtect.
    1. Set up a tool to capture authentication-related SAML messages from the mobile user’s endpoint.
      Most supported browsers have a tool you can use to capture SAML messages, such as a browser extension or plugin. You can perform an internet search for SAML debugging tools to find a SAML tracer extension or plugin for your mobile user’s preferred browser.
    2. From a mobile user’s endpoint, authenticate from a supported browser.
      • GlobalProtect Deployments—Open the GlobalProtect app to find the GlobalProtect Portal; then, enter the portal URL in a supported browser.
      • Explicit Proxy Deployments—Navigate from a supported browser to a website that is protected by Explicit Proxy.
    3. When you are challenged for authentication, verify that you are redirected to Azure AD and are presented with a login page.
      After you successfully authenticate to Azure AD, Azure AD redirects you to Prisma Access. Prisma Access then validates the SAML response from Azure AD, and the mobile user should be allowed to visit the website (for Explicit Proxy deployments) or to log in to the GlobalProtect portal (for GlobalProtect deployments).
    4. From Panorama, select Monitor > Logs and verify that the mobile user’s username is displayed in the Traffic, URL Filtering, and Authentication logs.
    5. (Optional) If the username is not displayed correctly in the logs, open a website that is protected by Explicit Proxy (or the GlobalProtect portal URL) from another browser and capture the SAML response from Azure AD in that browser using the tool you set up in Step 13.a.
      The username attribute in the captured assertion should contain the expected user name, which is the user’s UPN because the claim maps to user.userprincipalname.
    6. (Optional) If you are still not seeing correct user names, revisit the Azure AD configuration and make sure that you have set up the claims correctly; in particular, make sure that you have set up the correct claim for username in Step 2.e, and retry the sign-on operation.