SAML Authentication Using Okta as IdP for Mobile Users
You can use Security Assertion Markup Language (SAML) 2.0 to authenticate Prisma Access mobile users. When using SAML 2.0, the Prisma Access portal and gateways act as the SAML Service Provider (SP). You can use any vendor that supports SAML 2.0 as the SAML identity provider (IdP).
There are two different procedures you can take to use SAML authentication with Okta in Prisma Access.
- If you are able to access the Palo Alto Networks—Prisma Access app in Okta, use the steps in Configure SAML Authentication for Prisma Access Using Okta With the Prisma Access App to configure Okta authentication with Prisma Access. This procedure simplifies the SAML authentication process because you do not have to enter each gateway name manually in Okta.
- If you cannot access the Palo Alto Networks - Prisma Access app in Okta, you must configure each gateway manually in Okta. See Configure SAML Authentication for Prisma Access Using Okta Without the Prisma Access App for details.
Complete this task to configure SAML 2.0 in Prisma Access by using Okta as the IdP.
Configure SAML Authentication for Prisma Access Using Okta With the Prisma Access App
If you are able to access the Palo Alto Networks—Prisma Access app in Okta, use the steps in this procedure to configure SAML authentication using Prisma Access.
- Log in to the Panorama that manages Prisma Access and configure the SAML signing certificate that you want to use with SAML 2.0. Prisma Access requires a SAML certificate to sign SAML responses and assertions. You can either generate the SAML signing certificate used by the portal and gateways, or you can import it. Only a Panorama administrator or Superuser can generate or import this certificate.
- To generate a certificate and export it:
- Select Device > Mobile_User_Template > Certificate Management > Certificates > Device Certificates. You can also create this certificate in another template, but you must include this certificate as part of the Mobile_User_Template_Stack to use it with the Prisma Access portal and gateways.
- Click Generate.
- Select the certificate, then click Export Certificate.
- To import a certificate, select Device > Mobile_User_Template > Certificate Management > Certificates > Device Certificates. Be sure to include this certificate as part of the Mobile_User_Template_Stack.
- Click Import and enter a Certificate Name.
- Select the Shared check box.
- Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
- Click OK.
- Find the portal and gateway FQDNs to use as your Unique Gateway ID in Okta. For gateways, you use a truncated FQDN that you take from the gateway FQDNs. For portals, you use the entire FQDN. You use the portal and gateway FQDNs when you configure Okta in a later step.
- Select Panorama > Cloud Services > Status > Network Details and click either the Mobile Users or Mobile Users - GlobalProtect radio button, depending on your deployment.
- In the Portals area, make a note of the full portal hostname.
- In the Gateways area, take the gateway name and make a note of the data between the last dash in the gateway name and .gw.gpcloudservice.com. For example:
- Given a gateway name of india-west-acme.gp123abc.gw.gpcloudservice.com, make a note of the truncated FQDN acme.gp123abc.
- Given a gateway name of uzbekistan-acme.gp123abc.gw.gpcloudservice.com, make a note of the truncated FQDN acme.gp123abc.
- Given a gateway name of us-northwest-g-acme.gp123abc.gw.gpcloudservice.com, make a note of the truncated FQDN acme.gp123abc.
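The truncation rule above is easy to get wrong by hand when a deployment has many gateways, so here is an added example (not code from the Palo Alto Networks documentation) that applies the rule as stated: the portal keeps its full FQDN, and each gateway keeps only the text between the last dash in the gateway name and the .gw.gpcloudservice.com suffix. The function names and the sample hostnames below are this example's own; the three gateway names are the ones used in the text.

```python
"""Derive Okta "Unique Gateway ID" values from Prisma Access FQDNs.

Added example, not part of the Palo Alto Networks documentation. It encodes
the rule given in the procedure: for a gateway, keep the data between the
last dash in the gateway name and ".gw.gpcloudservice.com"; for the portal,
keep the entire FQDN. Function names are this example's own.
"""

GATEWAY_SUFFIX = ".gw.gpcloudservice.com"


def truncated_gateway_id(gateway_fqdn: str) -> str:
    """Return the truncated FQDN for one Prisma Access gateway.

    Raises ValueError when the name does not end in the Prisma Access gateway
    suffix, so a mistyped or unrelated hostname is rejected before it is
    entered in Okta instead of silently producing a wrong ID.
    """
    name = gateway_fqdn.strip().lower().rstrip(".")
    if not name.endswith(GATEWAY_SUFFIX):
        raise ValueError(f"not a Prisma Access gateway FQDN: {gateway_fqdn!r}")
    stem = name[: -len(GATEWAY_SUFFIX)]      # e.g. "india-west-acme.gp123abc"
    # Everything after the last dash is the part Okta needs, e.g. "acme.gp123abc".
    # A name without any dash is already in its truncated form.
    truncated = stem.rsplit("-", 1)[-1]
    if not truncated or "." not in truncated:
        raise ValueError(f"cannot derive a gateway ID from {gateway_fqdn!r}")
    return truncated


def unique_gateway_ids(portal_fqdn: str, gateway_fqdns: list[str]) -> dict:
    """Collect the values to enter in Okta for a portal and its gateways.

    Gateways in one deployment usually share the same truncated ID (all three
    examples in the text reduce to "acme.gp123abc"), so the result keeps the
    distinct IDs only, in sorted order.
    """
    ids = sorted({truncated_gateway_id(g) for g in gateway_fqdns})
    return {"portal": portal_fqdn.strip().lower().rstrip("."), "gateways": ids}


if __name__ == "__main__":
    # Constructed sample input: the portal name is a placeholder, the gateway
    # names are the three examples used in the procedure.
    sample = unique_gateway_ids(
        "portal.acme.example",
        [
            "india-west-acme.gp123abc.gw.gpcloudservice.com",
            "uzbekistan-acme.gp123abc.gw.gpcloudservice.com",
            "us-northwest-g-acme.gp123abc.gw.gpcloudservice.com",
        ],
    )
    print(sample)
```

Running the script prints one portal entry and a single gateway ID, acme.gp123abc, which is what the procedure expects you to note down for all three gateways.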
- Use the Palo Alto Networks - Prisma Access app to configure SAML login settings. The Prisma Access app is part of the Okta Integration Network (OIN) and simplifies the Prisma Access SAML authentication process. If you cannot access the Palo Alto Networks - Prisma Access app, you must configure each gateway manually in Okta by completing the procedure in Configure SAML Authentication for Prisma Access Using Okta Without the Prisma Access App.
- Log in to Okta. Make sure that you are logged in to the Classic UI and not the Developer Console.
- Select Applications; then, Add Application and search for Prisma Access.
- Select Palo Alto Networks - Prisma Access.
- Add the app.
- Click the General tab and, in the General Settings area, enter the following information, then click Done. You do not need to enter any information in the Mobile, Import, or Assignments tabs; you configure sign-on values in the Sign On tab in a later step.
- Complete the configuration of the SAML 2.0 web application in Okta and enable the users to use the application. Use the link on the Okta site https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-Prisma-Access.html for details.
- (Optional) If you use a certificate issued by a Certificate Authority (CA), configure it as the IdP certificate. See the link on the Okta site https://developer.okta.com/docs/guides/sign-your-own-saml-csr/overview/ for details.
- To download the metadata files for the portal and gateways, click the Sign On tab, then select Identity Provider metadata and copy that information.
- Import the metadata files for the portal and gateway to Panorama.
- In Panorama, select Device > Mobile_User_Template > Server Profiles > SAML Identity Provider.
- Import the metadata file for the portal. If you configured a CA-issued certificate, select Validate Identity Provider Certificate; otherwise, deselect this choice. To validate the IdP certificate, you must specify a Certificate Profile in any Authentication Profile that references the IdP server profile.
- Enter the path and name of the Identity Provider Metadata received from the CA, or Browse to find the file.
- Click OK.
- Create new authentication profiles for the portal and gateways.
- Select Device > Mobile_User_Template > Authentication Profile and Add an authentication profile for the portal, specifying the following options:
- Specify a Type of SAML.
- Specify the portal server profile you created in Step 7 as the IdP Server Profile.
- Specify the certificate you created in Step 1 as the Certificate for Signing Requests.
- (Optional) If you configured a CA-issued certificate in Step 5, add a New certificate profile or specify an existing one; otherwise, leave the default of None. If you use a certificate profile, be sure to include the CA certificate in the CA Certificates area. You must set up the certificate profile with the CA that has issued the IdP certificate.
- Click OK.
- Update the Prisma Access portal and gateway to use the SAML authentication profile you just created.
- Click OK twice to close the configuration.
Configure SAML Authentication for Prisma Access Using Okta Without the Prisma Access App
If you are not able to use the Palo Alto Networks—Prisma Access app in Okta, use the following steps to configure SAML authentication using Okta. This procedure requires that you enter the gateway names manually in Okta.
- Log in to Panorama and configure the SAML signing certificate that you want to use with SAML 2.0. Prisma Access requires a SAML certificate to sign SAML responses and assertions. You can either generate the SAML signing certificate used by the portal and gateways, or you can import it. Only a Panorama administrator or Superuser can generate or import this certificate.
- To generate a certificate and export it:
- Select Device > Mobile_User_Template > Certificate Management > Certificates > Device Certificates. You can also create this certificate in another template, but you must include this certificate as part of the Mobile_User_Template_Stack to use it with the Prisma Access portal and gateways.
- Click Generate.
- Select the certificate, then click Export Certificate.
- To import a certificate, select Device > Mobile_User_Template > Certificate Management > Certificates > Device Certificates. Be sure to include this certificate as part of the Mobile_User_Template_Stack.
- Click Import and enter a Certificate Name.
- Select the Shared check box.
- Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
- Click OK.
- Log in to Okta as an administrator and create SAML 2.0 applications for the portal and gateways. To complete this step, you need to know the FQDNs of the portal and gateways. You can obtain the FQDNs in Panorama by selecting Panorama > Cloud Services > Status > Network Details and clicking the Mobile Users radio button. The FQDNs display in the Gateways area. Click More to see all gateways.
- Create a new application integration for the Prisma Access portal. Specify the Platform Type as Web and the sign-on method as SAML 2.0, and click Create.
- Configure the following application integration options:
- Single sign on URL—Enter https://<Portal-FQDN>:443/SAML20/SP/ACS, where <Portal-FQDN> is the FQDN for the Prisma Access portal.
- Use this for Recipient URL and Destination URL—Select this check box.
- Allow this app to request other SSO URLs—Clear this check box.
- Audience URI (SP Entity ID)—Enter https://<Portal-FQDN>:443/SAML20/SP.
- Default RelayState—Leave blank.
- Name ID format—Select EmailAddress.
- Application username—Select Okta Username.
- Select Show Advanced Settings and configure these settings:
- Response and Assertion Signature—Select Signed (the default). You must configure Okta to sign SAML responses and assertions.
- Allow application to initiate Single Logout—Select this check box.
- Single Logout URL—Enter https://<Portal-FQDN>:443/SAML20/SP/SLO, where <Portal-FQDN> is the FQDN for the Prisma Access portal.
- SP Issuer—Enter the issuer for the service provider.
- Signature Certificate—Browse to and then select the SAML signing certificate that you configured in Step 1, then click Upload Certificate.
- In the ATTRIBUTE STATEMENTS (OPTIONAL) area, specify users, Name formats, and values in Okta Expression Language. These fields reference, transform, and combine attributes to define the User-ID format when the format is created in the Palo Alto Networks next-generation firewall. For example, specify a name format of Basic and a Value of user.firstName.
- (Optional) In the Group Attribute Statements (Optional) area, create group attribute options. You can't use group information that's retrieved from the SAML assertion in either security policies or the agent client configuration in the portal and gateways. If you have a requirement to configure user group-based policies and configuration selections, you must Enable Group Mapping and retrieve the user group information from the LDAP server using Group Mapping Settings.
- Save the configuration.
- Create a new application integration for the Prisma Access gateways. Specify the Platform Type as Web and the sign-on method as SAML 2.0, and click Create.
- Configure the following application options:
- Single sign on URL—Enter https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP/ACS, where <Cloud-Gateway-1-FQDN> is the FQDN for the Prisma Access gateway that is closest to the majority of your mobile users.
- Use this for Recipient URL and Destination URL—Select this check box.
- Allow this app to request other SSO URLs—Select this check box and add the hostnames for all Prisma Access gateways you have deployed in the Requestable SSO URL fields (https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP/ACS, https://<Cloud-Gateway-2-FQDN>:443/SAML20/SP/ACS, and so on).
- Audience URI (SP Entity ID)—Enter the same gateway you specified for Single sign on URL (https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP).
- Default RelayState—Leave blank.
- Name ID format—Select EmailAddress.
- Application username—Select Okta Username.
- Select Show Advanced Settings and configure these settings:
- Allow application to initiate Single Logout—Select this check box.
- Single Logout URL—Enter https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP/SLO, where <Cloud-Gateway-1-FQDN> is the FQDN for the Prisma Access gateway that is closest to the majority of your mobile users.
- SP Issuer—Enter the issuer for the service provider.
- Signature Certificate—Browse to and select the SAML signing certificate that you configured in Step 1, then click Upload Certificate.
- In the ATTRIBUTE STATEMENTS (OPTIONAL) area, specify users, Name formats, and values in Okta Expression Language. For example, specify a name format of Basic and a Value of user.firstName.
- (Optional) In the Group Attribute Statements (Optional) area, create group attribute options. You can't use group information that's retrieved from the SAML assertion in either security policies or the agent client configuration in the portal and gateways. If you have a requirement to configure user group-based policies and configuration selections, you must Enable Group Mapping and retrieve the user group information from the LDAP server using Group Mapping Settings.
- Save the configuration.
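The portal and gateway application integrations above differ mainly in which URLs Okta is allowed to deliver assertions to: the portal app accepts only its own ACS URL, while the gateway app lists every gateway's ACS URL as a requestable SSO URL. The following added example (not code from the Palo Alto Networks or Okta documentation) builds both configurations from the FQDNs using the /SAML20/SP URL patterns the procedure gives, and includes the allowlist check that matters on the service-provider side: an Assertion Consumer Service URL is accepted only if it is the app's single sign-on URL or one of its explicitly requestable URLs. The hostnames are constructed placeholders and the class and function names are this example's own.

```python
"""Build and check the manual Okta SAML app settings for Prisma Access.

Added example, not code from the Palo Alto Networks or Okta documentation.
URL patterns follow the procedure: ACS at /SAML20/SP/ACS, SP Entity ID at
/SAML20/SP and Single Logout at /SAML20/SP/SLO, all on port 443. Class and
function names are this example's own; hostnames are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


def entity_id(fqdn: str) -> str:
    """Audience URI (SP Entity ID) for a portal or gateway."""
    return f"https://{fqdn}:443/SAML20/SP"


def acs_url(fqdn: str) -> str:
    """Single sign on URL (Assertion Consumer Service) for a portal or gateway."""
    return f"{entity_id(fqdn)}/ACS"


def slo_url(fqdn: str) -> str:
    """Single Logout URL for a portal or gateway."""
    return f"{entity_id(fqdn)}/SLO"


@dataclass
class OktaSamlApp:
    """The subset of Okta SAML 2.0 app settings the procedure asks you to fill in."""
    single_sign_on_url: str
    audience_uri: str
    single_logout_url: str
    allow_other_sso_urls: bool
    requestable_sso_urls: list[str] = field(default_factory=list)
    use_for_recipient_and_destination: bool = True
    default_relay_state: str = ""
    name_id_format: str = "EmailAddress"
    application_username: str = "Okta Username"
    response_signed: bool = True
    assertion_signed: bool = True
    allow_sp_initiated_slo: bool = True


def portal_app(portal_fqdn: str) -> OktaSamlApp:
    """Settings for the portal integration: one ACS URL, no other SSO URLs."""
    return OktaSamlApp(
        single_sign_on_url=acs_url(portal_fqdn),
        audience_uri=entity_id(portal_fqdn),
        single_logout_url=slo_url(portal_fqdn),
        allow_other_sso_urls=False,
    )


def gateway_app(gateway_fqdns: list[str]) -> OktaSamlApp:
    """Settings for the gateway integration.

    The first FQDN is treated as the gateway closest to most mobile users
    (Cloud-Gateway-1); every gateway, including the first, is listed as a
    requestable SSO URL so that all gateways can receive assertions.
    """
    if not gateway_fqdns:
        raise ValueError("at least one gateway FQDN is required")
    primary = gateway_fqdns[0]
    return OktaSamlApp(
        single_sign_on_url=acs_url(primary),
        audience_uri=entity_id(primary),
        single_logout_url=slo_url(primary),
        allow_other_sso_urls=True,
        requestable_sso_urls=[acs_url(g) for g in gateway_fqdns],
    )


def _normalize(url: str) -> str:
    """Compare URLs with a case-insensitive scheme and host but an exact path."""
    parts = urlsplit(url.strip())
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return normalized + (f"?{parts.query}" if parts.query else "")


def allowed_acs_urls(app: OktaSamlApp) -> set[str]:
    """ACS URLs this app may send assertions to, in normalized form."""
    allowed = {_normalize(app.single_sign_on_url)}
    if app.allow_other_sso_urls:
        allowed.update(_normalize(u) for u in app.requestable_sso_urls)
    return allowed


def is_allowed_acs(app: OktaSamlApp, candidate: str) -> bool:
    """True only if the candidate ACS URL is on the app's allowlist."""
    return _normalize(candidate) in allowed_acs_urls(app)
```

Check the returned objects against what you typed into Okta: for the portal app, `allow_other_sso_urls` must be False and the single logout URL must end in /SAML20/SP/SLO; for the gateway app, every deployed gateway must appear in `requestable_sso_urls`, or its users will fail authentication when the GlobalProtect app asks that gateway to be the assertion's destination.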
- Complete the configuration of the SAML 2.0 web application in Okta and enable the users to use the application. Click View Setup Instructions for details.
- (Optional) If you use a certificate issued by a Certificate Authority (CA), configure it as the IdP certificate. See the documentation on the Okta site for details.
- To download the metadata files for the portal and gateways, click Identity Provider metadata and copy that information.
- Import the metadata files for the portal and gateway to Panorama.
- In Panorama, select Device > Mobile_User_Template > Server Profiles > SAML Identity Provider.
- Import the metadata file for the portal. If you configured a CA-issued certificate in Step 6, select Validate Identity Provider Certificate. To validate the IdP certificate, you must specify a Certificate Profile in any Authentication Profile that references the IdP server profile.
- Enter the path and name of the Identity Provider Metadata received from the CA, or Browse to find the file.
- Click OK.
- Create new authentication profiles for the portal and gateways.
- Select Device > Mobile_User_Template > Authentication Profile and Add an authentication profile for the portal, specifying the following options:
- Specify a Type of SAML.
- Specify the portal server profile you created in Step 8 as the IdP Server Profile.
- Specify the certificate you created in Step 1 as the Certificate for Signing Requests.
- (Optional) If you configured a CA-issued certificate in Step 6, add a New certificate profile or specify an existing one; otherwise, leave the default of None. If you use a certificate profile, be sure to include the CA certificate in the CA Certificates area. You must set up the certificate profile with the CA that has issued the IdP certificate.
- Click OK.
- Update the Prisma Access portal and gateway to use the SAML authentication profile you just created.
- Click OK twice to close the configuration.