Configure SAML Authentication for Prisma Access Using Okta Without the Prisma Access App

Log in to Panorama and configure the SAML signing certificate that you want to use with SAML 2.0.
Prisma Access requires a SAML certificate to sign SAML responses and assertions. You can either generate the signing SAML signing certificate used by the portal and gateways, or you can import it. Only a Panorama administrator or Superuser can generate or import this certificate.
To Generate a Certificate and export it:
Select

Device

Mobile_User_Template

Certificate Management

Certificates

Device Certificates

.

You can also create this certificate in another template, but you must include this certificate as part of the Mobile_User_Template_Stack to use it with the Prisma Access portal and gateways.

Click

Generate

.



Select the certificate, then click

Export Certificate

.



Export the certificate in PEM format.

Do not select the

Export private key

check box.


To Import a Certificate:
Select
Device
Mobile_User_Template
Certificate Management
Certificates
Device Certificates
.
Be sure to include this certificate as part of the Mobile_User_Template_Stack.
Click
Import
and enter a
Certificate Name
.
Select the
Shared
check box.
Enter the path and name of the
Certificate File
received from the CA, or
Browse
to find the file.
Click
OK
.
Log into Okta as an administrator and create SAML 2.0 applications for the portal and gateways.
To complete this step, you need to know the FQDNs of the portal and gateways. You can obtain the FQDNs in Panorama by selecting
Panorama
Cloud Services
Status
Network Details
and clicking the
Mobile Users
radio button. The FQDNs display in the
Gateways
area. Click
More
to see all gateways.

Create a new application integration for the Prisma Access portal. Specify the Platform Type as
Web
and the sign-on method as
SAML 2.0
and click
Create
.

Configure the following application integration options:
Single sign on URL
—Enter https://
<Portal-FQDN>
:443/SAML20/SP/ACS
Where
<Portal-FQDN>
is the FQDN for the Prisma Access portal.
Use this for Recipient URL and Destination URL
—Select this check box.
Allow this app to request other SSO URLs
—Clear this check box.
Audience URI (SP Entity ID)
—Enter https://
<Portal-FQDN>
:443/SAML20/SP.
Default RelayState
—Leave blank.
Name ID format
—Select
EmailAddress
.
Application username
—Select
Okta Username
.

Select
Show Advanced Settings
and configure these settings:
Response

and

Assertion Signature

—Select

Signed

(the default).

You must configure Okta to sign SAML responses and assertions.

Allow application to initiate Single Logout

—Select this check box.

Single Logout URL

—Enter https://

<Portal-FQDN>

:443/SAML20/SP/SLO

Where

<Portal-FQDN>

is the FQDN for the Prisma Access portal.

SP Issuer

—Enter the issuer for the service provider.

Signature Certificate

—

Browse

to and then select the SAML signing certificate that you configured in Step 1, then click

Upload Certificate

.


In the ATTRIBUTE STATEMENTS (OPTIONAL) area, specify users, Name formats, and values in Okta Expression Language.
These fields reference, transform and combine attributes to define the User-ID format when the format is created in the Palo Alto Networks next-generation firewall. For example, specify a name format of
Basic
and a Value of
user.firstName
.

(
Optional
) In the Group Attribute Statements (Optional) area, create group attribute options.
You can’t use group information that’s retrieved from the SAML assertion in either security policies or the agent client configuration in the portal and gateways. If you have a requirement to configure user group-based policies and configuration selections, you must Enable Group Mapping and retrieve the user group information from the LDAP server using Group Mapping Settings.
Save the configuration.
Create a new application integration for the Prisma Access gateways.
Specify the Platform Type as
Web
and the sign-on method as
SAML 2.0
and click
Create
.
Configure the following application options:
Single sign on URL
—Enter https://
<Cloud-Gateway-1-FQDN>
:443/SAML20/SP/ACS
Where
<Cloud-Gateway-1-FQDN>
is the FQDN for the Prisma Access gateway that is closest to the majority of your mobile users.
Use this for Recipient URL and Destination URL
—Select this check box.
Allow this app to request other SSO URLs
—Select this check box and add the hostnames for all Prisma Access gateways you have deployed in the Requestable SSO URL fields (https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP/ACS, https://<Cloud-Gateway-2-FQDN>:443/SAML20/SP/ACS, and so on).
Audience URI (SP Entity ID)
—Enter the same gateway you specified for
Single sign on URL
(https://
<Cloud-Gateway-1-FQDN>
:443/SAML20/SP).
Default RelayState
—Leave blank.
Name ID format
—Select
EmailAddress
.
Application username
—Select
Okta Username
.

Select
Show Advanced Settings
and configure these settings:
Allow application to initiate Single Logout

—Select this check box.

Single Logout URL

—Enter https://

<Cloud-Gateway-1-FQDN>

:443/SAML20/SP/SLO

Where

<Cloud-Gateway-1-FQDN>

is the FQDN for the Prisma Access gateway that is the closest to the majority of your mobile users.

SP Issuer

—Enter the issuer for the service provider.

Signature Certificate

—

Browse

to and select the SAML signing certificate that you configured in Step 1, then click

Upload Certificate

.


In the ATTRIBUTE STATEMENTS (OPTIONAL) area, specify users, Name formats, and values in Okta Expression Language.
For example, specify a name format of
Basic
and a Value of
user.firstName
.

(
Optional
) In the Group Attribute Statements (Optional) area, create group attribute options.
You can’t use group information that’s retrieved from the SAML assertion in either security policies or the agent client configuration in the portal and gateways. If you have a requirement to configure user group-based policies and configuration selections, you must Enable Group Mapping and retrieve the user group information from the LDAP server using Group Mapping Settings.
Save the configuration.
Complete the configuration of the SAML 2.0 web application in Okta and enable the users to use the application. Click
View Setup Instructions
for details.
(
Optional
) If you use a certificate issued by a Certificate Authority (CA), configure it as the IdP certificate.
See the documentation on the Okta site for details.
To download the metadata files for the portal and gateways, click
Identity Provider metadata
and copy that information.

Import the metadata files for the portal and gateway to Panorama.
In Panorama, select

Device

Mobile_User_Template

Server Profiles

SAML Identity Provider

Import

the metadata file for the portal.

If you configured a CA-issued certificate in Step 6, select

Validate Identity Provider Certificate

.

To validate the IdP certificate, you must specify a Certificate Profile in any Authentication Profile that references the IdP server profile.



Enter the path and name of the

Identity Provider Metadata

received from the CA, or

Browse

to find the file.

Click

OK

.

Import the metadata file for the gateways by repeating Step 8.b to Step 9.b.

The SAML profiles display in the SAML Identity Provider window.


Create new authentication profiles for the portal and gateways.
Select
Device
Mobile_User_Template-
Authentication Profile
and
Add
an authentication profile for the portal, specifying the following options:
Specify a
Type
of
SAML
.
Specify the portal server profile you created in Step 8 as the
IdP Server Profile
.
Specify the certificate you created in Step 1 as the
Certificate for Signing Requests
.
(
Optional
) If you configured a CA-issued certificate in Step 6, add a
New
certificate profile or specify an existing one; otherwise, leave the default of
None
.
If you use a certificate profile, be sure that the name of the CA certificate in the
CA Certificates
area. You must set up the certificate profile with the CA that has issued the IdP certificate.

Click
OK
.
Create an authentication profile for the gateways, using Step 9.a to Step 8.d.
Update the Prisma Access portal and gateway to use the SAML authentication profile you just created.


Click
OK
twice to close the configuration.