On-Premises Controller for Prisma SD-WAN supports SAML-based authentication for users
of the Operator's console. When a non-local user tries to log in to the
Operator's console, the user is redirected to an Identity Provider (IdP) such as
Okta or Ping; the IdP authenticates the user and then redirects the user back to the
Operator's console login page. After the redirect, the user can log in with the
email ID provided by the IdP to access the console. After a non-local user logs in, the user is
auto-populated in User Management as a non-local user.
To initiate metadata exchange between controller and IdP:
On the Operator's console, navigate to Configuration > SAML Configuration.
Under SAML SP Settings, click Download to download the SP metadata.
The SP metadata is generated automatically after a successful installation.
Next, in the IdP (Okta or Ping), create a SAML SSO application and import the SP
metadata into it.
Save your changes.
Download the SAML configuration (IdP metadata) from the IdP.
Back on the Operator's console, go to SAML IDP Settings and import the SAML
configuration you downloaded from the IdP.
In the Attributes mappings, configure the following attributes. The value of
saml_subject must be in email format:
saml_subject: the User ID (email address) of the user.
opsui_role: an additional, mandatory attribute carrying Group Names or the First
Name of the user. Its value should be the group name or user name that belongs to
the admin role; the console grants the admin role to a user only when this
attribute matches.
The IdP configuration therefore maps users belonging to specific user groups to
the access they receive on the console.
Save your changes.
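A practical way to verify the mapping before testing a real login is to capture the SAML response your IdP returns (for example with a browser SAML tracer) and check that the assertion carries saml_subject in email format and an opsui_role value that names the admin group. The script below is an added example and is not part of the Prisma SD-WAN documentation or product; the sample assertion is constructed for illustration and is unsigned, and the group name sdwan-admins is an assumed value you would replace with the group you mapped in your IdP. It checks only the attribute mapping, not the signature or the rest of the SAML validation the controller performs.

```python
"""Pre-flight check of the SAML attribute mapping the Operator's console expects:
saml_subject (an email address) and opsui_role (the group or user name that
carries the admin role).  Added example, not Prisma SD-WAN code; the sample
response below is constructed for illustration and carries no signature.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Loose local@domain.tld check; enough to catch a bare username or a group name
# being sent where an email address is required.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of what an IdP (Okta/Ping) might send after the attribute
# mapping described above.  Group names are assumed values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="saml_subject">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="opsui_role">
        <saml:AttributeValue>sdwan-operators</saml:AttributeValue>
        <saml:AttributeValue>sdwan-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    No signature verification is done here: run this only on a response you
    captured yourself, and parse untrusted XML with defusedxml rather than the
    standard-library parser.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_mapping(xml_text, admin_group):
    """Return a list of problems with the mapping; an empty list means it is OK.

    admin_group is the group (or user) name your IdP sends in opsui_role for
    users who should receive the admin role (assumed value in this example).
    """
    problems = []
    attrs = extract_attributes(xml_text)

    subject = attrs.get("saml_subject", [])
    if len(subject) != 1:
        problems.append("saml_subject must carry exactly one value")
    elif not EMAIL_RE.match(subject[0]):
        problems.append("saml_subject %r is not an email address" % subject[0])

    roles = attrs.get("opsui_role")
    if not roles:
        problems.append("mandatory attribute opsui_role is missing")
    elif admin_group not in roles:
        problems.append("opsui_role %r does not contain %r" % (roles, admin_group))
    return problems


if __name__ == "__main__":
    for line in check_mapping(SAMPLE_RESPONSE, "sdwan-admins") or ["mapping OK"]:
        print(line)
```

Run it against the assertion you captured by replacing SAMPLE_RESPONSE with the captured XML and sdwan-admins with your admin group; a non-empty result points at the attribute to fix in the IdP before the user attempts to log in.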
Manage VFF License
With the introduction of License Management in the Operator's
console, you can update the number of allowed virtual ION licenses
for a particular model. This was earlier done using scripts and commands.
Navigate to Machine Onboarding > License Management.
Add the allowed number of IONs for a model. The maximum allowed number of
IONs per model is 100.
Update the licenses.
On the Administrator console, navigate to Systems > License Management.
Click Manage Tokens for the selected platform, then Create Token.
Select the Use Type and click Create.
A secret token and ION key are generated, which can be used to
connect a vION to the controller by adding the details to the
.ini file. Treat the secret token as a credential: restrict permissions on the
.ini file and keep it out of version control.