SAML Based Authentication
Learn how to authenticate users using SAML.
The On-Premises Controller for Prisma SD-WAN supports SAML-based authentication for users of the Operator’s console. When a non-local user tries to log in to the Operator’s console, the controller redirects the user to an Identity Provider (IdP) such as Okta or Ping. The IdP authenticates the user and then redirects the user back to the Operator’s console login page, where the user logs in with the email ID supplied by the IdP to access the console. After a non-local user has logged in, the user is auto-populated in User Management as a non-local user.
To exchange metadata between the controller and the IdP:
1. On the Operator’s console, navigate to Configuration > SAML Configuration.
2. Under SAML SP Settings, download the SP metadata. The SP metadata is generated automatically after a successful installation.
3. In the IdP (Okta, Ping, or similar), create a SAML SSO application and import the SP metadata into it.
4. In the application’s attribute mappings, configure the following attributes. Both are mandatory, and saml_subject must be in email format:
   - saml_subject: the user’s user ID or email address.
   - opsui_role: group names or the first name of the user. The value must be the group or user name that is mapped to the admin role; the IdP configuration grants access only to users who belong to that group.
5. Save your changes in the IdP and download the IdP’s SAML configuration (IdP metadata).
6. Back on the Operator’s console, go to SAML IDP Settings, import the metadata you downloaded from the IdP, and save your changes.
After the exchange, a non-local user who tries to log in to the Operator’s console is directed to the IdP, authenticated there, and redirected to the Operator’s console login page, where the email ID from the IdP is used to access the on-premises controller.
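The attribute mapping in the steps above is what decides who gets the admin role, so it is worth seeing the checks spelled out. The following is an added example written for this page, not code from the On-Premises Controller or from Palo Alto Networks: it parses the AttributeStatement of a constructed SAML assertion, enforces that saml_subject is a single email address and that opsui_role is present, and grants the admin role only when one opsui_role value names a configured admin group. The assertion, the group name sdwan-operators, and the function names are assumptions. Signature and audience validation are deliberately out of scope; in a real SP they must succeed before any attribute is trusted.

```python
"""Apply the Operator's console SAML attribute mapping to an assertion.

Example code for this page (not Prisma SD-WAN code). It only demonstrates the
attribute mapping; it does NOT validate the assertion signature, Conditions,
or Audience, which a real SAML SP must do first.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attributes an IdP such as Okta or Ping would send
# once saml_subject and opsui_role are mapped. All values are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="saml_subject">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="opsui_role">
      <saml:AttributeValue>sdwan-operators</saml:AttributeValue>
      <saml:AttributeValue>everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Minimal "looks like an email" check; the console keys non-local users by
# email ID, so a non-email saml_subject is a misconfiguration on the IdP side.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.

    Untrusted XML should be parsed with defusedxml in production; the stdlib
    parser is used here only so the example runs without dependencies.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_operator(attrs, admin_groups):
    """Apply the mapping rules from the procedure above.

    - saml_subject is mandatory and must be exactly one email address.
    - opsui_role is mandatory; the user is an admin only if one of its values
      is a group (or user name) in admin_groups, the set that the IdP
      application maps to the admin role.
    Raises ValueError rather than guessing when an attribute is missing or
    malformed, so a bad IdP mapping fails closed.
    """
    subject = attrs.get("saml_subject", [])
    if len(subject) != 1 or not EMAIL_RE.match(subject[0]):
        raise ValueError("saml_subject missing or not a single email address")
    roles = attrs.get("opsui_role")
    if not roles:
        raise ValueError("opsui_role attribute is mandatory")
    is_admin = any(role in admin_groups for role in roles)
    return {"email": subject[0].lower(), "admin": is_admin}


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_ASSERTION)
    print(map_operator(parsed, admin_groups={"sdwan-operators"}))
```

Running the block as a script prints the mapped user for the sample assertion. The fail-closed behaviour matters: an IdP that omits opsui_role, or sends it for a group that is not the configured admin group, must result in no admin access rather than a silently downgraded or upgraded session.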