Configure SAML Users and Groups
Let us learn to configure SAML users and groups in Prisma SD-WAN.
Configuring SAML users and groups includes configuring Palo Alto Networks groups, adding users to these groups, or mapping existing user groups to Palo Alto Networks roles.
Palo Alto Networks Customer Support performs the SAML pre-configuration.
SAML access is available to all users except root users. The root user can only log in with a password.
- Select Manage > System > Access Management > Tenant Access > SAML Configurations.
- Enter the Session Timeout duration for a session in seconds. The default value is 3600 seconds. By default, Auto Create Operators and Auto Create Operator Roles are set to Yes, so users and roles are created automatically, or modified, according to the IdP user groups. Mapping custom roles is optional; refer to Map Roles and Permissions to map roles for the end users.
- If you choose to use Palo Alto Networks groups in your system, custom role mapping is not required. For example, Palo Alto Networks groups that may be used in your IdP system are cloudgenix_tenant_super, cloudgenix_tenant_iam_admin, or cloudgenix_tenant_network_admin. Palo Alto Networks groups are mapped to Palo Alto Networks roles named tenant_<rolename>. For example, cloudgenix_tenant_super is mapped to tenant_super, and cloudgenix_tenant_iam_admin is mapped to tenant_iam_admin.
- If you prefer to use your own user groups, you must provide the mapping between Palo Alto Networks roles and your user groups, for example tenant_super = admin, tenant_viewonly = user, and so on.
ID Provider Metadata automatically displays the configured IdP metadata, and CloudGenix Metadata displays the configured Palo Alto Networks metadata.
- Save to make the configuration changes.
The table below describes some of the error messages you may receive during SAML setup:
Error Message | Resolution |
---|---|
Single Sign On is denied because operator does not belong to any relevant roles. | Map the appropriate roles to the user. See Map Roles and Permissions. |
Invalid SAML response sent by IdP. | The SAML response must be in the specified format. See Sample Response. |
Not Empty Message first_name. | The first name of the user cannot be left blank. Add a first name for the user. See Exchange SAML Metadata. |
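The group-to-role resolution and the error conditions described above, as an added illustrative model that is not Palo Alto Networks' own code: it parses a constructed SAML assertion (the attribute names first_name and groups are assumptions), maps cloudgenix_tenant_* groups by stripping the prefix and other groups through the tenant's custom mapping, and raises the page's error messages when the response does not parse, no relevant role matches, or the first name is blank.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PAN_GROUP_PREFIX = "cloudgenix_"  # Palo Alto Networks groups are named cloudgenix_<rolename>
KNOWN_ROLES = {"tenant_super", "tenant_iam_admin", "tenant_network_admin", "tenant_viewonly"}

# Constructed sample assertion, not a real IdP response; the attribute names are assumptions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cloudgenix_tenant_network_admin</saml:AttributeValue>
      <saml:AttributeValue>user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("Invalid SAML response sent by IdP.") from exc
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", SAML_NS)]
            for a in root.iterfind(".//saml:Attribute", SAML_NS)}

def resolve_roles(groups, custom_mapping=None):
    """Map IdP group names to tenant_<rolename> roles.

    cloudgenix_tenant_* groups map by stripping the prefix; any other group is looked up
    in the tenant's custom role->group mapping, e.g. {"tenant_super": "admin"}.
    """
    group_to_role = {g: r for r, g in (custom_mapping or {}).items()}
    roles = set()
    for g in groups:
        if g.startswith(PAN_GROUP_PREFIX) and g[len(PAN_GROUP_PREFIX):] in KNOWN_ROLES:
            roles.add(g[len(PAN_GROUP_PREFIX):])
        elif g in group_to_role:
            roles.add(group_to_role[g])
    if not roles:  # no relevant role: deny SSO instead of creating an operator with no role
        raise PermissionError("Single Sign On is denied because operator does not belong to any relevant roles.")
    return sorted(roles)

def auto_create_operator(xml_text, custom_mapping=None):
    """Return the operator record Auto Create Operators would build: first name plus roles."""
    attrs = parse_attributes(xml_text)
    first_name = (attrs.get("first_name") or [""])[0].strip()
    if not first_name:
        raise ValueError("Not Empty Message first_name.")
    return {"first_name": first_name, "roles": resolve_roles(attrs.get("groups", []), custom_mapping)}
```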