Configure SAML Users and Groups


Let us learn to configure SAML users and groups in Prisma SD-WAN.
Configuring SAML users and groups includes configuring Palo Alto Networks groups, adding users to these groups, or mapping your existing user groups to Palo Alto Networks roles.
Palo Alto Networks Customer Support performs the SAML pre-configuration. SAML access is available to all users except root users; the root user can log in only with a password.
  1. Select Manage > System > Access Management > Tenant Access > SAML Configurations.
  2. Enter the Session Timeout duration for a session in seconds. The default value is 3600 seconds.
     By default, Auto Create Operators and Auto Create Operator Roles are set to Yes. Users and roles are then created automatically, or modified, according to the IdP user groups.
     Mapping a custom role is optional. Refer to Map Roles and Permissions to map roles for end users.
     • If you choose to use Palo Alto Networks groups in your system, custom role mapping is not required. For example, Palo Alto Networks groups that may be used in your IdP system are cloudgenix_tenant_super, cloudgenix_tenant_iam_admin, or cloudgenix_tenant_network_admin. Palo Alto Networks groups are mapped to Palo Alto Networks roles of the form tenant_<rolename>. For example, cloudgenix_tenant_super is mapped to tenant_super, and cloudgenix_tenant_iam_admin is mapped to tenant_iam_admin.
     • If you prefer to use your own user groups, you must provide Palo Alto Networks with a mapping between Palo Alto Networks roles and your user groups. For example, tenant_super = admin, tenant_viewonly = user, and so on.
     ID Provider Metadata automatically displays the configured IdP metadata, and CloudGenix Metadata displays the configured Palo Alto Networks metadata.
  3. Save to make the configuration changes.
     The table below describes some of the error messages you may receive during SAML setup:

     Error Message: Single Sign On is denied because operator does not belong to any relevant roles.
     Resolution: Map the appropriate roles to the user. See Map Roles and Permissions.

     Error Message: Invalid SAML response sent by IdP.
     Resolution: The SAML response must be in the specified format. See Sample Response.

     Error Message: Not Empty Message first_name.
     Resolution: The first name of the user cannot be left blank. Add a first name for the user. See Exchange SAML Metadata.
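The following is an added example, not Prisma SD-WAN code, that walks through the group-to-role mapping rules from step 2 and the first two checks behind the error messages above. It assumes the IdP sends the user's groups in a SAML attribute named "groups" and the first name in an attribute named "first_name" (both attribute names are assumptions), and it parses a constructed assertion fragment rather than a real IdP response.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion fragment (not from the page): one user with two groups.
SAMPLE_RESPONSE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cloudgenix_tenant_iam_admin</saml:AttributeValue>
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PAN_GROUP_PREFIX = "cloudgenix_"  # Palo Alto Networks group naming from the page

def attributes(assertion_xml):
    """Collect SAML attributes as {name: [values]} (attribute names are assumed)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.findall(".//saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return attrs

def resolve_roles(groups, custom_map=None):
    """Return the set of tenant roles for the IdP groups on the assertion.
    Palo Alto Networks groups (cloudgenix_tenant_<rolename>) map to tenant_<rolename>;
    any other group is looked up in custom_map, which is {role: idp_group}."""
    roles = set()
    inverse = {g: r for r, g in (custom_map or {}).items()}
    for g in groups:
        if g.startswith(PAN_GROUP_PREFIX) and g[len(PAN_GROUP_PREFIX):].startswith("tenant_"):
            roles.add(g[len(PAN_GROUP_PREFIX):])
        elif g in inverse:
            roles.add(inverse[g])
    return roles

def check_login(assertion_xml, custom_map=None):
    """Apply the checks behind two of the table's error messages: the first name must
    be present and at least one role must resolve. Returns (ok, detail)."""
    attrs = attributes(assertion_xml)
    if not any(v.strip() for v in attrs.get("first_name", [])):
        return False, "Not Empty Message first_name."
    roles = resolve_roles(attrs.get("groups", []), custom_map)
    if not roles:
        return False, "Single Sign On is denied because operator does not belong to any relevant roles."
    return True, sorted(roles)
```

With no custom mapping the "admin" group is ignored and only tenant_iam_admin is granted; supplying the tenant_super = admin mapping from step 2 adds tenant_super.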
