Configure SAML Users and Groups
Let us learn to configure SAML users and groups in Prisma SD-WAN.
Configuring SAML users and groups covers creating Palo Alto Networks groups in your IdP and adding users to them, or mapping your existing user groups to Palo Alto Networks roles.
Palo Alto Networks Customer Support performs the SAML pre-configuration.
SAML access is available to all users except the root user. The root user can log in only with a password.
- Select Manage > System > Access Management > Tenant Access > SAML Configurations.
- Enter the Session Timeout duration for a session, in seconds. The default value is 3600 seconds.
- By default, Auto Create Operators and Auto Create Operator Roles are set to Yes, so users and roles are created or modified automatically to match the IdP user groups.
- Mapping custom roles is optional. See Map Roles and Permissions to map roles for end users.
- If you choose to use Palo Alto Networks groups in your IdP, custom role mapping is not required. For example, the Palo Alto Networks groups you may use in your IdP are cloudgenix_tenant_super, cloudgenix_tenant_iam_admin, or cloudgenix_tenant_network_admin. Each Palo Alto Networks group cloudgenix_tenant_<rolename> is mapped to the Palo Alto Networks role tenant_<rolename>. For example, cloudgenix_tenant_super is mapped to tenant_super, and cloudgenix_tenant_iam_admin is mapped to tenant_iam_admin.
- If you prefer to use your own user groups, you must provide Palo Alto Networks with a mapping between Palo Alto Networks roles and your user groups. For example, tenant_super = admin, tenant_viewonly = user, and so on.
- ID Provider Metadata automatically displays the configured IdP metadata, and CloudGenix Metadata displays the configured Palo Alto Networks metadata.
- Save to apply the configuration changes.

The table below describes some of the error messages you may receive during SAML setup:

Error Message | Resolution
---|---
Single Sign On is denied because operator does not belong to any relevant roles. | Map the appropriate roles to the user. See Map Roles and Permissions.
Invalid SAML response sent by IdP. | The SAML response must be in the specified format. See Sample Response.
Not Empty Message first_name. | The first name of the user cannot be left blank. Add a first name for the user. See Exchange SAML Metadata.
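The following Python script is an added example, not Palo Alto Networks code, that shows how the two group-to-role conventions above resolve against the group attribute of a SAML assertion, and how the three documented error conditions arise. It assumes the IdP sends the groups in an attribute named `groups` and the first name in an attribute named `first_name` (the page does not name the attributes), and the custom group names `admin` and `user` are the page's own illustration. The sample responses are constructed inline. It deliberately does not validate the IdP signature; the controller must do that before trusting any attribute, and this script only demonstrates the role resolution that follows.

```python
"""Resolve Prisma SD-WAN tenant roles from the group attribute of a SAML assertion.

Added example (not Palo Alto Networks code). Attribute names "groups" and
"first_name" and the sample responses are assumptions. No signature check is
performed here: a real consumer must verify the IdP signature on the Response
or Assertion before reading attributes.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Convention 1: cloudgenix_tenant_<role> in the IdP maps to tenant_<role>.
PAN_GROUP_PREFIX = "cloudgenix_"

# Convention 2: a custom mapping, tenant role -> your own IdP group
# (group names "admin"/"user" are the page's illustration, not fixed values).
CUSTOM_ROLE_MAP = {
    "tenant_super": "admin",
    "tenant_viewonly": "user",
}

REQUIRED_ATTRS = ("first_name",)


def attributes(response_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_roles(groups, custom_map=CUSTOM_ROLE_MAP):
    """Apply both conventions; groups matching neither are ignored."""
    by_group = {group: role for role, group in custom_map.items()}
    roles = set()
    for g in groups:
        if g.startswith(PAN_GROUP_PREFIX + "tenant_"):
            roles.add(g[len(PAN_GROUP_PREFIX):])   # cloudgenix_tenant_super -> tenant_super
        elif g in by_group:
            roles.add(by_group[g])                 # admin -> tenant_super
    return sorted(roles)


def evaluate_login(response_xml, custom_map=CUSTOM_ROLE_MAP):
    """Mirror the documented outcomes: malformed response, blank first name, no role."""
    try:
        attrs = attributes(response_xml)
    except ET.ParseError:
        # Simplification: only XML well-formedness is checked here.
        return {"ok": False, "error": "Invalid SAML response sent by IdP."}
    for name in REQUIRED_ATTRS:
        if not any(v.strip() for v in attrs.get(name, [])):
            return {"ok": False, "error": f"Not Empty Message {name}."}
    roles = resolve_roles(attrs.get("groups", []), custom_map)
    if not roles:
        return {"ok": False, "error": "Single Sign On is denied because operator "
                                      "does not belong to any relevant roles."}
    return {"ok": True, "roles": roles}


def sample_response(first_name, groups):
    """Constructed, unsigned SAML Response carrying the two assumed attributes."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>{first_name}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for label, resp in [
        ("PAN group", sample_response("Ana", ["cloudgenix_tenant_super"])),
        ("mixed", sample_response("Ana", ["admin", "cloudgenix_tenant_iam_admin"])),
        ("unmapped group", sample_response("Ana", ["engineering"])),
        ("blank first name", sample_response("", ["admin"])),
        ("malformed", "<samlp:Response>"),
    ]:
        print(f"{label}: {evaluate_login(resp)}")
```

Running the script walks through one success per convention and then each failure from the error table, which is a quick way to check a proposed custom mapping before asking Customer Support to apply it.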