Configure SAML Users and Groups

Let us learn to configure SAML users and groups in Prisma SD-WAN.
Configuring SAML users and groups includes configuring Palo Alto Networks groups, adding users to these groups, or mapping your existing user groups to Palo Alto Networks roles.
Palo Alto Networks Customer Support performs the SAML pre-configuration. SAML access is available to all users except root users; the root user can log in only with a password.
  1. From the Prisma SD-WAN web interface, select System Administration, and then AAA Configuration.
     SAML access is enabled by default. Configured Domain displays the configured IdP domain name, Admin Email displays the email ID entered for Palo Alto Networks Customer Support, and Login URL displays your IdP URL.
  2. Enter the Session Timeout duration for a session in seconds. The default value is 3600 seconds.
     By default, Auto Create Operators and Auto Create Operator Roles are set to Yes. Users and roles are then created automatically, or modified, to match the IdP user groups.
     Mapping a custom role is optional. Refer to Map Roles and Permissions to map roles for end users.
     • If you choose to use Palo Alto Networks groups in your IdP system, custom role mapping is not required. For example, Palo Alto Networks groups that may be used in your IdP system are cloudgenix_tenant_super, cloudgenix_tenant_iam_admin, or cloudgenix_tenant_network_admin. Palo Alto Networks groups are mapped to Palo Alto Networks roles named tenant_<rolename>. For example, cloudgenix_tenant_super is mapped to tenant_super, and cloudgenix_tenant_iam_admin is mapped to tenant_iam_admin.
     • If you prefer to use your own user groups, you must provide Palo Alto Networks with a mapping between Palo Alto Networks roles and your user groups, for example tenant_super=admin, tenant_viewonly=user, and so on.
     ID Provider Metadata automatically displays the configured IdP metadata, and CloudGenix Metadata displays the configured Palo Alto Networks metadata.
  3. Save to apply the configuration changes.
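The two group-to-role mapping modes described in step 2 can be modelled with a small resolver. The following is an added illustrative example, not Prisma SD-WAN's own code and not a description of how the product implements the mapping internally: it derives roles from Palo Alto Networks group names of the form cloudgenix_tenant_<rolename>, applies a custom role=group mapping of the kind shown above, and deliberately grants nothing for groups it does not recognise. The KNOWN_ROLES set lists only the roles named on this page and is an assumption of the example; the custom-mapping string format is likewise assumed.

```python
"""Illustrative SAML group-to-role resolution (constructed example; not
Prisma SD-WAN's own implementation).

Mode 1: Palo Alto Networks groups named cloudgenix_tenant_<rolename> map to
        the role tenant_<rolename> with no custom mapping.
Mode 2: A custom mapping from a Palo Alto Networks role to one of the
        customer's own IdP groups, written as 'tenant_super=admin'.
"""
from typing import Dict, Iterable, List, Optional

# Prefix carried by the Palo Alto Networks groups named on the page.
PAN_GROUP_PREFIX = "cloudgenix_"

# Roles mentioned on this page; assumed here to be the complete allow-list
# for the example. Anything outside it is never granted.
KNOWN_ROLES = {
    "tenant_super",
    "tenant_iam_admin",
    "tenant_network_admin",
    "tenant_viewonly",
}


def parse_custom_mapping(spec: str) -> Dict[str, str]:
    """Parse 'tenant_super=admin, tenant_viewonly=user' (assumed format)
    into {idp_group: pan_role}. Rejects entries that are malformed or that
    name a role outside KNOWN_ROLES, so a typo cannot silently create an
    unexpected privilege."""
    mapping: Dict[str, str] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed mapping entry: {item!r}")
        role, group = (part.strip() for part in item.split("=", 1))
        if role not in KNOWN_ROLES:
            raise ValueError(f"unknown Palo Alto Networks role: {role!r}")
        if not group:
            raise ValueError(f"empty IdP group for role {role!r}")
        mapping[group] = role
    return mapping


def resolve_roles(
    saml_groups: Iterable[str],
    custom_mapping: Optional[Dict[str, str]] = None,
) -> List[str]:
    """Return the sorted set of roles granted by the group values carried in
    a SAML assertion. A custom mapping entry wins for its group; otherwise a
    cloudgenix_tenant_<rolename> group yields tenant_<rolename>; every other
    group yields nothing (least privilege for unmapped groups)."""
    roles = set()
    for raw in saml_groups:
        group = raw.strip()
        if custom_mapping and group in custom_mapping:
            roles.add(custom_mapping[group])
        elif group.startswith(PAN_GROUP_PREFIX + "tenant_"):
            # cloudgenix_tenant_super -> tenant_super
            role = group[len(PAN_GROUP_PREFIX):]
            if role in KNOWN_ROLES:
                roles.add(role)
        # Unrecognised groups (e.g. an IdP's 'finance-team') are ignored.
    return sorted(roles)


if __name__ == "__main__":
    # Constructed sample group attribute values, as an IdP might send them.
    pan_groups = ["cloudgenix_tenant_super", "cloudgenix_tenant_iam_admin", "finance-team"]
    print(resolve_roles(pan_groups))
    own_groups = ["admin", "user", "finance-team"]
    print(resolve_roles(own_groups, parse_custom_mapping("tenant_super=admin, tenant_viewonly=user")))
```

Note that a bare role name such as tenant_super arriving as a group value grants nothing: only the cloudgenix_tenant_ prefixed form or an explicitly mapped customer group is honoured, which keeps the mapping explicit in both modes.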
