Enable SAML Access to End Users
Table of Contents
Enable SAML Access to End Users
Let us learn to enable SAML access to end users.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
SAML access is automatically enabled for new
SAML users. When a SAML user logs in for the first time, the account
is created and by default the user type is set to SAML.
- Navigate to .Confirm that Auto Create Operators and Auto Create Operator Roles are toggled to Yes.
- If Auto Create Operators and Auto Create Operator Roles are selected:
- New operator is not created if system role is not assigned to the operator.
- System role is already assigned to an existing end user, no changes are made to the existing end user.
- If Auto Create Operators is selected but the Auto Create Operator Roles is not selected:
- A new operator is created, but will not be able to log in due to insufficient roles or permissions. An IAM administrator has to manually assign roles to the operator using User Management on the Prisma SD-WAN web interface.
- An existing end user can log in, if the correct role was assigned earlier, or else receives an error due to insufficient roles and permissions. For more information on groups and role assignments, refer Map Roles and Permissions.
Verify SAML access by ensuring that user-to-role mapping is accurate and test SAML-based login and authentication.Authentication fails if the name ID and user role are not provided. The SAML response must include the user’s name ID, first name, last name, and group membership. If authentication fails, the SSO page displays an error message and prompt the user for re-authentication.Enable SAML Access for Existing Users
You can enable SAML access for existing users. You can change the existing local type user to SAML on the User Administration page. The user account must be added in your IdP server to allow the user to login as a SAML user.- Navigate to .Select the user to enable SAML access and Edit the user attributes.Change the user Type to SAML.Save your changes.
