Enable SAML Access to End Users
Table of Contents
Expand all | Collapse all
-
-
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure a Site Prefix
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Enable IoT Device Visibility in Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Loopback Interface
- Prisma SD-WAN Standard VPN
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure Multicast
- Create a WAN Multicast Configuration Profile
- Assign WAN Multicast Configuration Profiles to Branch Sites
- Configure a Multicast Source at a Branch Site
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
- Prisma SD-WAN Incident Policies
-
- Prisma SD-WAN Branch HA Key Concepts
- Configure Branch HA
- Configure HA Groups
- Add ION Devices to HA Groups
- View Device Configuration of HA Groups
- Edit HA Groups and Group Membership
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Prisma SD-WAN Clarity Reports
-
- Native SASE Integration with Prisma SD-WAN
- Connect a Single Prisma SD-WAN Site to Prisma Access
- Connect Multiple Prisma SD-WAN Sites to Prisma Access
- Edit Application Policy Network Rules
- Understand Service and Data Center Groups
- Verify Standard VPN Endpoints
- Configure Standard Groups
- Assign Domains to Sites
- Prisma SD-WAN Incidents and Alerts
Enable SAML Access to End Users
Let us learn to enable SAML access to end users.
SAML access is automatically enabled for new
SAML users. When a SAML user logs in for the first time, the account
is created and by default the user type is set to SAML.
- Navigate to.WorkflowsPrisma SD-WAN SetupDevicesClaimed DevicesAAA
- Confirm thatAuto Create OperatorsandAuto Create Operator Rolesare toggled to Yes.
- IfAuto Create OperatorsandAuto Create Operator Rolesare selected:
- New operator is not created if system role is not assigned to the operator.
- System role is already assigned to an existing end user, no changes are made to the existing end user.
- IfAuto Create Operatorsis selected but theAuto Create Operator Rolesis not selected:
- A new operator is created, but will not be able to log in due to insufficient roles or permissions. AnIAM administratorhas to manually assign roles to the operator usingUser Managementon thePrisma SD-WANweb interface.
- An existing end user can log in, if the correct role was assigned earlier, or else receives an error due to insufficient roles and permissions. For more information on groups and role assignments, refer Map Roles and Permissions.
Verify SAML access by ensuring that user-to-role mapping is accurate and test SAML-based login and authentication.Authentication fails if the name ID and user role are not provided. The SAML response must include the user’s name ID, first name, last name, and group membership. If authentication fails, the SSO page displays an error message and prompt the user for re-authentication.
Enable SAML Access for Existing Users
You can enable SAML access for existing users.
You can change the existing local type user to SAML on the User
Administration page. The user account must be added in your IdP
server to allow the user to login as a SAML user.
- Navigate to.ManageSystemAccess ManagementUser AccessUser Management
- Select the user to enable SAML access and Edit the user attributes.
- Change the userTypeto SAML.
- Saveyour changes.