Map Roles and Permissions

Let us learn to map roles and permissions in Prisma SD-WAN.
Mapping roles and permissions are a critical part of the SAML enabled authorization process. Before you can access the Prisma SD-WAN web interface as an authorized user, your role must be mapped to a Palo Alto Networks role in the system. Through role mapping as defined in the IdP system, user group memberships are mapped to Palo Alto Networks authorized roles.
Your IdP administrator must include the following information in the SAML response.
  • Name ID—The Name ID of the end user. This attribute is required.
  • Role—The end user role or group membership. This attribute is required.
  • First Name or Last Name—The first name is required, the last name is optional.
    The format of the SAML response can be transient, persistent, email, or unspecified.
Ensure that the SAML assertions sent to Palo Alto Networks contain either the
attributes that Palo Alto Networks uses to map users to Palo Alto Networks roles. After a user is authenticated, assertions containing either
is automatically sent to Palo Alto Networks with various attributes such as email ID, the first and last name of the end user. Palo Alto Networks uses these assertions to map the end user to the corresponding Palo Alto Networks role in the Palo Alto Networks system.
The SAML response shows the assertions that include
, and
attributes, and a custom role.
Sample SAML Response with
</Attribute><Attribute Name="cloudgenix_groups"><AttributeValue>cloudgenix_tenant_network_admin</AttributeValue><AttributeValue>cloudgenix_tenant_viewonly</AttributeValue></Attribute>
Sample SAML Response with
<Attribute Name="memberOf" NameFormatt="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><AttributeValue xmlns:xs="" xmlns:xsi="" xsi:-type="xs:anyType">cloudgenix_tenant_super</AttributeValue></Attribute>
Sample SAML Response with a Custom Role
<Attribute Name="memberOf" NameFormatt="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><AttributeValue xmlns:xs="" xmlns:xsi="" xsi:-type="xs:anyType">admin</AttributeValue></Attribute>
After successful authentication, the end user is authorized to access the Prisma SD-WAN web interface.

Map Roles for Identity Provider Administrators

Map your IdP roles to Palo Alto Networks roles using the Active Directory Federation Services (ADFS) as an identity provider (IdP). This process varies for each IdP. For example, an administrator is mapped to a Palo Alto Networks role called
and another is mapped to a customer-specific role called
The outgoing claim from the IdP must be in the following format:
  • The User-Principal-Name should be mapped to Name ID. Palo Alto Networks requires this name to be the person’s email ID.
  • The given name should be mapped to firstname and the surname to lastname.
  • The Outgoing Claim Type should be
  • The Outgoing Claim Value can be either a Palo Alto Networks role defined as
    or a customer specific role.
If the Outgoing Claim Value is a customer specific role, make sure to map that role with a Palo Alto Networks role in the
AAA Configuration

Recommended For You