Map Roles and Permissions

Let us learn to map roles and permissions in Prisma SD-WAN.
Mapping roles and permissions is a critical part of the SAML-enabled authorization process. Before you can access the Prisma SD-WAN web interface as an authorized user, your role must be mapped to a Palo Alto Networks role in the system. Through role mapping as defined in the IdP system, user group memberships are mapped to Palo Alto Networks authorized roles.
Your IdP administrator must include the following information in the SAML response.
  • Name ID—The Name ID of the end user. This attribute is required.
  • Role—The end user role or group membership. This attribute is required.
  • First Name or Last Name—The first name is required, the last name is optional.
    The format of the SAML response can be transient, persistent, email, or unspecified.
Ensure that the SAML assertions sent to Palo Alto Networks contain either the cloudgenix_groups or the memberOf attribute, which Palo Alto Networks uses to map users to Palo Alto Networks roles. After a user is authenticated, assertions containing either cloudgenix_groups or memberOf are automatically sent to Palo Alto Networks together with other attributes such as the email ID and the first and last name of the end user. Palo Alto Networks uses these assertions to map the end user to the corresponding Palo Alto Networks role in the Palo Alto Networks system.
The following SAML responses show assertions that include the cloudgenix_groups attribute, the memberOf attribute, and a custom role.
Sample SAML Response with cloudgenix_groups
<Attribute Name="cloudgenix_groups"><AttributeValue>cloudgenix_tenant_network_admin</AttributeValue><AttributeValue>cloudgenix_tenant_viewonly</AttributeValue></Attribute>
Sample SAML Response with memberOf
<Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">cloudgenix_tenant_super</AttributeValue></Attribute>
Sample SAML Response with a Custom Role
<Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">admin</AttributeValue></Attribute>
After successful authentication, the end user is authorized to access the Prisma SD-WAN web interface.

Map Roles for Identity Provider Administrators

Map your IdP roles to Palo Alto Networks roles using Active Directory Federation Services (ADFS) as an identity provider (IdP). This process varies for each IdP. For example, one administrator is mapped to a Palo Alto Networks role called cloudgenix_tenant_super and another is mapped to a customer-specific role called network-admin.
The outgoing claim from the IdP must be in the following format:
  • The User-Principal-Name should be mapped to Name ID. Palo Alto Networks requires this name to be the person’s email ID.
  • The given name should be mapped to firstname and the surname to lastname.
  • The Outgoing Claim Type should be CloudGenix_groups.
  • The Outgoing Claim Value can be either a Palo Alto Networks role defined as cloudgenix_tenant_<role> or a customer-specific role.
If the Outgoing Claim Value is a customer-specific role, make sure to map that role to a Palo Alto Networks role in the AAA Configuration screen.
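The mapping described above, shown as an added illustration rather than Palo Alto Networks' own code: the assertion is parsed, Name ID and first name are checked as required, values of cloudgenix_groups and memberOf are collected, built-in cloudgenix_tenant_<role> names are accepted as-is, and any other group name is resolved through a customer-specific map standing in for the AAA Configuration screen. The assertion XML, the firstname attribute name and the custom_role_map dictionary are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The two attributes the documentation says carry role or group membership.
ROLE_ATTRS = ("cloudgenix_groups", "memberOf")
# Built-in roles follow the cloudgenix_tenant_<role> pattern.
BUILTIN_ROLE = re.compile(r"^cloudgenix_tenant_[a-z_]+$")

# Constructed sample assertion fragment for the example (not a real IdP response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cloudgenix_groups">
      <saml:AttributeValue>cloudgenix_tenant_viewonly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(root, name):
    """Return every AttributeValue text of the SAML attribute called name."""
    xpath = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(xpath, SAML_NS) if v.text]

def map_roles(assertion_xml, custom_role_map):
    """Return (name_id, roles) granted by the assertion.

    Built-in roles are taken as-is; other group names are looked up in
    custom_role_map (the counterpart of the AAA Configuration mapping).
    Unmapped groups grant nothing, so an unrelated AD group has no effect.
    Raises ValueError when the required Name ID or first name is missing.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Name ID is required")
    if not attribute_values(root, "firstname"):
        raise ValueError("firstname is required")
    roles = []
    for attr in ROLE_ATTRS:
        for group in attribute_values(root, attr):
            role = group if BUILTIN_ROLE.match(group) else custom_role_map.get(group)
            if role and role not in roles:
                roles.append(role)
    return name_id.text.strip(), roles
```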