Configure SAML Single Sign-On (SSO) Authentication
Set up SAML single sign-on authentication to use existing
enterprise credentials to access SaaS Security.
If your instance was provisioned after
July 17, 2019, this topic does not apply to you and the SaaS Security
web interface does not display Settings > Authentication because your
instance uses Palo Alto Networks SSO by default. When you add an administrator
through the SaaS Security web interface, a Customer Support Portal
account is automatically created and linked to the SaaS Security
account. However, if you want to enable a third-party IDP, you must
change your configuration in the Customer Support Portal, not SaaS
Security, as outlined in How Do I Enable Third-Party IDP
For My Account?.
By default, SaaS Security instances
provisioned before July 17, 2019 use local database authentication
stored separately from your enterprise login account. Local database authentication
requires you to create sign-in accounts for each SaaS Security administrator.
However, if your organization has standardized on SAML SSO authentication,
you can eliminate duplicate accounts by configuring SaaS Security
as a SAML service provider so administrators can use their enterprise
credentials to access the service.
You must be a Super Admin
to set or change the authentication settings on SaaS Security.
- Enable SSO authentication on SaaS Security. You must be a Super Admin to configure SSO authentication.
  - Select Settings > Authentication.
  - Select Enable Single Sign-On and Save.
  - Make a note of the SaaS Security Entity ID and ACS URL provided. The Identity Provider needs this information to communicate with SaaS Security.
- Configure SaaS Security on your SAML Identity Provider. This example uses Okta as your Identity Provider.
  - Add the SaaS Security Entity ID.
  - Add the SaaS Security ACS URL.
  - Obtain the IDP certificate from the Identity Provider and install the certificate on the IDP server. If you do not know where to obtain the certificate, contact your IDP administrator or vendor.
  - Save the SaaS Security configuration for your chosen Identity Provider and collect the setup information provided.
- Configure SSO authentication on SaaS Security.
  - Enter the Identity Provider SSO URL.
  - Browse to add an Identity Provider Certificate. The identity provider uses this certificate to sign SAML messages. Alternatively, you can disable Require valid certificate for login.
  - Enter the SAML Identity Provider ID.
  - Save your changes.
- Select SSO as the authentication type for SaaS Security administrators. Configure the Authentication Type for each administrator after configuring SSO on SaaS Security and the identity provider. As a Super Admin, you can change the Authentication Type for any account except your own. To change your Authentication Type, another Super Admin must configure your account.
  - Select Settings > Admin Accounts.
  - Create a new Admin Account or edit an existing one.
  - For the Authentication Type, select Single Sign-On (SSO). After a SaaS Security administrator logs in successfully, the following message displays. When an administrator has an account in the SaaS Security local database and an SSO login, the following sign-in screen displays.