Configure SAML Single Sign-On (SSO) Authentication

Set up SAML single sign-on authentication to use existing enterprise credentials to access SaaS Security.
If your instance was provisioned after July 17, 2019, this topic does not apply to you and the SaaS Security web interface does not display
Settings
Authentication
because your instance uses Palo Alto Networks SSO by default. When you add an administrator through the SaaS Security web interface, a Customer Support Portal account is automatically created and linked to the SaaS Security account. However, if you want to enable a third-party IDP, you must change your configuration in the Customer Support Portal, not SaaS Security.
By default, SaaS Security instances provisioned before July 17, 2019 use local database authentication stored separately from your enterprise login account. Local database authentication requires you to create sign-in accounts for each SaaS Security administrator. However, if your organization has standardized on SAML SSO authentication, you can eliminate duplicate accounts by configuring SaaS Security as a SAML service provider so administrators can use their enterprise credentials to access the service.
You must be a Super Admin to set or change the authentication settings on SaaS Security.
  1. Enable SSO authentication on SaaS Security.
    You must be a
    Super Admin
    to configure SSO authentication.
    1. Select
      Settings
      Authentication
      .
    2. Select
      Enable Single Sign-On
      and
      Save
      .
    3. Make a note of the SaaS Security
      Entity ID
      and
      ACS URL
      provided.
      The Identity Provider needs this information to communicate with SaaS Security.
  2. Configure SaaS Security on your SAML Identity Provider.
    This example uses Okta as your Identity Provider.
    1. Add the SaaS Security
      Entity ID
      .
    2. Add the SaaS Security
      ACS URL
      .
    3. Obtain the IDP certificate from the Identity Provider and install the certificate on the IDP server. If you do not know where to obtain the certificate, contact your IDP administrator or vendor.
    4. Save the SaaS Security configuration for your chosen Identity Provider and collect setup information provided.
  3. Configure SSO authentication on SaaS Security.
    1. Enter the
      Identity Provider SSO URL
      .
    2. Browse to add an
      Identity Provider Certificate
      . The identify provider uses this certificate to sign SAML messages. Alternatively, you can disable
      Require valid certificate for login
      .
    3. Enter the SAML
      Identity Provider ID
      .
    4. Save
      your changes.
  4. Select SSO as the authentication type for SaaS Security administrators.
    Configure the authentication type for each administrator after configuring the SSO on SaaS Security and identity provider.
    As a
    Super Admin
    , you can change the
    Authentication Type
    for any account except your own. To change your
    Authentication Type
    , another Super Admin must configure your account.
    1. Select
      Settings
      Admin Accounts
      .
    2. Create a new
      Admin Account
      or edit an existing one.
    3. For the
      Authentication Type
      , select
      Single Sign-On (SSO)
      .
      After a SaaS Security administrator logs in successfully, the following message will display.
      When an Administrator has an account in the SaaS Security local database and a SSO log in, the following sign in screen displays.

Recommended For You