Configure SAML Single Sign-On (SSO) Authentication
Set up SAML single sign-on authentication to use existing
enterprise credentials to access SaaS Security.
If your instance was provisioned after
July 17, 2019, this topic does not apply to you and the SaaS Security
web interface does not display
instance uses Palo Alto Networks SSO by default. When you add an
administrator through the SaaS Security web interface, a Customer Support
Portal account is automatically created and linked to the SaaS Security
account. However, if you want to enable a third-party IDP, you must
change your configuration in the Customer Support Portal, not SaaS
SaaS Security instances provisioned before July 17, 2019 use local
database authentication stored separately from your enterprise login
account. Local database authentication requires you to create sign-in
accounts for each SaaS Security administrator. However, if your organization
has standardized on SAML SSO authentication, you can eliminate duplicate
accounts by configuring SaaS Security as a SAML service provider
so administrators can use their enterprise credentials to access
You must be a Super Admin to set or change the
authentication settings on SaaS Security.
Enable SSO authentication on SaaS Security.
You must be a
Enable Single Sign-On
Make a note of the SaaS Security
The Identity Provider needs this information to communicate
with SaaS Security.
Configure SaaS Security on your SAML Identity Provider.
This example uses Okta as your Identity Provider.
Add the SaaS Security
Add the SaaS Security
Obtain the IDP certificate from the Identity Provider
and install the certificate on the IDP server. If you do not know
where to obtain the certificate, contact your IDP administrator
Save the SaaS Security configuration for your chosen
Identity Provider and collect setup information provided.
Configure SSO authentication on SaaS Security.
Identity Provider SSO
Browse to add an
Identity Provider Certificate
The identity provider uses this certificate to sign SAML messages.
Alternatively, you can disable
Require valid certificate
Enter the SAML
Identity Provider ID
Select SSO as the authentication type for SaaS Security
Configure the authentication type for each administrator
after configuring SSO on SaaS Security and the identity provider.
, you can change the
for any account except your own. To change your
, another Super Admin must configure your account.
Create a new
edit an existing one.
Single Sign-On (SSO)
After a SaaS Security administrator logs in successfully,
the following message will display.
When an administrator has an account in the SaaS Security
local database and an SSO login, the following sign-in screen displays.