Third Party Identity Provider Integration Guidelines

Learn how to integrate with third party IDPs in the Prisma SASE Multitenant Cloud Management Platform.

Prisma™ SASE Multitenant Cloud Management Platform enables you to integrate with a third party identity provider (IDP) to allow access to the platform, rather than adding users directly to the platform itself.
All tenant users must have a Palo Alto Networks Customer Support Account, but the password does not have to be stored in the Customer Support Portal (CSP).
IDP integration is supported only for Managed Security Service Provider (MSSP) admin users accessing top-level parent tenants to manage a customer’s child tenants. IDP integration is not supported for an MSSP customer’s child tenant users. For your customer’s child tenant user access, add user access through the platform.
ADFS is not supported as an IDP authentication service.
To add a user with a third party IDP, contact your Palo Alto Networks Account Manager (AM), Customer Success Manager (CSM), or Sales Engineer (SE).
  • The AM, CSM, or SE who fills out the IDP request form is the point of contact. Your contact will ask you questions regarding:
    • Your CSP "Domain Admin" Role (Full Name and email).
    • Your SSO Admin (Full Name and email).
    • Your CSP ID.
    • Adding your existing CSP users to your SSO. If the users are not added, there might be some delays. This is an important part of data migration pre-work.
    • Your third party SSO (Example: Okta, Azure, OneLogin).
    • Your domains that need to be onboarded (third party SSO integration is a domain level solution).
    • Your timezone.
  • Processing an IDP request takes up to approximately 7 business days.
