enables you to integrate
with a third-party identity provider (IDP) to allow access to the
platform, rather than adding users directly to the platform itself.

All tenant users must have a Palo Alto Networks Customer
Support Account, but the password does not have to be stored in
the Customer Support Portal (CSP).

IDP integration is supported only for Managed Security
Service Provider (MSSP) admin users accessing top-level parent tenants
to manage a customer’s child tenants. IDP integration is not supported
for an MSSP customer’s child tenant users. For your customer’s child
tenant user access, add user access through

ADFS is not supported as an IDP authentication service.

To add a user with a third-party IDP, contact your
Palo Alto Networks Account Manager (AM), Customer Success Manager (CSM),
or Sales Engineer (SE).
The AM, CSM, or SE who fills out the IDP request form
is the point of contact. Your contact will ask you questions regarding:

- Your CSP "Domain Admin" Role (Full Name and email).
- Your SSO Admin (Full Name and email).
- Your CSP ID.
- Adding your existing CSP users to your SSO. If the users
  are not added, there might be some delays. This is an important part
  of data migration pre-work.
- Your third-party SSO (for example, Okta, Azure, OneLogin).
- Your domains that need to be onboarded (third-party SSO integration
  is a domain-level solution).

IDP request processing takes approximately up to
7 business days.