Cloud Identity Engine Getting Started
    : Configure Azure as an IdP in the Cloud Identity Engine
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud Identity
    3. Cloud Identity Engine Getting Started
    4. Authenticate Users with the Cloud Identity Engine
    5. Configure a SAML 2.0 Authentication Type
    6. Configure Azure as an IdP in the Cloud Identity Engine
    Download PDF

    Cloud Identity Engine Getting Started

    Configure Azure as an IdP in the Cloud Identity Engine

    Table of Contents

    Configure Azure as an IdP in the Cloud Identity Engine

    Learn how to configure Azure as an identity provider in the Cloud Identity Engine to use as an authentication type for user authentication.
    1. Download the Cloud Identity Engine integration in the Azure Portal.
      1. If you have not already done so, activate the Cloud Identity Engine app.
      2. Log in to the Azure Portal and select Azure Active Directory.
        Make sure you complete all the necessary steps in the Azure portal.
        If you have more than one directory, Switch directory to select the directory you want to use with the Cloud Identity Engine.
      3. Select Enterprise applications and click New application.
      4. Add from the gallery then enter Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and download the Azure AD single-sign on integration.
      5. After the application loads, select Users and groups, then Add user/group to Assign them to this application.
        Select the users and groups you want to use the Azure IdP in the Cloud Identity Engine for authentication.
        Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.
      6. Select Single sign-on then select SAML.
      7. Upload Metadata File by browsing to the metadata file that you downloaded from the Cloud Identity Engine app and click Add.
      8. After the metadata uploads, Save your configuration.
      9. (Optional) Edit your User Attributes & Claims to Add a new claim or Edit an existing claim.
        If you attempt to test the configuration on the Azure Admin Console, a 404 error displays because the test is triggered by the IdP and the Cloud Identity Engine supports authentication requests initiated by the service provider.
    2. Configure Azure AD for the Cloud Identity Engine.
      1. Select Single sign-on then select SAML.
      2. Edit the Basic SAML Configuration settings.
      3. Upload metadata file and select the metadata file you downloaded from the Cloud Identity Engine in the first step.
      4. Enter your regional endpoint as the Sign-on URL using the following format: https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint). For more information on regional endpoints, see Configure Cloud Identity Engine Authentication on the Firewall or Panorama.
      5. Copy the App Federation Metadata Url and save it to a secure location.
        At this point in the process, you may see the option to Test sign-in. If you try to test the single sign-on configuration now, the test won't be successful. You can test your configuration to verify it's correct in step 9.
    3. Add and assign users who you want to require to use Azure AD for authentication.
      1. Select Azure Active Directory then select UsersAll users.
      2. Create a New user and enter a Name, User name.
      3. Select Show password, copy the password to a secure location, and Create the user.
      4. In the Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service integration in the Azure Portal, select Users and groups.
      5. Add user then select Users and groups.
    4. Add Azure as an authentication type in the Cloud Identity Engine app.
      1. In the Cloud Identity Engine app, select AuthenticationAuthentication Types then click Add New Authentication Type.
      2. Set Up a SAML 2.0 authentication type.
      3. Select the Metadata Type you want to use.
      4. Copy the Entity ID and Assertion Consumer Service URL and save them in a secure location.
      5. Download SP Certificate and Download SP Metadata and save them in a secure location.
      6. Enter a unique and descriptive Profile Name.
      7. Select Azure as your Identity Provider Vendor.
    5. Select the method you want to use to Add Metadata.
      • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
        1. Copy the necessary information from the Azure Portal and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
          Copy or Download from Azure PortalEnter in Cloud Identity Engine IdP Profile
          Copy the Azure AD Identifier.Enter it as the Identity Provider ID.
          Download the Certificate (Base64).Click Browse files to select the Identity Provider Certificate you downloaded from the Azure Portal.
          Copy the Login URL.Enter the URL as the Identity Provider SSO URL.
        2. (Optional) Select the HTTP Binding for SSO Request to Identity Provider (Optional) method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
          • HTTP Redirect—Transmit SAML messages through URL parameters.
          • HTTP Post—Transmit SAML messages using base64-encoded HTML.
      • If you want to upload a metadata file, download the metadata file from your IdP management system.
        1. In the Azure Portal, Download the Federation Metadata XML and Save it to a secure location.
        2. In the Cloud Identity Engine app, click Browse files to select the metadata file, then Open the metadata file.
      • If you want to use a URL to retrieve the metadata, copy the App Federation Metadata Url, then paste it in the profile as the Identity Provider Metadata URL and click Get URL to obtain the metadata.
        Palo Alto Networks recommends using this method to configure Azure as an IdP.
      • If you don't want to enter the configuration information now, you can Do it later. This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.
    6. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    7. Select Multi-factor Authentication is Enabled on the Identity Provider if your Azure configuration uses multi-factor authentication (MFA).
    8. To require users to log in using their credentials to reconnect to GlobalProtect, enable Force Authentication.
    9. Click Test SAML setup to verify the profile configuration.
      This step is necessary to confirm that your firewall and IdP can communicate.
      If you do not provide the vendor information, the SAML test passes so that you can still submit the configuration.
    10. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
      1. In the Azure Portal, Edit the User Attributes & Claims.
      2. (Optional) In the Cloud Identity Engine app, enter the Username Attribute, Usergroup Attribute, Access Domain, User Domain, and Admin Role.
      3. Submitthe profile.
    11. If you want to Enable Dynamic Privilege Access, ensure completion of the prerequisites before enabling this option, then Submit your changes to confirm the configuration.
      For more information, refer to Configure Dynamic Privilege Access in the Cloud Identity Engine.

    © 2024 Palo Alto Networks, Inc. All rights reserved.