Device > Server Profiles > SAML Identity Provider
End-of-Life (EoL)
Use this page to register a Security Assertion Markup
Language (SAML) 2.0 identity provider (IdP) with the firewall or Panorama.
Registration is a necessary step to enable the firewall or Panorama
to function as a SAML service provider, which controls access to
your network resources. When administrators and end users request
resources, the service provider redirects the users to the IdP for
authentication. The end users can be GlobalProtect or Captive Portal
users. The administrators can be managed locally on the firewall
and Panorama or managed externally in the IdP identity store. You
can configure SAML single sign-on (SSO) so that each user can automatically
access multiple resources after logging into one. You can also configure
SAML single logout (SLO) so that each user can simultaneously log
out of every SSO-enabled service by logging out of any single service.
Authentication sequences don’t support authentication profiles that specify SAML IdP server profiles.
In most cases, you cannot use SSO to access multiple apps on the same mobile device.
You cannot enable SLO for Captive Portal users.
The easiest way to create a SAML IdP server profile is to Import a
metadata file containing the registration information from the IdP.
After saving a server profile with imported values, you can edit
the profile to modify the values. If the IdP doesn’t provide a metadata
file, you can Add the server profile and
manually enter the information. After creating a server profile,
assign it to an authentication profile (see Device > Authentication Profile)
for specific firewall or Panorama services.
SAML Identity Provider Server Settings | Description |
---|---|
Profile Name | Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. |
Location | Select the scope in which the profile is available. In the context of a firewall that has multiple virtual systems, select a virtual system or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the profile, you can’t change its Location. |
Administrator Use Only | Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared. |
Identity Provider ID | Enter an identifier for the IdP. Your IdP provides this information. |
Identity Provider Certificate | Select the certificate that the IdP uses to sign SAML messages that it sends to the firewall. You must select an IdP certificate to ensure the integrity of messages that the IdP sends to the firewall. To validate the IdP certificate against the issuing Certificate Authority (CA), you must specify a Certificate Profile in any authentication profile that references the IdP server profile (see Device > Authentication Profile). When generating or importing a certificate and its associated private key, remember that the key usage attributes specified in the certificate control what you can use the key for. If the certificate explicitly lists key usage attributes, one of the attributes must be Digital Signature, which is not available in certificates that you generate on the firewall. In this case, you must Import the certificate and key from your enterprise certificate authority (CA) or a third-party CA. If the certificate doesn’t specify key usage attributes, you can use the key for any purpose, including signing messages. In this case, you can use any method to obtain the certificate and key. IdP certificates support the following algorithms: |
Identity Provider SSO URL | Enter the URL that the IdP advertises for its single sign-on (SSO) service. If you create the server profile by importing a metadata file and the file specifies multiple SSO URLs, the firewall uses the first URL that specifies a POST or redirect binding method. Palo Alto Networks strongly recommends using a URL that relies on HTTPS, although SAML also supports HTTP. |
Identity Provider SLO URL | Enter the URL that the IdP advertises for its single logout (SLO) service. If you create the server profile by importing a metadata file and the file specifies multiple SLO URLs, the firewall uses the first URL that specifies a POST or redirect binding method. Palo Alto Networks strongly recommends using a URL that relies on HTTPS, although SAML also supports HTTP. |
SSO SAML HTTP Binding | Select the HTTP binding associated with the Identity Provider SSO URL. The firewall uses the binding to send SAML messages to the IdP. The options are: If you import an IdP metadata file that has multiple SSO URLs, the firewall uses the binding of the first URL that uses the POST or redirect method. The firewall ignores URLs that use other bindings. |
SLO SAML HTTP Binding | Select the HTTP binding associated with the Identity Provider SLO URL. The firewall uses the binding to send SAML messages to the IdP. The options are: If you import an IdP metadata file that has multiple SLO URLs, the firewall uses the binding of the first URL that uses the POST or redirect method. The firewall ignores URLs that use other bindings. |
Identity Provider Metadata | This field displays only if you Import an IdP metadata file that you uploaded to the firewall from the IdP. The file specifies the values and signing certificate for a new SAML IdP server profile. Browse to the file, specify the Profile Name and Maximum Clock Skew, and then click OK to create the profile. Optionally, you can edit the profile to change the imported values. |
Validate Identity Provider Certificate | Select this option to validate the chain of trust and optionally the revocation status of the IdP signing certificate. To enable this option, a Certificate Authority (CA) must issue your IdP’s signing certificate. You must create a Certificate Profile that has the CA that issued the IdP’s signing certificate. In the Authentication Profile, select the SAML Server profile and Certificate Profile to validate the IdP certificate (see Device > Authentication Profile). If your IdP signing certificate is a self-signed certificate, there is no chain of trust; as a result, you cannot enable this option. The firewall always validates the signature of the SAML Responses or Assertions against the Identity Provider certificate that you configure, whether or not you enable the Validate Identity Provider Certificate option. If your IdP provides a self-signed certificate, ensure that you are using PAN-OS 9.1.3 or a later 9.1 version to mitigate exposure to CVE-2020-2021. |
Sign SAML Message to IdP | Select this option to specify that the firewall sign messages it sends to the IdP. The firewall uses the Certificate for Signing Requests that you specify in an authentication profile (see Device > Authentication Profile). Using a signing certificate ensures the integrity of messages sent to the IdP. |
Maximum Clock Skew | Enter the maximum acceptable time difference in seconds between the IdP and firewall system times at the moment when the firewall validates a message that it receives from the IdP (range is 1 to 900; default is 60). If the time difference exceeds this value, the validation (and thus authentication) fails. |
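
A pre-import review of an IdP metadata file, as an added example (not Palo Alto Networks code): it previews which SSO and SLO URLs the rule described in the table would pick (the first URL with a POST or redirect binding) and flags HTTP URLs and a missing signing certificate. The sample metadata, the host `idp.example.test`, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
SUPPORTED = {B + "HTTP-POST": "post", B + "HTTP-Redirect": "redirect"}

# Constructed sample metadata; idp.example.test and the certificate body are placeholders.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.test/saml"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{B}HTTP-Redirect" Location="http://idp.example.test/slo"/>
    <SingleSignOnService Binding="{B}SOAP" Location="https://idp.example.test/sso/soap"/>
    <SingleSignOnService Binding="{B}HTTP-POST" Location="https://idp.example.test/sso/post"/>
    <SingleSignOnService Binding="{B}HTTP-Redirect" Location="https://idp.example.test/sso/redir"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def first_supported(idp, tag):
    """Return the first endpoint whose binding is POST or redirect; skip the rest."""
    for ep in idp.findall(f"{{{MD}}}{tag}"):
        kind = SUPPORTED.get(ep.get("Binding"))
        if kind:
            return {"url": ep.get("Location"), "binding": kind}
    return None


def audit_metadata(xml_text):
    """Preview the values an import would take and list findings to review first."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor element found")
    out = {"idp_id": root.get("entityID"), "findings": [],
           "sso": first_supported(idp, "SingleSignOnService"),
           "slo": first_supported(idp, "SingleLogoutService")}
    for name in ("sso", "slo"):
        ep = out[name]
        if ep and not ep["url"].lower().startswith("https://"):
            out["findings"].append(f"{name} URL is not HTTPS: {ep['url']}")
    keys = idp.findall(f"{{{MD}}}KeyDescriptor")
    if not any(k.get("use") in (None, "signing") for k in keys):
        out["findings"].append("no signing certificate in metadata")
    return out
```

Calling `audit_metadata(SAMPLE)` skips the SOAP endpoint, selects the POST SSO URL, and reports the HTTP SLO URL as a finding.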