Map Roles and Permissions


Let us learn to map roles and permissions in Prisma SD-WAN.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Active Prisma SD-WAN license
Mapping roles and permissions is a critical part of the SAML-enabled authorization process. Before you can access the Prisma SD-WAN web interface as an authorized user, your role must be mapped to a Palo Alto Networks role in the system. Through role mapping as defined in the IdP system, user group memberships are mapped to Palo Alto Networks authorized roles.
Your IdP administrator must include the following information in the SAML response.
  • Name ID—The Name ID of the end user. This attribute is required.
  • Role—The end user role or group membership. This attribute is required.
  • First Name or Last Name—The first name is required, the last name is optional.
    The Name ID format in the SAML response can be transient, persistent, email, or unspecified.
Ensure that the SAML assertions sent to Palo Alto Networks contain either the cloudgenix_groups or the memberOf attribute, which Palo Alto Networks uses to map users to Palo Alto Networks roles. After a user is authenticated, assertions containing either cloudgenix_groups or memberOf are automatically sent to Palo Alto Networks together with other attributes such as the email ID and the first and last name of the end user. Palo Alto Networks uses these assertions to map the end user to the corresponding Palo Alto Networks role in the Palo Alto Networks system.
The following SAML response fragments show assertions that include the cloudgenix_groups attribute, the memberOf attribute, and a custom role.
Sample SAML Response with cloudgenix_groups
<Attribute Name="cloudgenix_groups"><AttributeValue>cloudgenix_tenant_network_admin</AttributeValue><AttributeValue>cloudgenix_tenant_viewonly</AttributeValue></Attribute>
Sample SAML Response with memberOf
<Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">cloudgenix_tenant_super</AttributeValue></Attribute>
Sample SAML Response with a Custom Role
<Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">admin</AttributeValue></Attribute>
After successful authentication, the end user is authorized to access the Prisma SD-WAN web interface.

Map Roles for Identity Provider Administrators

This example maps IdP roles to Palo Alto Networks roles using Active Directory Federation Services (ADFS) as the identity provider (IdP); the exact steps vary for each IdP. In the example, one administrator is mapped to the Palo Alto Networks role cloudgenix_tenant_super and another to a customer-specific role called network-admin.
The outgoing claim from the IdP must be in the following format:
  • The User-Principal-Name should be mapped to Name ID. Palo Alto Networks requires this name to be the person’s email ID.
  • The given name should be mapped to firstname and the surname to lastname.
  • The Outgoing Claim Type should be CloudGenix_groups.
  • The Outgoing Claim Value can be either a Palo Alto Networks role defined as cloudgenix_tenant_<role> or a customer-specific role.
If the Outgoing Claim Value is a customer-specific role, make sure to map that role to a Palo Alto Networks role in the AAA Configuration screen.
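The following added example (not Palo Alto Networks code) shows the role-mapping step described above for both the cloudgenix_groups/memberOf assertions and the ADFS outgoing claims: it reads the Name ID, firstname/lastname and role attributes from an assertion, passes cloudgenix_tenant_<role> values through, resolves customer-specific roles via a lookup table that stands in for the AAA Configuration screen, and reports any role it cannot map. The attribute names firstname and lastname, the CUSTOM_ROLE_MAP contents and the sample assertion are constructed assumptions; the assertion is assumed to have been signature-verified before it reaches this code.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRS = ("cloudgenix_groups", "memberOf")  # either attribute may carry roles

# Hypothetical customer-specific role -> Palo Alto Networks role table,
# standing in for what an admin configures on the AAA Configuration screen.
CUSTOM_ROLE_MAP = {"network-admin": "cloudgenix_tenant_network_admin",
                   "admin": "cloudgenix_tenant_super"}

def map_roles(assertion_xml, custom_role_map=CUSTOM_ROLE_MAP):
    """Resolve a (signature-verified) assertion to Palo Alto Networks roles.
    Raises ValueError when a required attribute (Name ID, role, first name) is absent."""
    root = ET.fromstring(assertion_xml)  # use defusedxml in production code
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    if not name_id:
        raise ValueError("SAML response lacks Name ID")
    if not attrs.get("firstname"):
        raise ValueError("SAML response lacks firstname")
    raw_roles = [r for a in ROLE_ATTRS for r in attrs.get(a, [])]
    if not raw_roles:
        raise ValueError("SAML response lacks cloudgenix_groups or memberOf")
    roles, unmapped = [], []
    for r in raw_roles:
        if r.startswith("cloudgenix_tenant_"):   # built-in Palo Alto Networks role
            roles.append(r)
        elif r in custom_role_map:              # customer-specific role, mapped
            roles.append(custom_role_map[r])
        else:                                   # unmapped: grants nothing, flag it
            unmapped.append(r)
    return {"name_id": name_id, "firstname": attrs["firstname"][0],
            "lastname": (attrs.get("lastname") or [None])[0],
            "roles": sorted(set(roles)), "unmapped": unmapped}

# Constructed sample assertion (not a real IdP response).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cloudgenix_groups"><saml:AttributeValue>cloudgenix_tenant_viewonly</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>network-admin</saml:AttributeValue><saml:AttributeValue>helpdesk</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(map_roles(SAMPLE))
```

A non-empty "unmapped" list is the signal to add that role on the AAA Configuration screen rather than to grant it implicitly.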