Map Roles and Permissions
Let us learn to map roles and permissions in Prisma SD-WAN.
Mapping roles and permissions is a critical part of the SAML-enabled authorization process. Before you can access the Prisma SD-WAN web interface as an authorized user, your role must be mapped to a Palo Alto Networks role in the system. Through role mapping as defined in the IdP, user group memberships are mapped to Palo Alto Networks authorized roles.
Your IdP administrator must include the following information in the SAML response:
- Name ID—The Name ID of the end user. This attribute is required. The Name ID format of the SAML response can be transient, persistent, email, or unspecified.
- Role—The end user role or group membership. This attribute is required.
- First Name or Last Name—The first name is required; the last name is optional.
Ensure that the SAML assertions sent to Palo Alto Networks contain either the cloudgenix_groups or the memberOf attribute, which Palo Alto Networks uses to map users to Palo Alto Networks roles. After a user is authenticated, assertions containing either cloudgenix_groups or memberOf are automatically sent to Palo Alto Networks together with other attributes such as the email ID and the first and last name of the end user. Palo Alto Networks uses these assertions to map the end user to the corresponding Palo Alto Networks role in the Palo Alto Networks system.
The following SAML response excerpts show assertions that include the cloudgenix_groups attribute, the memberOf attribute, and a custom role.
Sample SAML Response with cloudgenix_groups

```xml
<Attribute Name="cloudgenix_groups">
  <AttributeValue>cloudgenix_tenant_network_admin</AttributeValue>
  <AttributeValue>cloudgenix_tenant_viewonly</AttributeValue>
</Attribute>
```

Sample SAML Response with memberOf

```xml
<Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="xs:anyType">cloudgenix_tenant_super</AttributeValue>
</Attribute>
```

Sample SAML Response with a Custom Role

```xml
<Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="xs:anyType">admin</AttributeValue>
</Attribute>
```
After successful authentication, the end user is authorized to
access the Prisma SD-WAN web interface.
Map Roles for Identity Provider Administrators
Map your IdP roles to Palo Alto Networks roles. The example below uses Active Directory Federation Services (ADFS) as the identity provider (IdP); the exact steps vary for each IdP. In the example, one administrator is mapped to the Palo Alto Networks role cloudgenix_tenant_super and another is mapped to a customer-specific role called network-admin.
The outgoing claim from the IdP must be in the following format:
- The User-Principal-Name should be mapped to Name ID. Palo Alto Networks requires this name to be the person’s email ID.
- The given name should be mapped to firstname and the surname to lastname.
- The Outgoing Claim Type should be CloudGenix_groups.
- The Outgoing Claim Value can be either a Palo Alto Networks role defined as cloudgenix_tenant_<role> or a customer-specific role.
If the Outgoing Claim Value is a customer-specific role, make sure to map that role to a Palo Alto Networks role in the AAA Configuration screen.
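The mapping logic the two sections above describe (required Name ID and first name, a role taken from cloudgenix_groups or memberOf, and customer-specific roles resolved through a mapping table), written out as an added Python example; this is not Palo Alto Networks code. The assertion, the `CUSTOM_ROLE_MAP` table standing in for the AAA Configuration screen, and the choice to read cloudgenix_groups before memberOf are all constructed assumptions, and the snippet assumes the assertion's signature has already been verified upstream.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical table standing in for the AAA Configuration screen: customer-specific
# role names on the left, Palo Alto Networks roles on the right.
CUSTOM_ROLE_MAP = {
    "network-admin": "cloudgenix_tenant_network_admin",
    "admin": "cloudgenix_tenant_super",
}

# Constructed sample assertion (signature assumed already verified before parsing).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>network-admin</saml:AttributeValue>
      <saml:AttributeValue>cloudgenix_tenant_viewonly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, name):
    """Return all AttributeValue texts of the Attribute called `name`."""
    vals = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            vals.extend((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return vals


def map_roles(assertion_xml):
    """Validate the required attributes and resolve the user's Palo Alto Networks roles."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("Name ID is required")
    if not attribute_values(root, "firstname"):
        raise ValueError("firstname is required")
    # Assumption: cloudgenix_groups is consulted first, memberOf only as a fallback.
    groups = attribute_values(root, "cloudgenix_groups") or attribute_values(root, "memberOf")
    if not groups:
        raise ValueError("cloudgenix_groups or memberOf attribute is required")
    roles = set()
    for group in groups:
        if group.startswith("cloudgenix_tenant_"):
            roles.add(group)                      # already a Palo Alto Networks role
        elif group in CUSTOM_ROLE_MAP:
            roles.add(CUSTOM_ROLE_MAP[group])     # customer-specific role, mapped
        # groups with no mapping grant nothing
    if not roles:
        raise ValueError("no group maps to a Palo Alto Networks role")
    return name_id, sorted(roles)
```

An assertion that carries a group with no entry in the mapping table yields no role, which is the failure an administrator sees when a customer-specific claim value was never mapped in the AAA Configuration screen.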