Configure SAML 2.0 Authentication (API)
Table of Contents
Expand all | Collapse all
-
- Upgrade a Firewall to the Latest PAN-OS Version (API)
- Show and Manage GlobalProtect Users (API)
- Query a Firewall from Panorama (API)
- Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
- Automatically Check for and Install Content Updates (API)
- Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)
- Configure SAML 2.0 Authentication (API)
- Quarantine Compromised Devices (API)
- Manage Certificates (API)
-
- Asynchronous and Synchronous Requests to the PAN-OS XML API
- Run Operational Mode Commands (API)
- Apply User-ID Mapping and Populate Dynamic Groups (API)
- Get Version Info (API)
-
- PAN-OS REST API
- Access the PAN-OS REST API
- Resource Methods and Query Parameters (REST API)
- PAN-OS REST API Request and Response Structure
- PAN-OS REST API Error Codes
- Work With Objects (REST API)
- Create a Security Policy Rule (REST API)
- Work with Policy Rules on Panorama (REST API)
- Create a Tag (REST API)
- Configure a Security Zone (REST API)
- Configure an SD-WAN Interface (REST API)
- Create an SD-WAN Policy Pre Rule (REST API)
- Configure an Ethernet Interface (REST API)
- Update a Virtual Router (REST API)
- Work With Decryption (APIs)
Configure SAML 2.0 Authentication (API)
Use the PAN-OS XML API to automate the configuration
of SAML 2.0 single sign-on (SSO) and single logout (SLO). To configure
SAML using the API, create scripts that import the SAML metadata
file, create a SAML authentication profile, add users and user groups,
and assign the authentication profile to firewall services. The
following workflow provides an example of how to configure SAML
using the XML API.
Because the PAN-OS XML API uses a tree
of XML nodes, in your API request you must specify the correct type
and action along with the XPath Node Selection. See Explore
the API to learn how to construct XML requests.
- (Recommended) Import a metadata file
from the IdPThe metadata file contains registration information and the certificate that the IdP uses to sign SAML messages. If you import a metadata file, you do not need to independently Create a SAML Identity Provider (IdP) server profile. Include the metadata file path and SAML server profile name in your GET request:
- key: API key
- file: file path to SAML metadata file. The metadata file contains registration information, as well as the certificate that the IdP uses to sign SAML messages. Export the metadata file from the IdP to a client system that the firewall can access. The certificate specified in the file must meet SAML requirements. Refer also to your IdP documentation for instructions.
- profile-name: passphrase, up to 31 characters
curl -k -F file=@filename.txt -g 'https://<firewall>/api/?type=import&category=idp-metadata&profile-name=<profilename>'If you perform this step, you can skip Step 2, Create a SAML Identity Provider (IdP) server profile.- Create a SAML Identity Provider (IdP) server profile
If you do not import a metadata file, include IdP configuration parameters in your GET request to create a SAML IdP server profile:- key: API key
- vsys: location, example values: shared, vsys1, vsys2
- name: server profile name
- entity-id: identity provider id
- certificate: (Best Practice) identity provider certificate
- sso-url: identity provider SSO URL
- slo-url: identity provider SLO URL
- sso-binding: SSO SAML HTTP binding, acceptable values: post, redirect
- ssl-binding: SSL SAML HTTP binding, acceptable values: post, redirect
- max-clock-skew: difference in system time as measured in seconds between firewall and IdP. The default value is 60 with a range of 1-900.
- validate-idp-certificate: (Best Practice) specify whether you want to validate the IdP certificate. The default value is yes.
- want-auth-requests-signed: specify whether the IdP expects a digital signature on authentication requests. The default value is no.
curl -X POST 'https://firewall/api?type=config&action=set&xpath=/config/shared/server-profile/saml-idp/entry[@name='<server-profile-name>']&element=<certificate><cert-name></certificate><entity-id><https://example.com/sso></entity-id><sso-url><https://example.com/sso></sso-url><sso-bindings><post></sso-bindings><slo-url><https://example.com/slo></slo-url><slo-bindings>post</slo-bindings><max-clock-skew><max-clock-skew></max-clock-skew><validate-idp-certificate><yes></validate-idp-certificate><want-auth-requests-signed><yes></want-auth-requests-signed>"- Create a SAML authentication profile using the PAN-OS XML API
Include SAML authentication profile parameters in your GET request:- key: API key
- authentication-profile: authentication profile name
- enable-single-logout: specify whether you want to enable SAML single logout. The default value is no.
- request-signing-certificate: request signing certificate name
- server-profile: SAML Identity Provider (IdP) server profile name
- certificate-profile: certificate profile name
- attribute-name-username: SAML username attribute
- attribute-name-usergroup: SAML user group attribute
- attribute-name-access-domain: SAML admin domain attribute
- attribute-name-admin-role: SAML admin role attribute
curl -X POST 'https://firewall/api?type=config&action=set&xpath=/config/shared/authentication-profile/entry[@name='<authentication-profile-name>']/method/saml-idp&element=<enable-single-logout>no</enable-single-logout><request-signing-certificate><certificate-name></request-signing-certificate><server-profile><server-profile-name></server-profile><certificate-profile>profile-name</certificate-profile><attribute-name-username><username></attribute-name-username><attribute-name-usergroup><usergroup></attribute-name-usergroup><attribute-name-access-domain><access-domain></attribute-name-access-domain><attribute-name-admin-role><admin-role></attribute-name-admin-role>"- Add users and user groups that are allowed to authenticate with this authentication profile
Include profile name and member list in your request:- key: API key
- authentication-profile: authentication profile name
- member: users or user groups. To include specific users or groups, include them in brackets: [member1,member 3]. To include all users, includeall.
curl -X POST 'https://firewall/api?type=config&action=set&xpath=/config/shared/authentication-profile/entry[@name='<authentication-profile-name>']/allow-list&element=<member><all></member>"- Assign the authentication profile to firewall services that require authentication
For example, to assign the authentication profile to a superuser administrator account for web access, include these parameters in your GET request:- key: API key
- name: admin username
- authentication-profile: name of the SAML authentication profile
curl -X POST 'https://firewall/api?type=config&action=set&xpath=/config/mgt-config/users/entry[@name='<adminname>']&element=<permissions><role-based><superuser>yes</superuser></role-based></permissions><authentication-profile><authprofilename></authentication-profile>"