PAN-OS - SAML Relying Party Configuration - RSA Ready Implementation Guide
6 months ago

This article describes how to integrate PAN-OS with RSA Cloud Access Service (CAS) using Relying Party.

   

Configure CAS

Perform these steps to configure CAS using Relying Party.
Procedure 

  1. Click Authentication Clients > Relying Parties.
  2. On the My Relying Parties page, click Add a Relying Party
  3. On the Relying Party Catalog page, click Add for Service Provider SAML.
  4. On the Basic Information page, enter the name for the application in the Name field and click Next Step.
  5. On the Authentication page, choose RSA manages all authentication.
  6. In the 2.0 Access Policy for Authentication drop-down list,  select a policy that was previously configured, and click Next Step.
  7. Under Data Input Method, choose Enter Manually.
  8. Scroll down to the Service Provider section and provide the details in the following format.
    1. Assertion Consumer Service (ACS) URL: https://<PANOS-hostname OR IP address
    2. Service Provider Entity ID: Enter the same Service Provider Entity ID entered in PANOS.
  9. Under the Message Protection section, choose IdP signs entire SAML response.
  10. Scroll down to the User Identity section and select the following values:
    1. Identifier Type: emailAddress
    2. Property: mail

  11. Click Save and Finish.
  12. Click Publish Changes and wait for the operation to be completed.
    After publishing, your application is enabled for SSO. 
  13. Under My Relying Parties, navigate to the newly created one.
  14. In the Edit drop-down list, choose Metadata.

    

Configure PAN-OS

Perform these steps to configure PAN-OS.
Procedure

  1. Log in to the PAN-OS admin web interface with the PAN-OS default admin user or any other admin https://IP-address-of-PANOS.
  2. Navigate to Device > Server Profiles > SAML Identity Provider.
  3. Click Import to create the SAML Identity Provider.
  4. Specify the Profile Name.
  5. Under the Identity Provider Configuration section:
    1. Browse the Identity Provider Metadata file, which we exported from CAS configuration.
    2. Clear the Validate Identity Provider Certificate checkbox.
  6. Click OK.
    The SAML Identity Provider is created and displays the Identity Provider and SSO Service URL details as per the metadata file.
  7. Navigate to Device > Authentication Profile and create a profile as follows:
    1. Under the Authentication Profile > Authentication section, specify the name.
    2. In the Type drop-down list, select SAML.
    3. In the IdP Service Profile drop-down list, select the SAML Identity Provider in the previous steps.
    4. Under User Attributes in SAML Messages, specify email as Username Attribute
  8. Navigate to the Advanced tab and click Add.
  9. Select the user from the list and click OK to complete the Authentication Profile.
  10. Click Commit to save the configurations on PAN-OS. 

The configuration is complete.

Related Articles

Trending Articles

Don't see what you're looking for?