How to Configure SAML 2.0 for Palo Alto Networks – Prisma Access

Read this before you enable SAML


Supported Features

The Okta/Palo Alto Networks – Prisma Access SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

  1. Sign in to your Panorama account.

  2. Select the DEVICE tab, then select Mobile_User_Template from the Template dropdown.


  3. Go to Service Profiles > SAML Identity Provider, then click Import.

  4. Enter the following:

    • Profile Name: Enter your preferred profile name.

    • Identity Provider Metadata: Download and save the following. Then click Browse to locate and upload it:

      Sign in to the Okta Admin dashboard to generate this value.

    • Make sure that Validate Metadata Signature is unchecked.

    • If you configured a CA-issued certificate and would like to use it as the IdP certificate (see https://developer.okta.com/docs/guides/sign-your-own-saml-csr/overview/), check Validate Identity Provider Certificate. Otherwise, uncheck this option as well. (Note: To validate the IdP certificate, you must specify a Certificate Profile in the Authentication Profile you will set up later in step 5.)

    • Click OK.

  5. Go to Device > Authentication Profile, click Add, then enter the following:

    • Name: Provide a name for the Authentication profile.

    • Type: Select SAML.

    • IdP Server Profile: Select the IdP Server Profile created in step 4.

    • Certificate for Signing Requests: Select None.

    • Certificate Profile: If you are using a CA-issued certificate, add a new certificate profile by following this documentation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/configure-a-certificate-profile or use an existing one. If you are not using a CA-issued certificate, select None. (Note: If you use a certificate profile, be sure that the name of the CA certificate appears in the CA Certificates area. The certificate profile should be set up with the CA that issued the IdP certificate.)

    • Select the Advanced tab in the Authentication Profile, then select the Allow List.

    • Click OK.

  6. Go to Network > GlobalProtect > Portals, then click on your GlobalProtect_Portal.

  7. Go to Authentication, then click Add.

  8. Enter the following:

    • Provide a Name.

    • OS: Optional, the default is Any.

    • Authentication Profile: Select the Authentication profile you configured in step 5.

    • Authentication Message: Optional. The default value is Enter login credentials.

    • Click OK.

  9. Go to Network > GlobalProtect > Gateways, then select your GlobalProtect_External_Gateway.

  10. Repeat step 7 and step 8 to set up authentication for your Gateway.

  11. To push the configuration to Prisma Access, navigate to Panorama, click Commit in the upper-right, and then click Commit and Push.

  12. Done!


SP-initiated SSO

Go to your GlobalProtect Portal