PAN-OS - SAML My Page SSO Configuration - RSA Ready Implementation Guide
7 months ago

This article describes how to integrate PAN-OS with RSA Cloud Access Service (CAS) using My Page SSO.

   

Configure CAS

Perform these steps to configure CAS using My Page SSO.
Procedure 

  1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Click Create from Template and then click Select next to SAML Direct.
  3. On the Basic Information page, choose Cloud.
  4. Enter a name for the application and click Next Step.
  5. On the Connection Profile page, navigate to the Initiate SAML Workflow section and choose IdP-initiated.
  6. Under Data Input Method, choose Enter Manually.
  7. Scroll down to the Service Provider section and enter the values in the following format:
    1. Assertion Consumer Service (ACS) URL: https://<PANOS-hostname OR IP address
    2. Service Provider Entity ID: Enter the same Service Provider Entity ID entered in PAN-OS.
  8. Under the Message Protection section, choose IdP signs entire SAML response.
  9. Under the User Identity section, provide the following values.
    1. Identifier Type: emailAddress
    2. Property: mail

  10. Click Next Step.
  11. On the User Access page, choose the access policy you want to use to determine which users can access the application, and click Next Step.
  12. On the Portal Display page, configure the portal display and other settings.
  13. Click Next Step
  14. On the Fulfillment page, configure your preferred settings or leave the Fulfillment toggle disabled as it is, and click Save and Finish.
  15. Click Publish Changes and wait for the operation to be completed.
    After publishing, your application is enabled for SSO. 
  16. Navigate to the newly created application from Applications > Applications and choose Export Metadata in the Edit drop-down list.
    This metadata will be used later in the PAN-OS configuration.

  

Configure PAN-OS

Perform these steps to configure PAN-OS.
Procedure

  1. Log in to the PAN-OS admin web interface with the PAN-OS default admin user or any other admin https://IP-address-of-PANOS.
  2. Navigate to Device > Server Profiles > SAML Identity Provider.
  3. Click Import to create the SAML Identity Provider.
  4. Specify the Profile Name.
  5. Under the Identity Provider Configuration section:
    1. Browse the Identity Provider Metadata file, which we exported from CAS configuration.
    2. Clear the Validate Identity Provider Certificate checkbox.
  6. Click OK.
    The SAML Identity Provider is created and displays the Identity Provider and SSO Service URL details as per the metadata file.
  7. Navigate to Device > Authentication Profile and create a profile as follows:
    1. Under the Authentication Profile > Authentication section, specify the name.
    2. In the Type drop-down list, select SAML.
    3. In the IdP Service Profile drop-down list, select the SAML Identity Provider in the previous steps.
    4. Under User Attributes in SAML Messages, specify email as Username Attribute
  8. Navigate to the Advanced tab and click Add.
  9. Select the user from the list and click OK to complete the Authentication Profile.
  10. Click Commit to save the configurations on PAN-OS. 

The configuration is complete.

Related Articles

Trending Articles

Don't see what you're looking for?