Palo Alto NGFW 10.1.7 - SAML IDR SSO Configuration - RSA Ready Implementation Guide
Originally Published: 2023-03-29

This section describes how to integrate Palo Alto NGFW with RSA Cloud Authentication Service using IDR SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service for IDR SSO.

Procedure 

  1. Navigate to the RSA Cloud Admin Console > Applications > Applications Catalog, search for Palo Alto, and add the entry that fits your deployment (all three entries share the same starter SAML configuration).
  2. In Basic Information, choose Identity Router, then click Next Step.
  3. In Connection Profile, choose SP-initiated and enter the URL in the following format:
    Connection URL: https://<FQDN or IP>
  4. In the Binding Method for SAML Request section, you can validate the SP's SAML request signatures by importing the corresponding certificate, if Palo Alto has been configured to sign SAML requests.
  5. In the Identity Provider section, you can send the Identity String as the entity ID (the default) or override it to use the full URL.
  6. For the SAML Response Signature, choose whether RSA signs the whole response or only the assertion. You can also override the certificate/private key used to sign the SAML response instead of using the Generate Cert Bundle option.
  7. In the Service Provider details, enter the values in the following formats:
    ACS URL: https://<FQDN or IP>:443/SAML20/SP/ACS
    Service Provider Entity ID: https://<FQDN or IP>:443/SAML20/SP
  8. In the User Identity section, set the identifier type to transient and map it to SAML/AccountName/Mail/UPN as required.
  9. In the Statement Attributes section, make sure each Attribute Name matches what is configured in the Palo Alto NGFW SAML configuration. You can send adminrole to authorize users, group to return the groups the user belongs to, and an Access Domain attribute if it is needed on the Palo Alto side. Then click Next Step.
  10. Choose whether to sign only the assertion within the SAML response or the whole SAML response.
  11. Choose the policy to apply, from those configured in the RSA Cloud Console under Access > Policies.
  12. In Portal Display, do not select Display in Portal, because Palo Alto NGFW does not support IdP-initiated SSO.
  13. Go to My Applications > Export Metadata.
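The settings chosen in steps 6 through 10 (response vs. assertion signing, the ACS URL and entity ID formats, the transient identifier, and the adminrole/group attribute names) all show up in the SAML Response the Identity Router sends to the firewall. The following script is an added example, not RSA or Palo Alto code: it applies the structural checks a service provider makes against such a response before cryptographic verification, using only the standard library. The host name fw.example.test, the IdP issuer string, the user and group values, and the ds:Signature element with a PLACEHOLDER value are all constructed for the example; it does not verify signatures (that needs an XML-DSig library such as xmlsec), it only reports where a signature is present so the result can be compared with the signing option selected in the RSA console.

```python
"""Structural checks on a SAML 2.0 Response addressed to a Palo Alto NGFW SP.

Added example (not RSA or Palo Alto code). Signature elements are located
but NOT cryptographically verified; that requires an XML-DSig library.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def sp_endpoints(host: str) -> dict:
    """Derive the SP entity ID and ACS URL in the formats the guide uses (step 7)."""
    base = f"https://{host}:443/SAML20/SP"
    return {"entity_id": base, "acs_url": base + "/ACS"}


def check_response(xml_text: str, host: str, expect_response_signed: bool,
                   required_attrs=("adminrole",)) -> dict:
    """Return findings for a SAML Response against the expected SP settings.

    expect_response_signed=True means the RSA side was set to sign the whole
    response; False means only the assertion is expected to carry a signature.
    required_attrs are the attribute names the Palo Alto profile expects
    (adminrole for authorization; add "group" or the access-domain attribute
    if the firewall is configured to consume them).
    """
    root = ET.fromstring(xml_text)
    endpoints = sp_endpoints(host)
    findings = []

    # Destination must be the firewall's ACS URL (step 7).
    if root.get("Destination") != endpoints["acs_url"]:
        findings.append("destination-mismatch")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "findings": findings + ["no-assertion"],
                "attributes": {}, "name_id": None}

    # Audience must be the SP entity ID (step 7).
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != endpoints["entity_id"]:
        findings.append("audience-mismatch")

    # The identifier type was configured as transient (step 8).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_TRANSIENT:
        findings.append("nameid-not-transient")

    # Signature placement must match the option chosen in steps 6/10.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = assertion.find("ds:Signature", NS) is not None
    if expect_response_signed and not response_signed:
        findings.append("response-unsigned")
    if not expect_response_signed and not assertion_signed:
        findings.append("assertion-unsigned")

    # Collect statement attributes by Name (step 9) and check the required ones.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in required_attrs:
        if name not in attributes:
            findings.append(f"missing-attribute:{name}")

    return {"ok": not findings, "findings": findings,
            "attributes": attributes,
            "name_id": name_id.text if name_id is not None else None}


# Constructed sample: host, issuer, user data and the signature are placeholders.
SAMPLE_HOST = "fw.example.test"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2023-03-29T00:00:00Z"
    Destination="https://fw.example.test:443/SAML20/SP/ACS">
  <saml:Issuer>https://idr.example.test/IdPMetadata/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-03-29T00:00:00Z">
    <saml:Issuer>https://idr.example.test/IdPMetadata/</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx123</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://fw.example.test:443/SAML20/SP</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="adminrole"><saml:AttributeValue>superreader</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>fw-admins</saml:AttributeValue><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SAMPLE_HOST, expect_response_signed=False))
```

Run with the assertion-only expectation and the sample passes; switch expect_response_signed to True and the script reports response-unsigned, which is exactly the mismatch you would see if the RSA console were set to sign only the assertion while the firewall side expects a signed response. A host name that does not match the one entered in step 7 produces both destination-mismatch and audience-mismatch.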


Configure Palo Alto NGFW

Perform these steps to configure Palo Alto NGFW for IDR SSO.

Procedure

  1. Log in to the Palo Alto admin UI, go to Device > SAML Identity Provider > Import, and import the metadata exported from the RSA Cloud Console.
  2. Open the imported IdP entry. If the RSA Cloud Console was configured to expect Palo Alto to sign SAML requests, you must select Sign SAML Message to IDP.
  3. Create an Authentication Profile associated with the SAML Identity Provider created above, under Device > Authentication Profile.
    Note: The Certificate Profile is used to validate the IdP SAML certificate. It is mandatory if you chose to validate the IdP certificate in the SAML Identity Provider configuration, so the certificate profile must contain the CA certificate(s) that signed the IdP certificate for Palo Alto NGFW to trust it.
  4. The Authentication Profile > Advanced tab lists the users permitted to use this profile.
  5. For GlobalProtect VPN configuration using the FIDO method for SAML authentication, see that section.

Configuration is complete.
