Palo Alto NGFW Global Protect - SAML My Page SSO Configuration - RSA Ready Implementation Guide
17 days ago
Originally Published: 2023-03-29

This article describes how to integrate Palo Alto NGFW Global Protect with RSA Cloud Access Service (CAS) using My page SSO.

    

Configure CAS

Perform these steps to configure CAS for My Page SSO.

Procedure

  1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Search for Palo Alto Networks - Captive Portal, and then click Add
  3. On the Basic Information page, choose Cloud.
  4. Enter the name for the application and click Next Step.
  5. On the Connection Profile page, navigate to the Initiate SAML Workflow section and choose IdP-initiated.
  6. Under Data Input Method, choose Enter Manually.
  7. Scroll down to the Service Provider section. The following fields should be in the following format:
    1. Assertion Consumer Service (ACS) URL: https://<FQDN or IP>:443/SAML20/SP/ACS
    2. Service Provider Entity ID: https://<FQDN or IP>:443/SAML20/SP
  8. Under the Message Protection section, choose IdP signs assertion within response.
  9. Under the User Identity section, select unspecified as Identifier Type and mail as Property.
  10. In the Statement Attributes section, make sure to match the Attribute Name with what is configured in the Palo Alto NGFW SAML configuration. You can send adminrole to give authorization to the users, also group to return the groups the user is part of. You can also configure Access Domain Attribute if needed from the Palo Alto side.
     
  11. Click Next Step.
  12. On the User Access page, choose the access policy you want to use to determine which users can access the application, and then click Next Step.
  13. On the Portal Display page, configure the portal display and other settings.
  14. Click Next Step.
  15. On the Fulfillment page, configure your preferred settings or leave the Fulfillment toggle disabled as it is.
  16. Click Save and Finish.
  17. Click Publish Changes and wait for the operation to be completed.
    Your application is now enabled for SSO. 
  18. Navigate to the newly created application from Application.
  19. In the Edit drop-down list, choose Export Metadata. This metadata will be used later in the Palo Alto configuration.

    

Configure Palo Alto NGFW Global Protect

Perform these steps to configure Palo Alto NGFW Global Protect.

Procedure 

  1. Log in to the Palo Alto Admin UI and navigate to Device > SAML Identity Provider > Import.
  2. Import the metadata downloaded earlier from RSA and click OK.
  3. Click the imported Identity Provider Server profile and verify its details.
  4. Click OK.
  5. In the left pane, click Authentication Profile. A SAML Authentication Profile will be created and tied to the SAML Identity Provider Server created earlier. 
  6. On the Authentication Profile section:
    1. In the Type drop-down list, choose SAML.
    2. In the IdP Server Profile drop-down list, choose the IdP Server Profile that was created earlier.
    3. Under User Attributes in SAML Messages from IDP, choose the same attributes used in RSA. 
  7. Navigate to the Advanced tab.
    It displays the users who will be permitted to use this profile. 
  8. To configure Global Protect, navigate to Network > Global Protect > Portals and click Add to add a new Global Protect Portal or open an existing portal and edit the Authentication settings of the portal.
  9. On the Global Protect Portal Configuration page, navigate to Authentication and click Add under Client Authentication.
  10. On the Client Authentication screen, choose a name, and in the Authentication Profile drop-down list, choose the profile that was created earlier.
  11. On the Allow Authentication with User Credentials OR Client Certificate drop-down list, choose Yes.
  12. To apply the RSA Authentication on the gateway also:
    1. Go to Network > Global Protect > Gateways > click Add to add a new Global Protect gateway or open an existing gateway and edit the Authentication settings of the gateway.
    2. On the Global Protect Gateway Configuration page, navigate to Authentication and click Add under Client Authentication.
    3. Choose a pre-created SSL/TLS Service profile created for the environment. 
  13. On the Client Authentication page, choose a name, and in the Authentication Profile drop-down list, choose the profile that was created earlier.
  14. In the Allow Authentication with User Credentials OR Client Certificate drop-down list, choose Yes.

 

The configuration is complete.

Related Articles

Trending Articles

Don't see what you're looking for?