Palo Alto NGFW Global Protect - SAML Relying Party Configuration - RSA Ready Implementation Guide
Originally Published: 2023-03-29

This article describes how to integrate Palo Alto NGFW Global Protect with RSA Cloud Access Service (CAS) using Relying Party.

Configure CAS

Perform these steps to configure CAS using the Relying Party.

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML.
  5. On the Basic Information page, enter the name for the application in the Name field.
  6. Click Next Step.
  7. On the Authentication page, choose RSA manages all authentication.
  8. In the 2.0 Access Policy for Authentication drop-down list, select a policy that was previously configured, and then click Next Step.
  9. Under Data Input Method, choose Enter Manually.
  10. Scroll down to the Service Provider section and enter the following fields in this format:
    1. Assertion Consumer Service (ACS) URL: https://<FQDN or IP>:443/SAML20/SP/ACS
    2. Service Provider Entity ID: https://<FQDN or IP>:443/SAML20/SP
  11. Under the Message Protection section, choose IdP signs entire SAML response.
  12. Scroll down to the User Identity section and select the following:
    1. Identifier Type: unspecified
    2. Property: mail

  13. In the Statement Attributes section, make sure the Attribute Name values match what is configured in the Palo Alto NGFW SAML authentication profile. You can send adminrole to authorize users and group to return the groups the user belongs to. You can also configure an Access Domain attribute if it is needed on the Palo Alto side.
  14. Click Next Step.
  15. Click Save and Finish.
  16. Click Publish Changes and wait for the operation to be completed.
    Your application is now enabled for SSO.
  17. Under My Relying Parties, navigate to the newly created one.
  18. In the Edit drop-down list, choose Metadata and download the IdP metadata file; it is imported into the firewall in the next procedure.

Configure Palo Alto NGFW Global Protect

Perform these steps to configure Palo Alto NGFW Global Protect.

Procedure

  1. Log in to the Palo Alto Admin UI and navigate to Device > SAML Identity Provider > Import.
  2. Import the metadata downloaded earlier from RSA and click OK.
  3. Click the imported Identity Provider Server profile and verify its details.
  4. Click OK.
  5. In the left pane, click Authentication Profile. Create a SAML Authentication Profile tied to the SAML Identity Provider Server profile imported earlier.
  6. On the Authentication Profile section:
    1. In the Type drop-down list, choose SAML.
    2. In the IdP Server Profile drop-down list, choose the IdP Server Profile that was created earlier.
    3. Under User Attributes in SAML Messages from IDP, choose the same attributes used in RSA.
  7. Navigate to the Advanced tab.
    This tab lists the users who are permitted to use this profile.
  8. To configure Global Protect, navigate to Network > Global Protect > Portals and click Add to add a new Global Protect Portal or open an existing portal and edit the Authentication settings of the portal.
  9. On the Global Protect Portal Configuration page, navigate to Authentication and click Add under Client Authentication.
  10. On the Client Authentication screen, choose a name, and in the Authentication Profile drop-down list, choose the profile that was created earlier.
  11. In the Allow Authentication with User Credentials OR Client Certificate drop-down list, choose Yes.
  12. To apply the RSA authentication on the gateway as well:
    1. Go to Network > Global Protect > Gateways and click Add to add a new Global Protect gateway, or open an existing gateway and edit its Authentication settings.
    2. On the Global Protect Gateway Configuration page, navigate to Authentication and click Add under Client Authentication.
    3. Choose the SSL/TLS Service Profile previously created for the environment.
  13. On the Client Authentication page, choose a name, and in the Authentication Profile drop-down list, choose the profile that was created earlier.
  14. In the Allow Authentication with User Credentials OR Client Certificate drop-down list, choose Yes.
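Once both sides are configured, the details that most often break this integration are the SP identifiers entered in step 10 of the CAS procedure, where the IdP signature sits (step 11 asks for the whole Response to be signed), and attribute names that differ between the RSA Statement Attributes and the firewall's User Attributes (step 6.3 above). The following Python script is an added example, not RSA's or Palo Alto's code: it derives the ACS URL and Entity ID from a placeholder firewall FQDN in the format given in the CAS procedure, parses a constructed IdP metadata document of the kind imported in step 2, and inspects a constructed SAML response to report signature placement, the NameID format, and any expected attributes that are missing. It checks structure only and does not verify the signature cryptographically; every hostname, attribute value and certificate string is a placeholder.

```python
"""Sanity checks for an RSA CAS -> Palo Alto GlobalProtect SAML setup.

Added example, not vendor code. All hostnames, certificates and attribute
values are constructed placeholders. Nothing here verifies a signature
cryptographically; it only reports where signatures and attributes sit.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def sp_identifiers(fqdn):
    """ACS URL and SP Entity ID in the format the Relying Party expects (CAS step 10)."""
    entity_id = f"https://{fqdn}:443/SAML20/SP"
    return {"entity_id": entity_id, "acs_url": entity_id + "/ACS"}

def check_idp_metadata(xml_text):
    """Pull out what the firewall's metadata import (Palo Alto step 2) consumes."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        # Key by the short binding name, e.g. HTTP-Redirect / HTTP-POST.
        sso[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_cert_present": any(c.text and c.text.strip() for c in certs),
    }

def check_saml_response(xml_text, expected_attrs, acs_url):
    """Report signature placement, destination, NameID format and attribute coverage."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    present = {a.get("Name") for a in
               assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        # CAS step 11 puts the signature on the Response, not only on the Assertion.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "destination_matches_acs": root.get("Destination") == acs_url,
        "nameid_format": name_id.get("Format"),
        "missing_attributes": sorted(set(expected_attrs) - present),
    }

# Constructed stand-in for the metadata RSA publishes for the Relying Party.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://cas.example.invalid/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cas.example.invalid/idp/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cas.example.invalid/idp/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample response; the ds:Signature element is an empty placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://gp.example.invalid:443/SAML20/SP/ACS" ID="_r1" Version="2.0">
  <saml:Issuer>https://cas.example.invalid/idp</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://cas.example.invalid/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="adminrole"><saml:AttributeValue>placeholder-admin-role</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>placeholder-vpn-group</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def run_checks(fqdn="gp.example.invalid"):
    """Run all three checks against the constructed samples for a placeholder firewall FQDN."""
    sp = sp_identifiers(fqdn)
    return {
        "sp": sp,
        "idp": check_idp_metadata(SAMPLE_IDP_METADATA),
        "response": check_saml_response(
            SAMPLE_RESPONSE, ["mail", "adminrole", "group"], sp["acs_url"]),
    }

if __name__ == "__main__":
    for section, result in run_checks().items():
        print(section, result)
```

Feed `check_idp_metadata` the file downloaded in step 18 and `check_saml_response` a response captured from a browser's SAML trace to confirm the signature is on the Response element, the Destination equals the ACS URL entered in RSA, and the attribute names match the ones chosen in the firewall's authentication profile; any entry in `missing_attributes` means an RSA Statement Attribute name and a firewall User Attribute name disagree.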

 

The configuration is complete.