Certified: December 25, 2025
Solution Summary
This article describes Palo Alto NGFW integration with RSA ID Plus. Use this information to determine which use case and integration type your deployment will employ. The supported use cases are Global Protect, Captive Portal, and Admin UI authentication.
Use Case
Palo Alto NGFW can be integrated with RSA, depending on the use case, using RADIUS, SAML My Page SSO, IDR SSO, SAML Relying Party, and RSA MFA API (REST). When integrated, users must authenticate with RSA to access the applied Palo Alto use case.
Integration Types
RSA MFA API (REST) integrations can provide a rich user interface with all RSA ID Plus features within the partner application. Refer to the Supported Features section in this article to see which features this partner application has implemented.
RADIUS integrations provide a text-driven interface for RSA within Palo Alto NGFW. RADIUS provides support for most RSA authentication methods and flows.
Relying Party integrations use SAML 2.0 to direct users’ web browsers to CAS for authentication. With Relying Party integration, CAS can manage either additional authentication only or both primary authentication (for example, user ID and password) and additional authentication, depending on the service provider's capability.
SSO integrations use SAML 2.0 or HFED technologies to direct users' web browsers to Cloud Access Service (CAS) for authentication. SSO provides Single Sign-On using the IDR My Applications/My Page Portal. My Page SSO provides Single-Sign-On to Palo Alto NGFW users leveraging the RSA self-service portal, My Page.
Existing SSO integrations using IDR My Applications continue to be supported and will be listed in this document as applicable.
Note: RSA will continue to maintain existing SAML SSO integrations using IDR My Applications. At a to-be-determined future date, RSA will announce the end-of-life (EOL) date for the SAML SSO support with the IDR. For more information Available Now: My Page SSO Enhancements.
Supported Features
This section shows all the supported features by integration type and by RSA components. Use this information to determine which integration type and RSA component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA with Palo Alto NGFW using each integration type.
Palo Alto NGFW with CAS
| Authentication Methods | RSA MFA API (REST) | RADIUS | Relying Party | SSO |
| Approve | ||||
| LDAP Password | - | - | ||
| SecurID OTP | - | |||
| Authenticate OTP | ||||
| Device Biometrics | - | |||
| SMS OTP | - | |||
| Voice OTP | - | |||
| FIDO Security Key | - | - | ||
| QR Code | - | - | ||
| Emergency Access Code | - |
Palo Alto NGFW Integration with RSA Authentication Manager (AM)
| Authentication Methods | RSA MFA API (REST) | RADIUS | Authentication Agent |
|---|---|---|---|
| RSA SecurID | - | - | |
| On Demand Authentication | - | - | - |
| Risk-Based Authentication | - | - | - |
| Supported | |
| - | Not supported |
| n/t | Not yet tested or documented, but may be possible |
| n/a | Not applicable |
Configuration Summary
This section contains instruction steps that show how to integrate Palo Alto NGFW with RSA using all of the integration types.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.
All RSA and Palo Alto NGFW components must be installed and working prior to the integration.
This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
Integration Configuration
CAS
Global Protect
- Palo Alto NGFW Global Protect - SAML My Page SSO Configuration - RSA Ready Implementation Guide
- Palo Alto NGFW 10.1.7 - SAML IDR SSO Configuration - RSA Ready Implementation Guide
- Palo Alto NGFW Global Protect - SAML Relying Party Configuration - RSA Ready Implementation Guide
- Palo Alto NGFW Global Protect - RADIUS Configuration in Cloud Access Service- RSA Ready Implementation Guide
Captive Portal
- Palo Alto NGFW 10.1.7 - REST API Configuration - RSA Ready Implementation Guide
- PAN-OS - RSA Ready Implementation Guide
Admin UI
AM
Global Protect
- Palo Alto NGFW 10.1.7 - RADIUS Configuration - RSA Ready Implementation Guide
- How to Configure Palo Alto Global Protect VPN to support RSA AM to be LDAP + Passcode
Admin UI
References
RSA Terminology Changes
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
| Previous Version | New Version | Examples/Comments |
| Cloud Authentication Service | Cloud Access Service | |
| Token | OTP Credential | SecurID OTP Credential |
| Authenticator | Hardware Authenticator | |
| Tokencode | OTP | SecurID OTP, SMS OTP, Voice OTP |
| Access Code | Emergency Access Code | |
| SecurID Authenticate app | RSA Authenticator app | RSA Authenticator app for iOS and Android, RSA Authenticator app for Windows |
| Device | Authenticator | Register an authenticator |
| Company ID | Organization ID | |
| Account | Credential | |
| Device Serial Number | Binding ID |
Certification Details
CAS
AM 8.7 Patch 1, Virtual Appliance or later
Palo Alto NGFW 11.1.10
Known Issues
Multi-Factor Authentication (REST API) Authentication Methods.
Palo Alto NGFW supports Authenticate Approve and Authenticate OTP authentication methods only. When you select an RSA assurance policy you must ensure that one or both methods will be available at the specified assurance level, or the user will not be able to authenticate.
Configuration for Authentication Manager to have LDAP + Passcode.
Palo Alto, in the Configuration used to enable LDAP on Portal and RADIUS in Gateway, in some versions, Palo Alto sends the LDAP password to the RSA AM in the RADIUS request as an extra packet + what it sends to the LDAP server, so you will get Passcode Format Error followed by succeeded after RADIUS is completed. It should not lock users, as there are no consecutive rejects if the RADIUS timeout is configured correctly.
FIDO Authentication Not Working with Global Protect Embedded Browser.
Palo Alto Global Protect VPN Client does not support FIDO using its own embedded browser; you must follow this Section to use your OS default web browser instead. You can also check this KB for further setup and scenarios.
