Certified: November 20, 2022
This section describes Palo Alto NGFW integration with RSA SecurID (or ID Plus). Use this information to determine which use case and integration type your deployment will employ.
RSA MFA API (REST) integrations can provide a rich user interface with all RSA SecurID Access features within the partner application. Refer to the Supported Features section in this guide to see which features this partner application has implemented.
RADIUS integrations provide a text driven interface for RSA SecurID Access within the partner application. RADIUS provides support for most RSA SecurID Access authentication methods and flows.
SSO integrations use SAML 2.0 or HFED technologies to direct users’ web browsers to Cloud Authentication Service for authentication. SSO provides Single Sign-On using the IDR My Applications/My Page Portal.
Relying party integrations use SAML 2.0 to direct users’ web browsers to Cloud Authentication Service for authentication. Primary authentication is configurable, so relying party can be a good choice for adding additional authentication (only) to existing deployments.
This section shows all the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA SecurID Access component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA SecurID Access with Palo Alto NGFW using each integration type.
Authentication Methods | RSA MFA API (REST) | RADIUS | Relying Party | SSO
---|---|---|---|---
RSA SecurID | - | ✓ | ✓ | ✓
LDAP Password | - | ✓ | ✓ | ✓
Authenticate Approve | ✓ | ✓ | ✓ | ✓
Authenticate OTP | ✓ | ✓ | ✓ | ✓
Device Biometrics | - | ✓ | ✓ | ✓
SMS OTP | - | ✓ | ✓ | ✓
Voice OTP | - | ✓ | ✓ | ✓
FIDO Security Key | - | - | |

Authentication Methods | RSA MFA API (REST) | RADIUS | Authentication Agent
---|---|---|---
RSA SecurID | - | ✓ | -
Risk Based Authentication | - | - | -

Symbol | Meaning
---|---
✓ | Supported
- | Not Supported
n/a | Not Applicable
n/t | Not yet tested or documented, but may be possible
Note: The RSA SecurID Access authentication methods are referred to by different names in the Palo Alto NGFW user interface. Authenticate Approve is referred to as “Push” and Authenticate OTP is referred to as “PIN Code”.
This section contains instruction steps that show how to integrate Palo Alto NGFW with RSA SecurID using all of the integration types.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All RSA SecurID and Palo Alto NGFW components must be installed and working prior to the integration.
All of the supported use cases of RSA SecurID Access with Palo Alto NGFW require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
Previous Version | New Version | Examples/Comments
---|---|---
Company ID | Organization ID |
Account | Credential |
Token | OTP Credential | SecurID OTP Credential
Tokencode | OTP/Access Code | SecurID OTP, SMS OTP, Voice OTP, Emergency Access Code, Disable Access Code
Hardware Token | Hardware Authenticator |
Device Serial Number | Binding ID |
Device | Credential/Authenticator |
Device Registration Code | Registration Code |
Authenticate App | Authenticator App |
Multi-Factor Authentication (REST API) Authentication Methods.
Palo Alto NGFW supports Authenticate Approve and Authenticate OTP authentication methods only. When you select an RSA assurance policy you must ensure that one or both methods will be available at the specified assurance level, or the user will not be able to authenticate.
Configuration for Authentication Manager to have LDAP + Passcode.
When Palo Alto is configured to use LDAP on the Portal and RADIUS on the Gateway, some versions of Palo Alto send the LDAP password to RSA Authentication Manager in the RADIUS request as an extra packet, in addition to what they send to the LDAP server. As a result you will see a Passcode Format Error followed by a success once the RADIUS exchange completes. This should not lock users out, because there are no consecutive rejects as long as the RADIUS timeout is configured correctly.
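A small triage routine for telling this benign pattern apart from a genuine run of rejects that could lock a user out, written here as an added example (not from the guide or from RSA). The log line format, result codes, RADIUS timeout and lockout threshold are constructed assumptions, not Authentication Manager's real ones:

```python
"""Triage per-user RADIUS results from RSA Authentication Manager logs.

Added example, not from the RSA Ready guide. A Passcode Format Error caused by
Palo Alto's extra LDAP-password packet, followed within the RADIUS timeout by a
success for the same user, is benign; consecutive rejects with no success in
between are what can lock a user out. Log format, result codes and thresholds
are constructed for this example, not Authentication Manager's real ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <result>"
SAMPLE_LOG = """\
2022-11-20T10:00:00 alice PASSCODE_FORMAT_ERROR
2022-11-20T10:00:01 alice AUTHENTICATION_SUCCESS
2022-11-20T10:05:00 bob PASSCODE_FORMAT_ERROR
2022-11-20T10:05:12 bob PASSCODE_INCORRECT
2022-11-20T10:05:30 bob PASSCODE_INCORRECT
2022-11-20T10:10:00 carol PASSCODE_FORMAT_ERROR
2022-11-20T10:11:30 carol AUTHENTICATION_SUCCESS
"""
RADIUS_TIMEOUT = timedelta(seconds=30)  # assumed RADIUS timeout configured on Palo Alto
LOCKOUT_THRESHOLD = 3                   # assumed consecutive-failure lockout count in AM


def parse_log(text):
    """Group (timestamp, result) events by user, preserving log order."""
    events = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        ts, user, result = line.split()
        events[user].append((datetime.fromisoformat(ts), result))
    return events


def classify(events, timeout=RADIUS_TIMEOUT, threshold=LOCKOUT_THRESHOLD):
    """Label one user's ordered events: ok (no reject), benign_double_packet
    (each reject followed by a success within the timeout), review (success came
    late or never) or lockout_risk (threshold consecutive rejects)."""
    verdict, consecutive, last_reject = "ok", 0, None
    for ts, result in events:
        if result == "AUTHENTICATION_SUCCESS":
            if last_reject is not None and ts - last_reject > timeout:
                verdict = "review"
            elif last_reject is not None and verdict == "ok":
                verdict = "benign_double_packet"
            consecutive, last_reject = 0, None
        else:
            consecutive, last_reject = consecutive + 1, ts
            if consecutive >= threshold:
                return "lockout_risk"
    return "review" if last_reject is not None else verdict


def triage(text=SAMPLE_LOG):
    """Return {user: label} for every user in the log."""
    return {user: classify(ev) for user, ev in parse_log(text).items()}
```

Running `triage()` on the constructed sample labels alice as the benign double-packet case, bob as a lockout risk and carol for review because her success arrived after the assumed timeout.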
FIDO Authentication Not Working with Global Protect Embedded Browser.
The Palo Alto GlobalProtect VPN client does not support FIDO in its own embedded browser. You must follow this section to use your OS default web browser instead; you can also check this KB for further setup details and scenarios.
RSA Authentication Manager 8.7 Patch 1, Virtual Appliance or later
Palo Alto NGFW 10.1.7, Virtual Appliance
RSA Ready certification by Mahmoud Dawoud