Tutorial: Azure AD SSO Integration with Palo Alto Networks - Admin UI - Microsoft Inside (2023)


This tutorial shows you how to integrate Palo Alto Networks - Admin UI with Azure Active Directory (Azure AD). When you integrate Palo Alto Networks - Admin UI with Azure AD, you can:

  • Control who has access to the Palo Alto Networks - Admin UI in Azure AD.
  • Allow your users to automatically sign in to the Palo Alto Networks - Admin UI with their Azure AD accounts.
  • Manage your accounts in one place - the Azure portal.

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.
  • A Palo Alto Networks - Admin UI subscription with single sign-on (SSO) enabled.
  • The firewall's administration UI must be reachable at a public address; see the Palo Alto Networks documentation for details.

Scenario description

In this tutorial, you configure and test Azure AD SSO in a test environment.

  • Palo Alto Networks - Admin UI supports SP-initiated SSO.
  • Palo Alto Networks - Admin UI supports just-in-time user provisioning.

Add Palo Alto Networks - Admin UI from Gallery

To configure Palo Alto Networks - Admin UI integration with Azure AD, you must add Palo Alto Networks - Admin UI to your list of managed SaaS apps from the gallery.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. In the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, type Palo Alto Networks - Admin UI in the search box.
  6. Select Palo Alto Networks - Admin UI from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Alternatively, you can also use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration. Learn more about Microsoft 365 wizards.

Configure and test Azure AD SSO for Palo Alto Networks - Admin UI

In this section, you configure and test Azure AD single sign-on with Palo Alto Networks - Admin UI based on a test user called B.Simon. For single sign-on to work, a link relationship between an Azure AD user and the related user in Palo Alto Networks - Admin UI needs to be established.

Follow these steps to configure and test Azure AD SSO with Palo Alto Networks - Admin UI:

  1. Configure Azure AD SSO - to enable your users to use this feature.
    1. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
    2. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
  2. Configure Palo Alto Networks - Admin UI SSO - to configure the single sign-on settings on the application side.
    1. Create Palo Alto Networks - Admin UI test user - to have a counterpart of B.Simon in Palo Alto Networks - Admin UI that is linked to the Azure AD representation of the user.
  3. Test SSO - to verify whether the configuration works.

Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal.

  1. In the Azure portal, on the Palo Alto Networks - Admin UI application integration page, find the Manage section and select Single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.


  4. In the Basic SAML Configuration section, do the following:

    a. In the Identifier text box, enter a URL in the following format: https://<Customer Firewall FQDN>:443/SAML20/SP

    b. In the Reply URL text box, enter the Assertion Consumer Service (ACS) URL in the following format: https://<Customer Firewall FQDN>:443/SAML20/SP/ACS

    c. In the Sign on URL text box, enter a URL in the following format: https://<Customer Firewall FQDN>/php/login.php

    Note

    These values are not real. Update them with the actual Identifier, Reply URL, and Sign on URL. Contact the Palo Alto Networks - Admin UI client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

    Port 443 is required on the Identifier and the Reply URL because these values are hardcoded in the Palo Alto firewall. Removing the port number causes the login to fail. The Identifier must match the firewall's SAML service provider entity ID exactly, and Azure AD only posts the SAML response to a registered Reply URL, so a mismatch in scheme, host, port, or path shows up as a failed login rather than as a configuration warning.

  5. The Palo Alto Networks - Admin UI application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

    Note

    Because the attribute values are only examples, map the appropriate values for username and adminrole. There is another optional attribute, accessdomain, which is used to restrict administrator access to specific virtual systems on the firewall.

  6. In addition to the above, the Palo Alto Networks - Admin UI application expects a few more attributes to be returned in the SAML response, shown below. These attributes are also pre-populated, but you can revise them according to your needs.

    Name | Source attribute
    username | user.userprincipalname
    adminrole | user manager

    Note

    The Name value, shown above as adminrole, must have the same value as the Admin Role Attribute, which is configured in step 12 of the Configure Palo Alto Networks - Admin UI SSO section. The Source attribute value, shown above as user manager, must have the same value as the Admin Role Profile name, which is configured in step 9 of the Configure Palo Alto Networks - Admin UI SSO section. In other words, the assertion must carry an attribute named adminrole whose value is the constant profile name (fwadmin in the example in that section), not a per-user directory attribute; the firewall matches that value against its configured admin role profiles.

  7. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML from the given options as per your needs and save it to your computer.

  8. In the Set up Palo Alto Networks - Admin UI section, copy the appropriate URLs according to your needs.
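The following Python script is an added example (not part of this tutorial and not Microsoft or Palo Alto Networks code). It checks the three Basic SAML Configuration values against the patterns in step 4, including the explicit port 443, and reads the Federation Metadata XML from step 7 to show what the firewall profile will import: the entityID, the HTTP-Redirect SSO and SLO endpoints, and the SHA-256 fingerprint of the signing certificate. The firewall FQDN fw.example.com, the tenant ID, and the certificate bytes in SAMPLE_METADATA are constructed placeholders.

```python
"""Check the Basic SAML Configuration values for a PAN-OS admin UI and inspect
the Federation Metadata XML that Azure AD exports.

Added example for this tutorial; not Microsoft or Palo Alto Networks code.
SAMPLE_METADATA is constructed: the tenant ID, endpoints and certificate bytes
are placeholders shaped like an Azure AD metadata document.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def check_sp_urls(identifier: str, reply_url: str, sign_on_url: str) -> list[str]:
    """Return the problems found; an empty list means the values follow the
    patterns the tutorial requires: https, an explicit :443 on the Identifier
    and Reply URL, the PAN-OS paths, and one firewall host throughout."""
    problems = []
    for name, url, path in (
        ("Identifier", identifier, "/SAML20/SP"),
        ("Reply URL", reply_url, "/SAML20/SP/ACS"),
    ):
        p = urlparse(url)
        if p.scheme != "https":
            problems.append(f"{name}: scheme must be https")
        if p.port != 443:  # urlparse gives None when the port is omitted
            problems.append(f"{name}: port 443 must be written explicitly")
        if p.path != path:
            problems.append(f"{name}: path must be {path}")
    host = urlparse(identifier).hostname
    if urlparse(reply_url).hostname != host:
        problems.append("Reply URL host differs from Identifier host")
    s = urlparse(sign_on_url)
    if s.scheme != "https" or s.hostname != host or s.path != "/php/login.php":
        problems.append("Sign on URL must be https://<firewall FQDN>/php/login.php")
    return problems


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the firewall profile will use from the IdP metadata:
    entityID (the assertion Issuer), SSO and SLO endpoints, and the SHA-256
    fingerprint of each signing certificate, for comparison in the PAN-OS UI."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag: str):
        el = idp.find(f"md:{tag}[@Binding='{REDIRECT}']", NS)
        return el.get("Location") if el is not None else None

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("SingleSignOnService"),
        "slo_url": endpoint("SingleLogoutService"),
        "signing_cert_sha256": fingerprints,
    }


# Constructed placeholders, not a real tenant or certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
DUMMY_CERT_DER = b"placeholder-der-bytes-not-a-certificate"
DUMMY_CERT_SHA256 = hashlib.sha256(DUMMY_CERT_DER).hexdigest()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(DUMMY_CERT_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    fw = "fw.example.com"  # placeholder firewall FQDN
    print(check_sp_urls(f"https://{fw}:443/SAML20/SP", f"https://{fw}:443/SAML20/SP/ACS", f"https://{fw}/php/login.php"))
    print(check_sp_urls(f"https://{fw}/SAML20/SP", f"https://{fw}:443/SAML20/SP/ACS", f"https://{fw}/php/login.php"))
    print(parse_idp_metadata(SAMPLE_METADATA))
```

To use it on the real download, call parse_idp_metadata(open("metadata.xml").read()). The fingerprint is what you compare against the certificate shown in the PAN-OS SAML Identity Provider profile after import, and the SSO Location should be the tenant-specific login.microsoftonline.com URL; the /common/ endpoint appears in this tutorial only as the sign-out URL.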

Create an Azure AD test user

In this section, you'll create a test user named B.Simon in the Azure portal.

  1. In the left pane of the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter B.Simon.
    2. In the User name field, enter username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Click Create.

Assign the Azure AD test user

In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Palo Alto Networks - Admin UI.

  1. In the Azure portal, select Enterprise applications, and then select All applications.
  2. In the applications list, select Palo Alto Networks - Admin UI.
  3. On the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog.
  5. In the Users and groups dialog, select B.Simon from the users list, then click the Select button at the bottom of the screen.
  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see the Default Access role selected.
  7. In the Add Assignment dialog, click the Assign button.

Configure Palo Alto Networks - Administrator UI SSO

  1. Open the Palo Alto Networks Firewall Admin UI as an administrator in a new window.

  2. Select the Device tab.

  3. In the left pane, select SAML Identity Provider, and then select Import to import the metadata file.

  4. In the Import SAML Identity Provider Server Profile window, do the following:

    a. In the Profile Name box, enter a name (for example, AzureAD Admin UI).

    b. Under Identity Provider Metadata, select Browse, and select the metadata.xml file that you downloaded earlier from the Azure portal.

    c. Clear the Validate Identity Provider Certificate check box.

    With this box cleared, the firewall does not validate the IdP signing certificate from the metadata against a certificate authority; it still uses that certificate to verify assertion signatures. On PAN-OS releases affected by CVE-2020-2021, this configuration (SAML authentication with identity provider certificate validation disabled) allowed an unauthenticated attacker to bypass authentication, so confirm the firewall runs a release that fixes that advisory before exposing the admin UI, and re-import the metadata when Azure AD rolls over its signing certificate.

    d. Select OK.

    e. To commit the configuration to the firewall, select Commit.

  5. In the left pane, select SAML Identity Provider, and then select the SAML identity provider profile (for example, AzureAD Admin UI) that you created in the previous step.

  6. In the SAML Identity Provider Server Profile window, do the following:

    a. In the Identity Provider SLO URL field, replace the previously imported SLO URL with the following URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

    b. Select OK.

  7. In the Palo Alto Networks Firewall Admin UI, select Device, and then select Admin Roles.

  8. Select the Add button.

  9. In the Admin Role Profile window, in the Name field, provide a name for the admin role (for example, fwadmin). The admin role name must match the value of the SAML admin role attribute that the identity provider sends. The admin role attribute name and value were created in the User Attributes section in the Azure portal.

  10. In the firewall Admin UI, select Device, and then select Authentication Profile.

  11. Select the Add button.

  12. In the Authentication Profile window, do the following:

    a. In the Name field, enter a name (for example, AzureSAML_Admin_AuthProfile).

    b. In the Type drop-down list, select SAML.

    c. In the IdP Server Profile drop-down list, select the appropriate SAML identity provider server profile (for example, AzureAD Admin UI).

    d. Select the Enable Single Logout check box.

    e. In the Admin Role Attribute box, enter the attribute name (for example, adminrole).

    f. Select the Advanced tab, and then under Allow List, select Add.

    g. Select the all check box, or select the users and groups that can authenticate with this profile.
    When a user authenticates, the firewall matches the associated username or group against the entries in this list. If you don't add entries, no user can authenticate. Prefer listing named administrators or an administrator group over all: the Allow List is the firewall-side control over which federated identities may reach the admin UI, independent of the assignment in Azure AD.

    h. Select OK.

  13. To enable administrators to use SAML SSO with Azure, select Device > Setup. In the Setup area, select the Management tab, and then under Authentication Settings, select the Settings ("gear") button.

  14. Select the SAML authentication profile that you created in the Authentication Profile window (for example, AzureSAML_Admin_AuthProfile).

  15. Select OK.

  16. To commit the configuration, select Commit.
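To make the relationship between the Azure AD attribute mapping (step 6 of Configure Azure AD SSO), the Admin Role Profile name (step 9 above) and the Allow List (step 12g above) concrete, here is an added Python example that performs the same attribute checks on a constructed assertion. It is not Palo Alto Networks code and does not reproduce the firewall's implementation; it assumes the tutorial's example names adminrole and fwadmin, treats a multi-valued or missing role attribute as a rejection (a conservative choice made for this example), and omits XML signature verification, which a real service provider must perform before trusting any attribute.

```python
"""Mirror the attribute checks that a PAN-OS SAML authentication profile
applies to an Azure AD assertion: the username attribute, the admin role
attribute whose value must name an Admin Role Profile, and the Allow List.

Added example for this tutorial; not Palo Alto Networks code and not the
firewall's actual implementation. GOOD_ASSERTION is constructed and unsigned;
the profile defaults are the tutorial's examples (adminrole, fwadmin).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass
class AuthProfile:
    """Subset of the authentication profile fields used in the tutorial."""
    username_attribute: str = "username"        # attribute the IdP sends as the username
    admin_role_attribute: str = "adminrole"      # Admin Role Attribute (step 12e)
    admin_role_profiles: frozenset = frozenset({"fwadmin"})  # Admin Role Profile names (step 9)
    allow_list: frozenset = frozenset()          # Allow List (step 12g); empty means nobody


def attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect the AttributeStatement as name -> list of values."""
    root = ET.fromstring(assertion_xml)
    out: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name", ""), []).extend(values)
    return out


def authorize(assertion_xml: str, profile: AuthProfile) -> tuple[bool, str]:
    """Decide whether the assertion's attributes admit the user and with which
    Admin Role Profile. Signature, Issuer and Audience checks are assumed to
    have passed already; never trust attributes from an unverified assertion."""
    attrs = attributes(assertion_xml)
    users = attrs.get(profile.username_attribute, [])
    if len(users) != 1 or not users[0]:
        return False, f"assertion must carry exactly one '{profile.username_attribute}' value"
    user = users[0]
    # Allow List: an empty list matches nobody; PAN-OS also accepts the keyword 'all'.
    if not profile.allow_list:
        return False, "Allow List is empty, so no user can authenticate"
    if user not in profile.allow_list and "all" not in profile.allow_list:
        return False, f"{user} is not on the Allow List"
    roles = attrs.get(profile.admin_role_attribute, [])
    if len(roles) != 1:
        return False, f"expected exactly one '{profile.admin_role_attribute}' value, got {len(roles)}"
    if roles[0] not in profile.admin_role_profiles:
        return False, f"'{roles[0]}' is not a configured Admin Role Profile"
    return True, f"{user} signs in with Admin Role Profile {roles[0]}"


# Constructed, unsigned assertion shaped like the one Azure AD would send for
# the tutorial's test user; the tenant ID is a placeholder.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>B.Simon@contoso.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>B.Simon@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="adminrole"><saml:AttributeValue>fwadmin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    listed = AuthProfile(allow_list=frozenset({"B.Simon@contoso.com"}))
    print(authorize(GOOD_ASSERTION, listed))
    print(authorize(GOOD_ASSERTION, AuthProfile()))                                # empty Allow List
    print(authorize(GOOD_ASSERTION.replace("fwadmin", "superuser"), listed))       # unknown role profile
    print(authorize(GOOD_ASSERTION.replace('Name="adminrole"', 'Name="role"'), listed))  # wrong attribute name
```

The last two cases are the misconfigurations the tutorial's notes warn about: a Source attribute value in Azure AD that does not equal an Admin Role Profile name, and an Admin Role Attribute name on the firewall that differs from the claim name in Azure AD. Both produce a failed login with no change to the Azure AD side, so check the assertion's attribute names and values first when troubleshooting.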

Create Palo Alto Networks - Admin UI test user

Palo Alto Networks - Admin UI supports just-in-time user provisioning. If a user doesn't already exist, it is created automatically in the system after successful authentication. There is no action item for you to create the user. The user must still be covered by the authentication profile's Allow List and must present an admin role attribute that matches a configured Admin Role Profile.

Test SSO

In this section, you test your Azure AD single sign-on configuration with the following options.

  • Click Test this application in the Azure portal. This will redirect to the Palo Alto Networks - Admin UI Sign on URL, where you can initiate the login flow.

  • Go to the Palo Alto Networks - Admin UI Sign on URL directly and initiate the login flow from there.

  • You can use Microsoft My Apps. When you click the Palo Alto Networks - Admin UI tile in My Apps, you should be signed in to the Palo Alto Networks - Admin UI for which you set up SSO. For more information about My Apps, see Introduction to My Apps.

Next steps

Once you configure Palo Alto Networks - Admin UI, you can enforce session control, which protects against exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.

Article information

Author: Delena Feil

Last Updated: 12/23/2022
