Palo Alto Networks
With Delinea as your Privileged Access Service, you can choose single-sign-on (SSO) access to the Palo Alto Networks web applications with SP-initiated SAML SSO for SSO access directly through the Palo Alto Networks web application.
If Palo Alto Networks is the first application you are configuring for SSO through Privileged Access Service, read these topics before you get started:
Palo Alto Networks SSO Requirements
Before you can configure Palo Alto Networks for SSO, you need the following:
- An active Palo Alto Networks account that has account administrator rights for your organization.
Adding and Configuring Palo Alto Networks in the Admin Portal
To add and configure Palo Alto Networks in the Admin Portal:
- In Admin Portal, click Apps, then click Add Web Apps.
  The Add Web Apps screen appears.
- On the Search tab, enter the partial or full application name in the Search field and click the search icon.
- Next to the application, click Add.
- In the Add Web App screen, click Yes to confirm.
  Admin Portal adds the application.
- Click Close to exit the Application Catalog.
  The application that you just added opens to the Application Settings page.
  The description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a Certificate File for the latest information.
- If you want to use a different security certificate, set it under Additional Options.
  See Choose a Certificate File for more information.
- Click Download Identity Provider Metadata and save it on your computer.
  You will need this file when Configuring SSO for Palo Alto Networks.
- Keep this browser window open for use later in the configuration process.
Configuring SSO for Palo Alto Networks
The following steps are specific to the Palo Alto Networks application and are required in order to enable SSO for Palo Alto Networks. For information on optional Delinea Admin Portal configuration settings that you may wish to customize for your app, see Optional Configuration Settings.
To configure Palo Alto Networks for SSO:
- Open a new tab in your web browser.
  It is helpful to have the Palo Alto Networks web application and the Delinea Admin Portal Application Settings window open at the same time so that you can copy and paste settings between the two browser windows.
- In your web browser, sign in to Palo Alto Networks as Admin.
- Click the Device tab and select Server Profiles > SAML Identity Provider from the menu on the left side of the page.
- Click Import at the bottom of the page.
- Enter a Profile Name.
- (Optional) Select Administrator Use Only if you want only administrators to use SAML SSO.
- For Identity Provider Metadata, click Browse...
- Select the Identity Provider Metadata file that you downloaded in Adding and Configuring Palo Alto Networks in the Admin Portal.
- Palo Alto Networks recommends that you use a CA certificate. If you have one, select Validate Identity Provider Certificate and then refer to the Palo Alto Networks documentation to add the certificate and create a Certificate Profile.
  If you do not have a certificate from a trusted Certificate Authority (CA), you can clear Validate Identity Provider Certificate, although this is a less secure method. The default Signing Certificate provided by the Privileged Access Service Admin Portal is a self-signed certificate, not a trusted CA certificate.
- Select Validate Metadata Signature.
- In most cases you can leave Maximum Clock Skew (sec) set to the default value, but you can configure the clock skew to suit your environment. The value is the maximum allowed difference in seconds between the system times of the IdP and the firewall at the moment the firewall validates IdP messages (default is 60; range is 1 to 900). If the difference exceeds this value, authentication fails.
- Click OK.
- Select the server profile that you just created.
- On the Device tab, select Authentication Profile from the menu on the left side of the page.
- Click Add at the bottom of the page.
- Enter a Name for your profile.
- Select SAML from the Type drop-down list.
- In the IdP Server Profile drop-down list, select the name of the server profile you just created.
- Leave Certificate for Signing Requests set to None.
- (Optional) Select Enable Single Logout if you want users to also be logged out of Privileged Access Service when they sign out of the Palo Alto Networks app.
- If you selected Validate Identity Provider Certificate when you configured your server profile, select your certificate profile in the Certificate Profile field.
  Leave all the attribute values at their defaults.
- Click the Advanced tab in the Authentication Profile window.
- Add the users, groups, and roles that will use SAML SSO.
- Click OK.
- Click the Metadata link in the Authentication column for your profile to download the Service Provider Metadata file that you will upload to the Delinea Admin Portal.
- Configure the Palo Alto Networks features that should use the Authentication Profile you just created.
  Many of the other features on the Palo Alto Networks configuration page ask you to choose an Authentication Profile from a drop-down box. Whenever you see this option, choose the profile you created. After you configure each feature, click OK and then click Commit.
  After an Authentication Profile is assigned to an Administrator, that administrator can no longer sign in with a username and password.
- Return to the browser window you have open to the Application Settings page in the Delinea Admin Portal.
- Click the Upload SP Metadata button.
- Select Upload SP Metadata from a file and click Browse.
- Select the Service Provider Metadata file you downloaded from Palo Alto Networks above.
- Click OK.
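The firewall profile above is built from two things the procedure walks through: the fields it takes from the imported IdP metadata file (entityID, SSO endpoint, signing certificate) and the Maximum Clock Skew window it applies when validating IdP messages. The following is an added example, not Delinea's or Palo Alto Networks' code, that inspects a constructed metadata file for those fields and models the clock-skew check with the documented default of 60 seconds and range of 1 to 900; the entityID, URLs and certificate value are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata; all identifiers and the certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Return the fields the SAML Identity Provider server profile takes from the file.
    has_signing_cert=False means Validate Identity Provider Certificate has nothing to check."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "sso_binding": sso.get("Binding"),
        "has_signing_cert": len(certs) > 0,
    }


def _parse_saml_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def within_clock_skew(not_before, not_on_or_after, now, skew_sec=60):
    """Model the firewall's Maximum Clock Skew check: the IdP's validity window is
    accepted if the firewall clock is within skew_sec of it (default 60, range 1-900)."""
    if not 1 <= skew_sec <= 900:
        raise ValueError("Maximum Clock Skew (sec) must be between 1 and 900")
    nb, noa, t = (_parse_saml_time(x) for x in (not_before, not_on_or_after, now))
    skew = timedelta(seconds=skew_sec)
    return t + skew >= nb and t - skew < noa
```

A firewall whose clock lags the IdP by more than the configured skew will reject every assertion, so check NTP on both sides before raising the skew value.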
For more information about Palo Alto Networks
Palo Alto Networks Support:
https://live.paloaltonetworks.com/t5/custom/page/page-id/Support
Palo Alto Networks Specifications
Each SAML application is different. The following table lists features and functionality specific to Palo Alto Networks.
Capability | Supported? | Support details |
---|---|---|
Web browser client | No | |
Mobile client | No | |
SAML 2.0 | Yes | |
SP-initiated SSO | Yes | |
IdP-initiated SSO | No | |
Force user login via SSO only | Yes | After a user is configured to use SSO, they can only use SSO. |
Separate administrator login after SSO is enabled | No | We recommend that you always keep one admin user who does not use SSO. |
User or Administrator lockout risk | Yes | We recommend that you always keep one admin user who does not use SSO. |
Automatic user provisioning | No | |
Multiple User Types | Yes | Admin and User. |
Self-service password | Yes | |
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application. |