https://live.paloaltonetworks.com/t5/panorama-discussions/is-panorama-able-to-see-only-the-devices-in-their-country-with/m-p/472313#M795 <P>Hello Community,</P> <P>&nbsp;</P> <P>Customer has 2 Panorama devices in A/P. They have devices on boarded to panorama. The requirement is the specific country will be able to see only the devices in their country with RO access.</P> <P>The Authentication method will be SAML with SSO.</P> <P>Could you please suggest how this could be fulfilled and how many Metadata files and certificates will be required ?</P> <P>Do they need multiple SAML Identity provider and authentication profile configured ?</P> <P>Do they need to assign admin role and access-domain to each authentication profile ?</P> <P>Do they need to add them in sequence in the Panorama--&gt; Management---&gt; Authentication ?</P> <P>&nbsp;</P> <P>They checked following guide :</P> <P><SPAN>Identity Provider Configuration for SAML</SPAN><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP</A><BR /><SPAN>Configure SAML Authentication for Panorama Administrators</SPAN> <BR /><A href="https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-administrative-access-to-panorama/configure-administrative-accounts-and-authentication/configure-saml-authentication-for-panorama-administrators.html" target="_blank">https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-administrative-access-to-panorama/configure-administrative-accounts-and-authentication/configure-saml-authentication-for-panorama-administrators.html</A></P> <P>&nbsp;</P> <P>Customer has to provide individual country access to their specific set of firewalls. So they have to create multiple access domain for them.</P> <P>If they go by the document then they have to create multiple authentication profile and add access domain to that.</P> <P>In panorama management setting they can only add a single authentication profile.</P> <P>Also if they add multiple authentication profile per country how many SAML IDP profile they have to create?</P> <P>How many SAML metadata file we need?</P> <P>How to attach multiple authentication profile to panorama management setting?</P> <P>Authentication sequence does not work properly here as per their past experience.</P> <P>&nbsp;</P> <P>Really i m not sure if <SPAN class="Y2IQFc">country-based access control to Panorama is possible</SPAN>.</P> <P>I think that Panorama cannot filter it but i<SPAN class="Y2IQFc"> don't know if we could with the SAML idp.</SPAN></P> <P>&nbsp;</P> <P><SPAN class="Y2IQFc">Many thanks in advance for your reply.</SPAN></P> <P>&nbsp;</P> <P><SPAN class="Y2IQFc">Best regards</SPAN></P> <P>&nbsp;</P> Fri, 11 Mar 2022 14:14:13 GMT RomainCouvreur 2022-03-11T14:14:13Z https://live.paloaltonetworks.com/t5/panorama-discussions/is-panorama-able-to-see-only-the-devices-in-their-country-with/m-p/472313#M795 <P>Hello Community,</P> <P>&nbsp;</P> <P>Customer has 2 Panorama devices in A/P. They have devices on boarded to panorama. The requirement is the specific country will be able to see only the devices in their country with RO access.</P> <P>The Authentication method will be SAML with SSO.</P> <P>Could you please suggest how this could be fulfilled and how many Metadata files and certificates will be required ?</P> <P>Do they need multiple SAML Identity provider and authentication profile configured ?</P> <P>Do they need to assign admin role and access-domain to each authentication profile ?</P> <P>Do they need to add them in sequence in the Panorama--&gt; Management---&gt; Authentication ?</P> <P>&nbsp;</P> <P>They checked following guide :</P> <P><SPAN>Identity Provider Configuration for SAML</SPAN><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP</A><BR /><SPAN>Configure SAML Authentication for Panorama Administrators</SPAN> <BR /><A href="https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-administrative-access-to-panorama/configure-administrative-accounts-and-authentication/configure-saml-authentication-for-panorama-administrators.html" target="_blank">https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-administrative-access-to-panorama/configure-administrative-accounts-and-authentication/configure-saml-authentication-for-panorama-administrators.html</A></P> <P>&nbsp;</P> <P>Customer has to provide individual country access to their specific set of firewalls. So they have to create multiple access domain for them.</P> <P>If they go by the document then they have to create multiple authentication profile and add access domain to that.</P> <P>In panorama management setting they can only add a single authentication profile.</P> <P>Also if they add multiple authentication profile per country how many SAML IDP profile they have to create?</P> <P>How many SAML metadata file we need?</P> <P>How to attach multiple authentication profile to panorama management setting?</P> <P>Authentication sequence does not work properly here as per their past experience.</P> <P>&nbsp;</P> <P>Really i m not sure if <SPAN class="Y2IQFc">country-based access control to Panorama is possible</SPAN>.</P> <P>I think that Panorama cannot filter it but i<SPAN class="Y2IQFc"> don't know if we could with the SAML idp.</SPAN></P> <P>&nbsp;</P> <P><SPAN class="Y2IQFc">Many thanks in advance for your reply.</SPAN></P> <P>&nbsp;</P> <P><SPAN class="Y2IQFc">Best regards</SPAN></P> <P>&nbsp;</P> Fri, 11 Mar 2022 14:14:13 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/is-panorama-able-to-see-only-the-devices-in-their-country-with/m-p/472313#M795 RomainCouvreur 2022-03-11T14:14:13Z