topic Re: OKTA SAML panorama authentication? in General Topics

OKTA SAML panorama authentication?

drewdown — Tue, 16 Feb 2021 16:06:53 GMT

Trying to get this working and I am able to authenticate using OKTA SAML via the button on the login screen but when I do (after entering u/p on the OKTA page) it redirects me back to the Panorama login page. I see PAN_AUTH_SCUESS SAML on the CLI but never an 'auth-sucess' in the GUI (Monitor > Logs ? System) because it never actually logs me in. The only thing I see in the GUI when attempting to login via SAML is a saml_client_redirect for that SAML profile when I attempt to use it.

Does anyone have Admin SAML logins to panorama working and if so any idea what is going on here? I dont use GP or captive-portal and I only want this working with admin logins. This is the document I followed: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-Admin-UI.html

Re: OKTA SAML panorama authentication?

S.Cantwell — Wed, 17 Feb 2021 12:40:14 GMT

SAML will work with web gui based logins, as we use it for authentication to our lab/demo equipment, as we mock up different configurations.

If I understood your comment, you see the SAML redirect (in the webpage) but does not go any further. If you are seeing this, then SAML may not be configured correctly or there is some other message.

My recommendation for you to do, is to get into CLI and run the below commands and then follow an authentication attempt for your user:

one command could be

test mfa-vendors mfa-server-profile <profile name>

another command you could run also is

tail follow yes mp-log authd.log

You would be looking for something like this...

Re: OKTA SAML panorama authentication?

drewdown — Wed, 17 Feb 2021 14:09:55 GMT

I see the redirect page, I login using my SAML u/p and then it redirects me back to the panorama login screen. I have done all those commands and have a case open with support who were less than helpful so I figured I would ask here.

For instance I test that SAML profile from the CLI and it spits out the test URL: https://<panIP>:443/SAML20/SP/TEST which when pasting into a browser opens up an OKTA authentication window, I login and it says 'signing into the Palo Alto Networks UI' or something along those lines and its back to the login screen. So authentication works it just doesn't work to actually login to panorama.

From the logs I see PAN_AUTH_SUCCESS SAML response and redirects but again it just doesn't log me in. I would copy/paste the output but not really sure what is considered sensitive in those logs.

Re: OKTA SAML panorama authentication?

S.Cantwell — Wed, 17 Feb 2021 18:32:00 GMT

Have you considered trying to use 2FA for authentication vs exlcusively SAML?

For example... we use LDAP as our first factor, and then Okta as our 2nd factor.

We authenticate first to the Panorama using , then put in Okta creds, with the popup window and then I can log in.

Re: OKTA SAML panorama authentication?

drewdown — Thu, 18 Feb 2021 14:00:43 GMT

No because I wanted to get SAML working first but DUO MFA is on the roadmap once we got SAML working.

Either way it shouldn't matter what number of authentication methods I choose it should still log me into the panorama. Whether I am using, local, LDAP, OKTA, SAML is irrelevant as those are simply authentication methods. LDAP and local works, SAML does not.

Re: OKTA SAML panorama authentication?

Zboncak — Thu, 18 Feb 2021 17:57:12 GMT

Log in to the Panorama that manages Prisma Access and configure the SAML signing certificate that you want to use with SAML 2.0. ... Configure SAML Authentication for Prisma Access Using Okta With the Prisma Access App Select. Device. ... Click. Generate. ... Select the certificate, then click. ... Export the certificate in PEM format.

TellSubway