PAN-OS 8.0 introduced a new authentication profile called SAML, but what is so special about it?
Authentication protocols like LDAP, Kerberos and RADIUS have been around since before the dot-com bubble. They are reliable and common in any network environment, but with the emergence of web-based applications, Single Sign-On (SSO) and multi-factor authentication (MFA), they have somewhat fallen behind in flexibility.
In traditional authentication, these protocols cannot be combined, so they need to be stacked sequentially, sometimes leading to collisions. SAML solves this problem.
SAML provides a new layer of authentication independent of the backend protocols or, for example, domain membership. It gives a user web-based Single Sign-On across multiple entities and also federated identity across multiple Service Providers. Federated identity allows Service Providers to refer to a single user even if each Service Provider knows this user differently (e.g. LDAP domain A + RADIUS domain B + LDAP domain C).
To help us get better acquainted with SAML, Vignesh Sathiamoorthy, a Senior Technical Marketing Engineer from our product management team, has been kind enough to write up a comprehensive introduction: