Enabling SSO on Aperture requires information from your IdP. The following section describes how to add Aperture as an application on your IdP and then use information from your IdP to configure SSO on Aperture. Okta is used as the IdP.
You should have a working knowledge of:
Active Directory User-id feature on the Palo Alto Networks firewall
The information in this document is based on these software and hardware versions:
Palo Alto Networks VM firewall running PAN-OS 7.1
Active Directory services running on Microsoft Windows Server 2012 R2, configured as a domain controller
The information in this document was created from the devices in a specific lab environment. If your network is live, make sure that you understand the potential impact of any command.
The Palo Alto Networks firewall uses the domain map to store the fully qualified Active Directory domain name (FQDN) and its equivalent NetBIOS domain name. The map is used to normalize, or convert, usernames and group names from the FQDN format to the corresponding NetBIOS domain name format.
For example, if the domain 'paloaltonetworks.com' is the FQDN, its equivalent NetBIOS domain name is 'paloaltonetworks'.
In an Active Directory environment, a user who is a member of this domain will have the username paloaltonetworks\username.
Let us take a deeper look at how the firewall retrieves the NetBIOS domain name from the Active Directory domain controllers, populates the domain map and then uses it to convert FQDN names to NetBIOS names.
For simplicity and ease of illustration, we'll break the workflow into three phases.
PHASE 1: Retrieving the NetBIOS domain name
The firewall requests the NetBIOS domain name as part of the LDAP partition query it sends during the LDAP refresh, populates its domain map and writes the entry into the dnsnetbios.map file.
Fetched through the LDAP connection on port 389/636 (not the Global Catalog ports 3268 or 3269).
All domain controllers should have this information.
Location: LDAP://CN=Partitions,CN=Configuration,DC=<DomainName>,DC=<local|com>
ADSI Edit: connect to "Configuration" (ADSI - Active Directory Service Interfaces)
Here's the LDAP partition query response from the Active Directory domain controller to the firewall, showing the following:
Target of the query - CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com
FQDN - 'test.kunaldc.com'
NetBIOS domain name - 'test'
PHASE 2: Storing the NetBIOS domain name
The 'dnsnetbios.map' file, which contains the FQDN and its NetBIOS domain name, is stored internally in the Linux-based directory structure on the firewall.
You can view the domain map from the firewall command line using 'debug user-id dump domain-map'.
The domain map persists across a device reload, even when you have deleted the group mapping profile for the respective domain.
Along with this, any NetBIOS domain name once learned on the firewall continues to persist unless it is explicitly removed with the CLI command 'debug user-id clear domain-map'.
PHASE 3: Applying the NetBIOS domain name to user groups and the members of these groups
The objective of the NetBIOS name is to:
1. Convert the 'fqdn\username' format to the NetBIOS domain name format, i.e. 'netbios\username'
Eg: The user testuser is a member of the Active Directory domain 'test.kunaldc.com'. Its FQDN name format is 'test.kunaldc.com\testuser'.
Once the firewall learns the NetBIOS name of the Active Directory domain, it converts all usernames in the FQDN format to the NetBIOS name format.
Hence the FQDN username format 'test.kunaldc.com\testuser' is converted to 'test\testuser'.
2. Normalize the groups from the full DN format to the short name format
In the absence of a domain map, all AD groups are recognized in their full domain name format.
A group named sme_group whose full DN is 'cn=sme_group,ou=tier2,ou=networking,ou=apac,ou=tac2,dc=test,dc=kunaldc,dc=com' is converted into 'test\sme_group'.
Similarly, a user who is a member of sme_group and of the Active Directory domain 'test.kunaldc.com' is also transformed from 'test.kunaldc.com\testuser' to 'test\testuser'.
1. The PAN firewall applies the normalization to users retrieved through the IP-user mapping mechanisms (methods such as the User-ID agent, agentless User-ID, syslog, the XML API, etc.) as well as to users retrieved from Active Directory domain controllers via LDAP.
2. The domain map is not synchronized between the active and passive firewalls in an Active-Passive HA setup. The passive device must at some point serve as the active device in the HA pair in order to connect to the Active Directory server and fetch the NetBIOS domain name via the LDAP partition query.
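The Phase 3 normalization described above, as an added example that is not part of the original article or of PAN-OS itself: a constructed domain map for the lab domain 'test.kunaldc.com' and two functions that convert a 'fqdn\user' name and a full group DN to their NetBIOS short forms, leaving any name whose domain has no map entry unchanged.

```python
# Constructed domain map, as the firewall would fill it from the LDAP partition
# query described in Phase 1: fqdn -> netbios domain name. 'test.kunaldc.com'
# is the lab domain used in this article; entries are keyed in lower case.
DOMAIN_MAP = {"test.kunaldc.com": "test"}


def normalize_user(name, domain_map=DOMAIN_MAP):
    """Convert 'fqdn\\user' to 'netbios\\user'.

    A name without a domain, or with a domain that has no domain-map entry,
    is returned unchanged, which mirrors the firewall keeping the long form
    until the netbios name has been learned."""
    if "\\" not in name:
        return name
    domain, user = name.split("\\", 1)
    netbios = domain_map.get(domain.lower())
    return f"{netbios}\\{user}" if netbios else name


def normalize_group(dn, domain_map=DOMAIN_MAP):
    """Convert a full group DN to 'netbios\\cn' (the Phase 3 short form).

    The FQDN is rebuilt from the dc= components of the DN; the first cn= is
    the group name. Without a matching domain-map entry the full DN is kept."""
    parts = [p.strip() for p in dn.split(",")]
    cns = [p.split("=", 1)[1] for p in parts if p.lower().startswith("cn=")]
    dcs = [p.split("=", 1)[1] for p in parts if p.lower().startswith("dc=")]
    if not cns or not dcs:
        return dn
    netbios = domain_map.get(".".join(dcs).lower())
    return f"{netbios}\\{cns[0]}" if netbios else dn
```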
In PAN-OS, we can create address objects which can be further grouped into address groups. The most common method is to use a 'static' type address group. However, the 'dynamic' type address group allows for easier management along with scalability.
Review the example below of a list of address objects:
Notice the tag on some objects. This will be relevant later.
Now, if we were to create a static address group, we'd pick the address objects we want to add.
This is perfectly fine for use in policies, but imagine having to manage hundreds (if not thousands) of address objects with constant additions, deletions, etc.
Note: For every address object you add or remove, you would have to include or exclude it in each address group where that address object is used. This quickly becomes cumbersome and makes the configuration prone to (manual) errors.
This is where 'Dynamic' address groups can shine.
By using tags when defining the address objects, we can create an address group with a simple match criterion. This is much more flexible, since any addition or deletion only requires a change on the address object side. The groups can remain untouched!
Let's look at the following demonstration.
Using the same list of address objects as before, we'll create a dynamic address group.
Commit the changes and then click 'more' to view the entries in the group:
Only the objects tagged 'Intranet' were included in this group.
This is where the tags become useful. For this implementation of a dynamic address group, make sure to create each address object (or address group, if you wish to use a group within another group) with one or more tags.
You can type in a new tag or choose an existing one from the drop-down.
You can create tags on the fly (see the image above) or via Objects->Tags.
Moreover, we can have nested address groups with little to no additional overhead, other than adding, removing or editing the objects themselves.
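The tag-based match criteria above, as an added example that is not the firewall's own code: a small evaluator over constructed address objects that resolves a dynamic address group's membership for a match expression built from quoted tag names and the operators and/or/not (the syntax assumed here; parentheses are deliberately rejected rather than silently ignored).

```python
import re

# Constructed address objects, name -> tag set, in the spirit of the article's list.
ADDRESS_OBJECTS = {
    "web-srv-01": {"Intranet", "Web"},
    "db-srv-01": {"Intranet", "DB"},
    "partner-gw": {"Extranet"},
    "legacy-app": set(),
}

# A token is a quoted tag name or one of the operators and/or/not (any case).
_TOKEN = re.compile(r"'([^']*)'|\b(and|or|not)\b", re.IGNORECASE)


def compile_criteria(expr):
    """Turn match criteria such as "'Intranet' and not 'DB'" into a predicate
    over a tag set. Precedence, tightest first: not, and, or. Parentheses are
    rejected rather than silently ignored (assumed simplification)."""
    if _TOKEN.sub("", expr).strip():
        raise ValueError("unsupported syntax in " + repr(expr))
    toks = [(m.group(1), (m.group(2) or "").lower()) for m in _TOKEN.finditer(expr)]
    disjuncts, conj, negate, expect_tag = [], [], False, True
    for tag, op in toks:
        if op == "not" and expect_tag:
            negate = not negate
        elif op in ("and", "or") and not expect_tag:
            if op == "or":  # close the current conjunction
                disjuncts.append(conj)
                conj = []
            expect_tag = True
        elif tag is not None and expect_tag:
            conj.append((tag, negate))  # (tag name, negated?)
            negate, expect_tag = False, False
        else:
            raise ValueError("unexpected " + repr(op or tag) + " in " + repr(expr))
    if expect_tag:
        raise ValueError("incomplete expression: " + repr(expr))
    disjuncts.append(conj)
    return lambda tags: any(all((t in tags) != neg for t, neg in c) for c in disjuncts)


def resolve_dynamic_group(match_criteria, objects=ADDRESS_OBJECTS):
    """Names of the address objects whose tags satisfy the group's match criteria."""
    pred = compile_criteria(match_criteria)
    return sorted(name for name, tags in objects.items() if pred(tags))
```

Adding or retagging an object changes the resolved membership without touching the group definition, which is the management advantage the article describes.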
Hopefully, this document helped you in making a smarter and more efficient configuration design.