Enabling SSO on Aperture requires information from your IDP. The following section provides details on how to add Aperture as an Application on your IDP and then using information from your IDP to configure SSO on Aperture. Okta is used as IDP.
Starting from PAN-OS 8.0, we have an option to have a secure communication, with the help of certificates, between the firewall and the User-ID Agent.
NOTE: This requires the firewall to be on PAN-OS 8.0 (or later) as well as the User-ID agent to be on 8.0 (or later).
In this process, the UIA (User-ID Agent) will present a certificate to the firewall to validate. The firewall will check this certificate as per the certification profile configured. If it passes all the checks in the certificate profile, the firewall will accept the connection from the UIA. This can ensure safety against "rogue" UIAs.
Here's a step-by-setup walkthrough to configure this:
1. Launch the UIA, you should see a new option called 'Server Certificate':
2. We need to create a new CSR for the UIA and get it signed by either an external CA, in-house CA or a self-signed certificate present in the firewall. (Note: We will need the CA certificate to be present on the firewall so we can use it in the Certificate profile and validate the UIA's certificate).
3. Once we have a certificate, we can import it in the UIA along with its private key. Make sure to commit the configuration.
4. Create a new certificate profile and use the CA used to sign the UIA's CSR.
5. You should see a new tab under Device >User Identification, called 'Connection Security':
6. Choose the certificate profile created in step 4.
7. If the commit goes well, you should see the UIA connected successfully with the firewall.
If an incorrect or no certificate is present on the UIA while Connection Security is enabled on the firewall, you will see the following log entry in the System (and userid) logs:
For the same failure, on the agent, you would see the following logs (under Monitoring->Logs):
Hope this helped. Stay safe!
Our Solutions Engineers in the Live Community present key features in 20 different articles and videos to help you learn about PAN-OS 7.1. This list shows available resources that examine and present key components of this PAN-OS release.
A new PAN-OS 7.1 feature allows customers to add a custom list of domains to use with the sinkhole functionality in the Anti-Spyware Profile. This feature is supported on all PAN-OS devices, including M-100, M-500, and Panorama VM, running PAN-OS 7.1 or later.