What is source of SSO and how to stop it


L4 Transporter

Domain-joined PC, ADFS in the environment, hybrid Azure AD setup, authentication policy on Palo set up to use CIE (Cloud Identity Engine) with identities synced from Azure AD and on-prem AD.

Whenever I clear the user-IP mapping from the cache and try to test, I can see that the authentication policy gets hit, as the captive portal redirect happens. But it does not prompt for authentication and instead redirects back to the website.

Firewall shows it learned identity from SSO. I want to block this and want it to trigger authentication.

10.92.16.100 is the firewall management IP

[attached screenshot: image.png]


L6 Presenter

If you use the CIE with the SCIM connector, wouldn't the CIE just pull the data from Azure AD and then feed it to your firewalls, so that no matter what you will have a user-to-IP mapping?

 

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-scim-connector...

 

https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/choose-direct...


Also, if you use SAML on the firewalls the same will happen: when the user authenticates to Azure AD with SAML, the SAML assertion will simply be trusted by the firewall when it is signed with the Azure AD SSL cert, and this assertion has username and AD group attributes that the firewall will auto-ingest.


https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-rele...


Also, just in case you need to clear not only the dataplane cache but also the management-plane User-ID cache:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clq8CAC
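The reply above explains that mappings learned from SSO (SAML or CIE) are trusted as a User-ID source and will keep pre-empting the captive portal, and links a KB article on clearing both the dataplane and management-plane caches. The following is an added example, not code from the thread or from Palo Alto Networks: it parses the text output of the PAN-OS operator command `show user ip-user-mapping all`, picks out only the mappings whose source column is `SSO`, and emits the per-IP `clear user-cache` / `clear user-cache-mp` commands for exactly those entries, so the rest of the User-ID table is left alone while testing. The column layout, the `SSO` source label, the sample rows and the exact syntax of the clear commands are assumptions for illustration; check them against the KB article and your PAN-OS version.

```python
"""
Added example (not part of the original thread): find User-ID mappings whose
source is SSO in `show user ip-user-mapping all` output and build the CLI
commands that clear only those IPs from the dataplane and management-plane
caches.

Assumptions (not confirmed by the thread):
  - output columns are IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)
  - the sample output below is constructed, not captured from a firewall
  - `clear user-cache ip <ip/mask>` clears the dataplane entry and
    `clear user-cache-mp ip <ip/mask>` the management-plane entry
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample shaped like `show user ip-user-mapping all` output.
# 10.92.16.100 is the firewall management IP mentioned in the post.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.92.16.100    vsys1  UIA     corp\\svc-userid                  2400           2700
10.92.20.15     vsys1  SSO     corp\\jdoe                        2651           2700
10.92.20.16     vsys1  CP      corp\\asmith                      1800           2700
10.92.20.17     vsys1  SSO     corp\\mlee                        2699           2700
Total: 4 users
"""


@dataclass(frozen=True)
class Mapping:
    ip: str
    vsys: str
    source: str       # the "From" column: UIA, SSO, CP, GP, XMLAPI, ...
    user: str
    idle_timeout: int
    max_timeout: int


# One data row: IPv4, vsys, source, user, two integer timeouts.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def parse_mappings(text: str) -> List[Mapping]:
    """Parse data rows; the header, separator and 'Total:' trailer do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Mapping(m["ip"], m["vsys"], m["src"], m["user"],
                                int(m["idle"]), int(m["max"])))
    return rows


def mappings_from(mappings: List[Mapping], source: str = "SSO") -> List[Mapping]:
    """Return only the mappings learned from the given User-ID source."""
    return [m for m in mappings if m.source.upper() == source.upper()]


def clear_commands(mappings: List[Mapping]) -> List[str]:
    """Per-IP clear commands for both caches (syntax assumed; verify on your version)."""
    cmds = []
    for m in mappings:
        cmds.append(f"clear user-cache ip {m.ip}/32")
        cmds.append(f"clear user-cache-mp ip {m.ip}/32")
    return cmds


if __name__ == "__main__":
    sso = mappings_from(parse_mappings(SAMPLE_OUTPUT))
    for m in sso:
        print(f"{m.ip:<16} {m.user:<24} learned from {m.source}")
    print("\n".join(clear_commands(sso)))
```

Running it against the constructed sample reports the two `SSO` rows and four clear commands; the `UIA` and `CP` rows (the User-ID agent mapping for the management IP and an existing captive portal login) are untouched. Clearing the entries only buys a window for the test: as the reply notes, the next SAML or CIE login will repopulate them unless that source is removed from the User-ID configuration.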

 
