03-11-2025 10:53 AM - edited 03-11-2025 11:56 AM
Can someone please tell me if this is possible? This is on 11.1.6. This worked fine in 9.1 on our previous Panorama but is not working in 11.1.6 on our newer one.
What I need is to be able to allow users to log in via SAML and get RO access to Panorama and allow them to context switch to the firewalls and get read-only there as well. I have a SAML auth profile and a local admin profile (device-ro-role on each local firewall) to allow device context switching already but am unable to make it work. In the past we created the admin profiles and assigned that role to them. But in 11.1.6 I cannot select the admin profiles; they simply don't show up in the drop-down menu after selecting the SAML auth profile > admin type custom Panorama admin and then profile.
Part of this is my mistake: I had to change the admin profile to Panorama, which allowed me to select it. But when I do that and add the device admin role (which is configured on all the firewalls) and then log in using my SAML account, I get admin access, and when I try to context switch it tells me 'Device Admin Role for this role based admin has not been defined.' So this is broken, as it's not giving me read-only access and it's not allowing me to context switch.
PAN admin role:
Local device role (pushed via global template):
04-01-2025 09:15 PM
Hello @drewdown
It is documented in the KB https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LlvCAE&lang=en_US%E2%80%A...
Olivier
PCSNE - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.