04-07-2026 12:42 PM
Hello LiveCommunity Team!
I created this post to share my experience regarding an issue involving a SAML-Based Administrator in Panorama (11.1.10-h10).
- An administrator successfully logs in to the Panorama GUI, assuming the custom Admin Role "fullaccessdomain"—with full permissions—based on the SAML assertion message, via the attribute and statement defined in Azure, as detailed below:
PANORAMA ADMIN USER LOGIN & ADMIN ROLE ASSIGNMENT
However, the administrator user cannot view other administrators, generate Technical Support Files (TSFs), or shut down/restart the Panorama device, as indicated below:
PANORAMA ADMIN USER CANNOT SEE OTHER ADMINISTRATORS
PANORAMA ADMIN USER CANNOT GENERATE TECH SUPPORT FILES (TSFs)
PANORAMA ADMIN USER CANNOT SHUTDOWN & REBOOT THE PANORAMA
The following is the Panorama Admin User configuration:
PANORAMA ADMIN USER CONFIGURATION WITH CUSTOM PANORAMA ADMIN
PANORAMA ADMIN USER WITH DYNAMIC SUPERUSER
- Even though we have assigned the Dynamic Role of Superuser to the Admin User, the User will not be able to see all the options described above.
PANORAMA AUTHENTICATION PROFILE WITH SAML AUTHENTICATION
We verified the custom Admin Role, and it possesses full permissions for the WebUI as well as the Azure environment where Panorama received the SAML Assertion message indicating that the Admin Role had been successfully assigned as "fullaccessdomain".
PANORAMA CUSTOM ADMIN ROLE FULLACCESSDOMAIN
We attempted to remove the `adminrole` value from the Admin Role Attribute in the SAML-based Authentication Profile to prefer the Dynamic Superuser Role, as in the previous image; however, the administrator user is then unable to log in to Panorama, and the following message is displayed under Monitor > System:
PANORAMA SYSTEM ERROR AUTH PROFILE WITHOUT Admin Role Attribute
Conclusions:
- SAML-based administrators need to receive the Admin Role Attribute referenced in the SAML Authentication Profile, as well as in the defined Admin Attribute in the Attributes & Claims section of the Azure environment.
- SAML-based administrators utilizing an Admin Role are expected to be unable to view other administrators, generate technical support files, or shut down/restart the Panorama device, even if they hold a full-permissions Admin Role, because it is a Custom Panorama Admin.
- According to the following Panorama Admin Guide, this is expected behavior:
Administrative Roles
" Custom Panorama admin roles have the following limitations:
- To enable these hidden options, we created a Local Administrator User with the Dynamic Superuser Role, and the problem was resolved.
Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this as a useful post; it would help me a lot in becoming a CyberElite!
Best Regards,
Daniel Romero
Senior Network/Security Engineer
PANW Partner
Panorama NGFW
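Added example, not part of the original post and not Palo Alto Networks code: a small Python check that a decoded SAML assertion carries the Admin Role Attribute named in the authentication profile, as the first conclusion above requires. The sample assertion is constructed; the `adminrole` name and `fullaccessdomain` value come from the post, while the `username` attribute and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not captured from a real IdP); role name/value follow the post.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>admin@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="adminrole">
      <saml:AttributeValue>fullaccessdomain</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from a decoded SAML 2.0 assertion.

    Troubleshooting aid only: it does not verify the assertion signature.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_admin_role(xml_text, role_attribute, expected_role):
    """Compare the assertion with the Admin Role Attribute name in the profile."""
    attrs = assertion_attributes(xml_text)
    if role_attribute not in attrs:
        # The IdP sent no attribute with the name the profile expects.
        return "missing", sorted(attrs)
    if expected_role not in attrs[role_attribute]:
        # Attribute present, but it does not carry the expected role name.
        return "mismatch", attrs[role_attribute]
    return "ok", attrs[role_attribute]


if __name__ == "__main__":
    print(check_admin_role(SAMPLE_ASSERTION, "adminrole", "fullaccessdomain"))
    # Hypothetical misnamed attribute in the profile: reported as missing.
    print(check_admin_role(SAMPLE_ASSERTION, "admin-role", "fullaccessdomain"))
```
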

