Palo Alto Next-Gen Firewalls V11.x - SSO Configuration
This application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk.
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Palo Alto Next-Gen Firewalls V11.x using Multi-Pass. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To configure Multi-Pass SSO with Palo Alto Firewalls, ensure you meet the following requirements:
- Palo Alto Firewall Administrator access
- MPAS Admin rights
- All users intended to use SSO in Palo Alto must be registered in your IdP and have the necessary permissions.
Important: Custom elements in URLs (like IP addresses or tenant names) are case sensitive. Match the exact casing from your environment.
- Palo Alto Firewall Administrator access
- MPAS Admin rights
- All users intended to use SSO in Palo Alto must be registered in your IdP and have the necessary permissions.
Important: Custom elements in URLs (like IP addresses or tenant names) are case sensitive. Match the exact casing from your environment.
Palo Alto Next-Gen Firewalls V11.x - SSO Configuration
Step 1 - Obtain Tenant XML Metadata from Multi-Pass (IdP)
- Open Multi-Pass Dashboard
- Select the correct tenant and go to Integrations, then click on Applications.
- Select SAML under the custom integration section.
- Select Download under Tenant XML Data and save the file locally.
Step 2 - Configure Palo Alto as the Service Provider (SP)
- Log into the Palo Alto Firewall as an Administrator.
- Navigate to Device > Server Profiles > SAML Identity Provider > Import.
- If unavailable, browse to Panorama > Server Profiles > SAML Identity Provider.
- Set the Profile Name to KZero Passwordless.
- Select Browse and upload the Tenant Metadata file from Step 1.
- Ensure all fields populate correctly, unselect Validate Identity Provider Certificate, then click OK.
- Go to Device > Authentication Profile and select Add.
- Set the Name to KZero Passwordless and Authentication Type to SAML.
- Select the SAML IDP Server Profile named KZero Passwordless.
- Set the Username Attribute to
username. - Under the Advanced tab, select Allow List and include all users or specific groups as required.
- Click OK to save the profile.
Step 3 - Complete the Configuration of Multi-Pass (IdP)
- Open Multi-Pass Dashboard
- Select the correct tenant and go to Integrations, then click on Applications.
- Select SAML in the custom integration section.
- Confirm or complete the remaining fields based on the table below:
| Field | Value |
|---|---|
| Client ID (=SP Entity ID) | https://IP-address:443/SAML20/SP |
| Name | paloaltofirewall |
| Description | Palo Alto Firewall SSO Integration |
| Assertion Consumer Service URL | https://IP-address:443/SAML20/SP/ACS |
| NameID Policy Format | Username |
- Go to the Advanced Console by clicking on the left side of your screen
- Click on Client and use the search bar to look for Palo Alto
- Ensure all the fields are populated based on the tables below
General settings (Multi-Pass)
| Field | Value |
|---|---|
| Client ID | https://IP-address:443/SAML20/SP/ACS |
| Name | paloaltofirewall |
| Description | https://IP-address:443/SAML20/SP/ACS |
| Always display in UI | OFF |
Access settings (Multi-Pass)
| Field | Value |
|---|---|
| Home URL (IdP-initiated) | https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/clients/<APP_NAME> |
| Valid Redirect URIs (ACS) | https://IP-address:443/SAML20/SP/ACS |
| IDP-Initiated SSO URL Name | <APP_NAME> |
SAML Capabilities
| Setting | Value |
|---|---|
| Name ID Format | username |
| Force Name ID Format | OFF |
| Force POST Binding | ON |
| Include AuthnStatement | ON |
Signature & Encryption
| Setting | Value |
|---|---|
| Sign Documents | ON |
| Sign Assertions | ON |
- Move to the tab labeled Keys and ensure that both parameters are set to OFF
- Go to the Advanced Tab
- Confirm the Assertion Consumer Service POST Binding
URL is https://IP-address:443/SAML20/SP/ACS(Should be the same value as Valid redirect URI under Access Settings)
Related Articles
SAML SSO Integration Guide
This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP). Multi-Pass acts as the Identity Provider (IdP) in this federation model. Multi-Pass is working on SCIM support ...D2L Brightspace - SSO Integration
This application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a step-by-step guide to ...Mulesoft - SSO Integration
This application has been formally tested by Kelvin Zero Inc. This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Mulesoft using Multi-Pass. SSO simplifies user authentication by allowing access to multiple ...Slack - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...BambooHR - SSO Configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Bamboo HR using MPAS. SSO simplifies user authentication by allowing access to multiple ...