Follow the steps below to add a DualShield SAML IDP configuration to Palo Alto
Create Identity Provider Server Profile.
Under Device tab go to Server Profiles > SAML Identity Provider and click on Import at the bottom
In the SAML Identity Provider Server Profile, enter the following information:
| Option | Value |
|---|---|
| Profile Name | Enter a descriptive name |
| IDP Metadata | Click Browse and upload the IDP metadata file you obtained from the DualShield Administration Console |
| Validatation check boxes | Uncheck Validate IDP Certificate and Metadata Signature boxes |
| Maximum Clock Skew | 60 |
Click on OK.
If import was successful the correct settings should display under the Identity Provider Service Profile:
Add Authetication Profile.
Remaining under the Device tab, navigate to Authentication Profile
Click ADD at the bottom of the page
In the Authentication Profile, enter the following information:
| Option | Value |
|---|---|
| Profile Name | Enter a descriptive name |
| Type | SAML |
| IdP Server Profile | Select the IDP Server Profile created in previous section from the dropdown menu. |
| Certificate for Signing Requests | Import Root CA certificate |
| Enable Single Logout (optional) | Check this option in order to enable SLO |
| Certificate Profile | None |
| Username Attribute | username |
Select the Advanced tab in the Authentication Profile, and add the users/groups that are allowed to authenticate:
Click OK to save the authentication profile.
Click on Commit to commit these changes.