Follow the steps below to add a DualShield SAML IDP configuration to Palo Alto
Create Identity Provider Server Profile.
Under the Device tab, go to Server Profiles > SAML Identity Provider and click Import at the bottom of the page.
In the SAML Identity Provider Server Profile, enter the following information:

| Option | Value |
|---|---|
| Profile Name | Enter a descriptive name |
| IDP Metadata | Click Browse and upload the IdP metadata file you obtained from the DualShield Administration Console |
| Validation check boxes | Uncheck the Validate Identity Provider Certificate and Validate Metadata Signature boxes |
| Maximum Clock Skew | 60 |

Note: with Validate Metadata Signature unchecked, the firewall accepts the metadata file as-is, and with Validate Identity Provider Certificate unchecked it does not check the IdP signing certificate against a certificate profile. Before committing, compare the signing certificate in the uploaded metadata with the one shown in the DualShield Administration Console. Palo Alto Networks recommends enabling Validate Identity Provider Certificate together with a certificate profile where possible; leaving it disabled was the precondition for the PAN-OS SAML authentication bypass CVE-2020-2021 on unpatched versions.

Click OK.

If the import was successful, the imported settings (entity ID, SSO URL, certificate) should display under the Identity Provider Server Profile.
Add Authentication Profile.
Remaining under the Device tab, navigate to Authentication Profile.
Click Add at the bottom of the page.
In the Authentication Profile, enter the following information:

| Option | Value |
|---|---|
| Profile Name | Enter a descriptive name |
| Type | SAML |
| IdP Server Profile | Select the IdP Server Profile created in the previous section from the dropdown menu |
| Certificate for Signing Requests | Import Root CA certificate |
| Enable Single Logout (optional) | Check this option to enable SLO |
| Certificate Profile | None |
| Username Attribute | username |
Select the Advanced tab in the Authentication Profile and add the users or groups that are allowed to authenticate (the Allow List); users not on this list are refused even if the IdP authenticates them. Click OK to save the authentication profile.

Click Commit to commit these changes.