Palo Alto 10 SAML Integration

Overview

This article covers the integration between Swivel Secure AuthControl Sentry and the Palo Alto Networks (PAN) Next-Generation Firewall. The integration is based upon SAML 2.0, with AuthControl Sentry acting as the Identity Provider and the Palo Alto Next-Generation Firewall acting as the Service Provider.

Pre-requisites

  • Swivel Secure appliance version 4.1 with basic deployment completed
  • Palo Alto Networks Next-Generation Firewall (PAN OS v10) with basic deployment completed
  • Valid Swivel Secure software license or subscription
  • Valid Palo Alto Networks GlobalProtect Portal software license
  • Valid SSL certificates to protect the AuthControl Sentry and Palo Alto Networks Next-Generation Firewall

Deployment Tasks - AuthControl Sentry

Define new Application in AuthControl Sentry

In the AuthControl Sentry SSO GUI, define the Palo Alto Application:

_images/PANOS10SAMLPicture1.png

As a guide, the following values can be set:

Portal URL: https://<paloalto_hostname>

Endpoint URL: https://<paloalto_hostname>/SAML20/SP/ACS

Entity ID: https://<paloalto_hostname>:443/SAML20/SP

Federated ID: username

Once saved, the Palo Alto icon will appear in the IdP Login Start Page for IdP initiated logins:

_images/PANOS10SAMLPicture2.png

Download IdP Metadata from AuthControl Sentry

Swivel Secure AuthControl Sentry works as an Identity Provider. To enable service providers such as the Palo Alto NGFW to use the IdP, the IdP metadata is provided in XML format. You can import this metadata into the Firewall to register Swivel Secure and create an IdP server profile for it within the Firewall. The server profile defines how to connect to the IdP and specifies the certificate that the IdP uses to sign SAML assertions.

In the Sentry SSO Web GUI (running on port 8443), right click on the ‘View IdP Metadata’ left hand menu option and ‘Save As’ an XML file e.g. GeneratedMetadata.xml. We will upload this to the Firewall in a moment.

_images/PANOS10SAMLPicture3.png

Obtain the IdP Certificate

In addition to the IdP metadata, the Palo Alto Networks Firewall requires the IdP certificate in order to create a SAML IdP Server Profile. Obtain the IdP certificate from the Sentry SSO Web GUI (running on port 8443) -> Keys menu.

_images/PANOS10SAMLPicture5.png

Download the Public Key and Cert key from the GUI. To obtain the private key, access the AuthControl Sentry appliance directory /home/swivel/.swivel/sentry/keys (use WinSCP or similar to access it).

Deployment Tasks - Palo Alto Networks NGFW

Create a User Group in the Palo Alto

In the Palo Alto, create a group of users that will be using the Portal:

_images/PANOS10SAMLPicture6.png

Create a SAML IdP Server Profile

Using the metadata XML file previously exported from the AuthControl Sentry SSO GUI, create a new Server Profile in the Palo Alto. Import the XML file by selecting Device -> Server Profiles -> SAML Identity Provider. Click the Import button at the bottom of the screen.

_images/PANOS10SAMLPicture7.png

Profile Name: e.g. SwivelSecureIDP

Identity Provider Metadata: browse for the metadata XML file. We recommend that the checkbox ‘Validate Identity Provider Certificate’ is checked.

Be aware of the maximum clock skew. This is the difference allowed (in seconds) between the IdP and Firewall system time during SAML validation. If the time difference is exceeded, then authentication will fail.

Click OK to save the profile. Note: the certificate validation process only occurs when the server profile is assigned to an authentication profile.

View the server profile by clicking the name in the list of SAML Identity Providers:

_images/PANOS10SAMLPicture8.png

Verify that the information is correct and, if necessary, make any modifications. The FQDN in these URLs should be valid. If it is not, log in to the Swivel Secure CMI -> Main Menu -> Appliance -> Sentry and set the Base URL correctly. Then export the IdP metadata again and repeat these steps to create a new server profile.
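The FQDN check described above can be made on the exported file before it is imported. The following is an added example, not part of this article or of either vendor's software: it parses a constructed metadata file shaped like GeneratedMetadata.xml (hostnames, paths and certificate bytes are placeholders), flags any entityID or endpoint Location whose host differs from the Sentry Base URL host, and computes the SHA-256 fingerprint of the signing certificate so it can be compared with the PEM downloaded from the Keys menu before that PEM is imported into the Firewall.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the exported GeneratedMetadata.xml: hostnames, paths and the
# certificate body are placeholders, not real Sentry values.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sentry.example.internal:8443/sentry/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://sentry.example.internal:8443/sentry/saml"/>
    <md:SingleLogoutService Location="https://localhost:8443/sentry/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# The same certificate as the PEM downloaded from the Keys menu would present it.
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"

def pem_fingerprint(pem: str) -> str:
    """SHA-256 (hex) of the DER bytes inside a PEM certificate."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def check_idp_metadata(xml_text: str, base_host: str) -> dict:
    """base_host is host[:port] of the Sentry Base URL (CMI -> Appliance -> Sentry).
    Returns the entityID, endpoint URLs, signing-cert fingerprint and a list of problems."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    result = {"entity_id": root.get("entityID"), "endpoints": {}, "problems": []}
    if urlparse(result["entity_id"]).netloc != base_host:
        result["problems"].append(f"entityID {result['entity_id']} is not on {base_host}")
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for svc in idp.findall(f"md:{tag}", NS):
            loc = svc.get("Location")
            result["endpoints"][tag] = loc
            if urlparse(loc).netloc != base_host:  # e.g. localhost left over from a wrong Base URL
                result["problems"].append(f"{tag} Location {loc} is not on {base_host}")
    cert = idp.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                        namespaces=NS)
    if cert is None:
        result["problems"].append("no signing certificate in metadata")
        return result
    result["cert_sha256"] = hashlib.sha256(base64.b64decode(cert.strip())).hexdigest()
    return result
```

A fingerprint mismatch between the metadata and the PEM means the Firewall would import a certificate other than the one that signs the assertions, which surfaces later as a certificate error in the system logs.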

Import and assign the IdP certificate

Import the PEM certificate previously downloaded, under Certificate Management -> Certificates of the Palo Alto:

_images/PANOS10SAMLPicture9.png

Assign the certificate to the SAML Identity Provider Server Profile you created earlier:

_images/PANOS10SAMLPicture10.png

Configure an Authentication Profile

On the Palo Alto, go to Device -> Authentication Profile.

In this example we configure an Authentication Profile with the following settings:

Name: SwivelSecureAuthProfSAML

Type: SAML

IdP Server Profile: SwivelSecureIDP (as previously configured)

Certificate for Signing Requests: You can import a certificate generated by your enterprise CA or generate a certificate using the root CA generated on the Firewall or Panorama.

Enable Single Logout: Enabled

Certificate Profile: SwivelSecureCertProfile (the certificate profile containing the IdP certificate taken from AuthControl Sentry)

_images/PANOS10SAMLPicture11.png

Under the Advanced tab, assign the users that can use Swivel Secure:

_images/PANOS10SAMLPicture12.png

Click OK to save the Authentication Profile.

_images/PANOS10SAMLPicture13.png

Setup GlobalProtect Portal

If a portal does not already exist, go to Network -> GlobalProtect -> Portals and click the Add button.

Associate the portal with the DMZ interface:

_images/PANOS10SAMLPicture14.png

Assign the Authentication Profile

Inside the GlobalProtect Portal configuration, select the Authentication tab. Set up Client Authentication against the Authentication Profile, e.g. associate the SwivelSecureAuthProfSAML profile created earlier:

_images/PANOS10SAMLPicture15.png

_images/PANOS10SAMLPicture16.png

Enable Clientless VPN

This requires the correct Palo Alto Networks license to work. Enable the Clientless VPN option under the Clientless VPN -> General tab. Ensure that the hostname has the correct FQDN:

_images/PANOS10SAMLPicture17.png

Save configurations and commit

After all the changes are made in the Palo Alto, save the configuration and click Commit to apply the changes:

_images/PANOS10SAMLPicture18.png

Test the Integration

IdP initiated login via AuthControl Sentry SSO

Visit the Sentry Start Page https://<AuthControlSentryHostname>/sentry and click the Palo Alto icon:

_images/PANOS10SAMLPicture19.png

Enter your username when prompted and log in with your user account:

_images/PANOS10SAMLPicture20.png

You should be redirected to the Palo Alto GlobalProtect Portal home page (as defined in the Palo Alto Response Pages screen):

_images/PANOS10SAMLPicture21.png

Troubleshooting

Palo Alto Logs

Review the system logs for SAML assertion errors such as a mismatching username attribute, certificate or entityID.

_images/PANOS10SAMLPicture22.png
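To see what those log entries correspond to, here is an added example that is not part of this article or of either product: it runs the checks a Service Provider applies to a SAML response (Destination against the ACS URL, Issuer against the IdP entityID, Audience against the SP entityID, presence of the NameID carrying the Federated ID username, and the Conditions window against the maximum clock skew) over a constructed, unsigned sample response with placeholder hostnames. Signature verification against the imported certificate is not included.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample in the shape of the response the IdP posts to the ACS URL;
# hostnames, paths and the username are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://gp.example.internal/SAML20/SP/ACS">
  <saml:Assertion>
    <saml:Issuer>https://sentry.example.internal:8443/sentry/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://gp.example.internal:443/SAML20/SP</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# What the Firewall's SAML IdP server profile and the Sentry application definition hold.
EXPECTED = {"idp_entity_id": "https://sentry.example.internal:8443/sentry/saml",
            "acs_url": "https://gp.example.internal/SAML20/SP/ACS",
            "sp_entity_id": "https://gp.example.internal:443/SAML20/SP"}

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text: str, expected: dict, now: datetime, max_skew_s: int = 60) -> list:
    """Return findings mirroring the log errors above; an empty list means the checks pass.
    Signature validation against the imported IdP certificate is left to the Firewall."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    findings = []
    if resp.get("Destination") != expected["acs_url"]:
        findings.append(f"Destination {resp.get('Destination')} != ACS URL {expected['acs_url']}")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        findings.append(f"Issuer {issuer} != IdP entityID {expected['idp_entity_id']}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["sp_entity_id"]:
        findings.append(f"Audience {audience} != SP entityID {expected['sp_entity_id']}")
    if not assertion.findtext("saml:Subject/saml:NameID", namespaces=NS):
        findings.append("no NameID: username cannot be matched against the user group")
    cond = assertion.find("saml:Conditions", NS)
    skew = timedelta(seconds=max_skew_s)  # the server profile's maximum clock skew
    if now + skew < parse_ts(cond.get("NotBefore")):
        findings.append("NotBefore is in the future by more than the maximum clock skew")
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        findings.append("NotOnOrAfter has passed by more than the maximum clock skew")
    return findings
```

Run with the Firewall's clock as `now` to see whether a failure is a timing problem (NTP on both appliances) or a profile mismatch.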