Palo Alto 10 SAML Integration¶
This article covers the integration between Swivel Secure AuthControl Sentry and Palo Alto Networks (PAN) Next-Generation Firewall. The integration is based upon SAML 2.0, with AuthControl Sentry acting as the Identity Provider and Palo Alto Next-Generation Firewall the Service Provider.
- Swivel Secure appliance version 4.1 with basic deployment completed
- Palo Alto Networks Next-Generation Firewall (PAN OS v10) with basic deployment completed
- Valid Swivel Secure software license or subscription
- Valid Palo Alto Networks GlobalProtect Portal software license
- Valid SSL certificates to protect the AuthControl Sentry and Palo Alto Networks Next-Generation Firewall
Deployment Tasks - AuthControl Sentry¶
Define new Application in AuthControl Sentry¶
In the AuthControl Sentry SSO GUI, define the Palo Alto Application:
As a guide, the following values can be set:
Portal URL: https://<paloalto_hostname>
Endpoint URL: https://<paloalto_hostname>/SAML20/SP/ACS
Entity ID: https://<paloalto_hostname>:443/SAML20/SP
Federated ID: username
Once saved, the Palo Alto icon will appear in the IdP Login Start Page for IdP initiated logins:
Download IdP Metadata from AuthControl Sentry¶
Swivel Secure AuthControl Sentry works as an Identity Provider. To enable service providers, such as Palo Alto NGFW to utilise the IdP, metadata is provided in XML format. You can import this metadata into the Firewall to register and create an IdP server profile for Swivel Secure within the Firewall. The server profile defines how to connect to the IdP and specifies the certificate that the IdP uses to sign SAML assertions.
In the Sentry SSO Web GUI (running on port 8443), right click on the ‘View IdP Metadata’ left hand menu option and ‘Save As’ an XML file e.g. GeneratedMetadata.xml. We will upload this to the Firewall in a moment.
Obtain the IdP Certificate¶
In addition to the IdP metadata, the Palo Alto Networks Firewall requires an IdP certificate, to be able to create a SAML IdP Server Profile. Obtain the IdP certificate from the Sentry SSO Web GUI (running on port 8443) -> Keys menu.
Download the Public Key, and Cert key from the GUI. To obtain the private key, access the AuthControl Sentry appliance directory: /home/swivel/.swivel/sentry/keys (use WinSCP or similar to access it).
Deployment Tasks - Palo Alto Networks NGFW¶
Create a User Group in the Palo Alto
In the Palo Alto, create a group of users that will be using the Portal:
Create a SAML IdP Server Profile¶
Using the metadata XML file previously exported from the AuthControl Sentry SSO GUI, create a new Server Profile in the Palo Alto. Import the XML file by selecting Device -> Server Profiles -> SAML Identity Provider. Click the Import button at the bottom of the screen.
Profile Name: e.g. SwivelSecureIDP
Identity Provider Metadata: … Browse for the metadata XML file We recommend that the checkbox ‘Validate Identity Provider Certificate’ is checked.
Be aware of the maximum clock skew. This is the difference allowed (in seconds) between the IdP and Firewall system time during SAML validation. If the time difference is exceeded, then authentication will fail.
Click OK to save the profile. Note: the certificate validation process only occurs when the server profile is assigned to an authentication profile.
View the server profile by clicking the name in the list of SAML Identity Providers:
Verify that the information is correct and if necessary, make any modifications. The FQDN of these URLs should be valid. If not, login to the Swivel Secure CMI -> Main Menu -> Appliance -> Sentry and set the Base URL to be correct. Then export the IdP metadata again and repeat these steps to attempt to create a new server profile.
Import and assign the IdP certificate¶
Import the PEM certificate previously downloaded, under Certificate Management -> Certificates of the Palo Alto:
Assign the certificate to the SAML Identity Provider Server Profile you created earlier:
Configure an Authentication Profile¶
On the Palo Alto, goto Device -> Authentication Profile.
In this example we configure an Authentication Profile with the following settings:
IdP Server Profile: SwivelSecureIDP (as previously configured)
Certificate for Signing Requests: You can import a certificate generated by your enterprise CA or generate a certificate using the root CA generated on the Firewall or Panorama.
Enable Single Logout Enabled
Certificate Profile: SwivelSecureCertProfile this is the IDP certificate taken from AuthControl Sentry
Under the Advanced tab, assign the users that can use Swivel Secure:
Click OK to save the Authentication Profile.
Setup GlobalProtect Portal¶
If this does not already exist, goto Network -> GlobalProtect -> Portals and click the Add button.
Associate the portal with the DMZ interface:
Assign the Authentication Profile¶
Inside the GlobalProtect Portal configuration, select the Authentication tab. Setup Client Authentication against the Authentication Profile, e.g. associate the SwivelSecureAuthProfSAML profile created earlier:
Enable Clientless VPN¶
This requires the correct Palo Alto Networks license to work. Enable the Clientless VPN option under the Clientless VPN -> General tab. Ensure that the hostname has the correct FQDN:
Save configurations and commit¶
After all the changes are made in the Palo Alto, you need to save the configuration and push the commit button to apply changes:
Test the Integration¶
IdP initiated login via AuthControl Sentry SSO¶
Visit the Sentry Start Page https://<AuthControlSentryHostname>/sentry and click the Palo Alto icon:
Enter your username when prompted and attempt to login with your user account:
You should be redirected to the Palo Alto GlobalProtect Portal home page (as defined in the Palo Alto Response Pages screen):