Configure Palo Alto Cloud Identity Engine to use Authentik as IdP

Let's start with the basics: what actually is PA Cloud Identity Engine?

Cloud Identity Engine (CIE) is a cloud-based service designed to simplify identity and access management across different environments, including on-premises, cloud, and hybrid setups. CIE integrates with various identity providers to centralise user authentication and authorisation, ensuring consistent access control no matter where applications or users are located. By using CIE, organisations can manage user identities more easily, apply uniform security policies, and provide a seamless single sign-on (SSO) experience.

I like to think of it as a proxy that sits between my IdP and my Service Providers. Instead of configuring multiple Providers in Authentik, you only need to create one, the one that connects to CIE, and from there you can configure CIE to use its own engine to add additional checks before users are authenticated.

In this post, we are going to configure a Palo Alto Firewall to use CIE for Admin Portal (GUI) authentication. If you have previously configured SAML Server Profiles, you will remember that a fair amount of information needs to be provided to create a profile:

Creating a new Server SAML Profile

Now, imagine that you're managing tens, if not hundreds, of firewalls that need to be configured with the same configuration. If you're using Panorama, it's not that big of a deal, but you still need to make sure the information in this form matches a single Provider on the IdP side. It also means that you need to create multiple Providers there, each one matching a single Service Provider (PA Firewall).

This is where CIE kicks in. Instead of creating Providers in Authentik for each and every firewall, we only need to create one - the one for CIE.

To start, we will go to our CIE dashboard. If you haven't already, go to https://apps.paloaltonetworks.com and activate your CIE instance. Activation should take you to another page that should look something like this:

Activating CIE

Once you activate it, your app will be available at the top of the screen, like this:

Cloud Identity Engine App Activated

Select your new app and it will take you to your new CIE dashboard. If it's the first time you're logging in, it will greet you with a form like this:

CIE greeting form

We will use CIE for authentication in this tutorial, so we will choose the 'Set Up Authentication' option by clicking the 'Set Up' button. This will immediately take us to creating an Authentication Profile, but we first need to create an Authentication Type. Click on the link on the left side in the menu:

Authentication Types Menu

On the right side, you should now have an empty list of SAML and Client Certificate Types:

Empty list of Authentication Types

Click the 'Add New Authentication Type' button on the top right side, choose the SAML 2.0 option, and you will now be able to configure the information about your new SAML AuthType.

Notice that part one is already pre-configured; it's the CIE part. You will need this information when configuring a Provider in Authentik.

Part two is the one that we need to configure with relevant information:

Configuring Identity Provider Profile

For the name, choose whatever you want, but make sure you know what it relates to in case you configure multiple AuthTypes in the future. I just called mine Company Name Authentik.

For Identity Provider Vendor choose 'Other'. Next, you can choose how to provide information about your IdP to CIE. I first tried uploading the metadata file provided by Authentik, but was greeted with the following error message on the top right side:

Metadata Error Message

Then I tried selecting the 'Get URL' option and provided the URL that Authentik gave me, but was greeted with another error message. I suspect it's because of the way my reverse proxy in front of Authentik is configured, but I'm not sure and don't actually care:

Get URL Error Message

Mind you, I already had my Provider set up in Authentik, which is why I tried these two options. For you, the logical next step is to switch over to setting up Authentik, so select either the 'Enter Manually' or the 'Do It Later' option.

In any case, we will need to set up our Provider in Authentik to finish the configuration of CIE. Let's do this by creating a new Provider in Authentik:

Create new Provider in Authentik

In one of the previous posts we already configured our Authentik instance, so we will use that as our basis. Name your new Provider and select your own Authentication and Authorization flows. For ACS URL, enter what CIE provided in Step One; do the same for Issuer. Choose 'Post' as the Service Provider Binding and leave the Audience field empty.

Under Advanced protocol settings, choose your Signing Certificate. Hopefully you already have it downloaded on your computer, because you will need to provide the certificate to CIE!

The Verification field can be left unselected. For Property mappings, select all the default ones and, on top of those, select the 'PA SAML AdminRole' mapping that we created in one of the previous posts.

Under NameID Property Mapping choose 'authentik default SAML Mapping: Username' and leave the rest of the fields at their default values:

SAML Provider Advanced Protocol Settings

Next, we need to create a new Application and it should look something like this:

UI settings are purely cosmetic, so set them up however you wish.

Now, let's switch back to our CIE setup. We left it at the 'Identity Provider' part of the configuration. First select the 'Enter Manually' option, and then under 'Identity Provider ID' enter the value from Step One where it says 'Entity ID'.

This actually gave me a bit of a headache. Usually, when configuring a Server SAML Profile on PA appliances, you use Authentik's URL as your 'Identity Provider ID', but when using CIE it needs to match the CIE-provided URL, because from the firewall's perspective CIE is the IdP. If you use your own Authentik URL, you will be presented with the following error when testing:

Error when SAML assertion and Entity ID don't match

This wasn't something I was expecting, but it made sense: whatever is configured on one side must match the other side.

So I tested it the other way, the way I had always used it before: I changed the 'Identity Provider ID' field in CIE to match the URL of my Authentik instance, and on the Authentik side, under the Provider settings, I changed the Issuer back to Authentik's own URL. I tested again, and voilà, it was working! I suspect the earlier failure is related to the Directory sync option in CIE, but since we are not using it at the moment (Authentik is our Directory source), we can stick with Authentik as our Identity Provider.

Next, you will need to click the 'Submit' button before you are able to test it.

Once you click on 'Test SAML Setup', you should see a screen like this pop up:

Successful SAML Setup

You will also notice that there are a few fields that need your attention:

I suggest setting them like this:

Attribute Matching

You will also notice that for the Admin Role (Optional) field I used 'Group' matching instead of the custom attribute called adminrole. That is because adminrole is a dynamic field that is computed when the user is queried, and it doesn't work here. Instead, I now use group membership to determine adminrole, which works just fine:

Successful login

Finally, we can now configure a new Authentication Profile in CIE:

Once you click on 'Add Authentication Profile' in the top right of the screen, you will need to enter the name of the profile and select the Authentication Mode. Since we are only doing Authentication for now, without Directory Sync, choose 'Single' here. Finally, under 'Select Authentication Type', choose the previously created AuthType. Finish the configuration by clicking the 'Submit' button in the bottom right of the screen.

And that is it. You've now configured CIE for SAML authentication and can use it as a profile on your firewall.

To do that, go to Device -> Authentication Profile and click on 'Add'.

Since we are sending group attributes, this is a good place to enforce a policy that only users in certain groups can log onto the device. This will be particularly handy in the future when we configure VPN access, so that we can limit access to users that are part of the VPN group. Of course, we could always restrict in Authentik itself which groups can use a particular Application, but it never hurts to have it set on both sides.

In any case, your new profile should look something like this:

Creating new Authentication Profile

Click on the Advanced tab and, under Allow List, add 'all' or, if you have a connection to your AD/LDAP server, choose the appropriate group. Click OK when you are done with the profile creation.

To force the firewall to use this newly created profile for GUI authentication, go to Device -> Setup and, under Authentication Profile, select your newly created CIE profile:

Authentication Settings for firewall GUI access

Commit the changes and you should now be able to authenticate to your firewall against your IdP! If everything went well, you should see something like this in your System logs:

Successful login logs

And that's it. You will now be able to use CIE on all of your firewalls without creating additional Providers in your Authentik instance! The only things you will need to create are additional Authentication Profiles in CIE and the matching profiles on your firewalls. That's it!

Final note: please make sure that you either limit which groups are allowed to use the Application in Authentik, or have your firewall match groups under the Authentication Profile settings (if connected to LDAP). Otherwise you will be allowing all of your users access to the firewall GUI!
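The three checks this post leans on (the Issuer must equal the configured 'Identity Provider ID', the Allow List on the Authentication Profile, and deriving the admin role from group membership rather than the adminrole attribute) are shown below on a constructed SAML Response. This is an added example, not code from the post, Authentik or Palo Alto; the group attribute name and the authentik.example.test URL are assumptions, and signature verification is out of scope.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (standard values).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute name assumed for Authentik's default group mapping.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample response; the Issuer stands in for the Authentik URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://authentik.example.test</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>firewall-admins</saml:AttributeValue>
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Extract Issuer, NameID and group values (no signature check here)."""
    root = ET.fromstring(xml_text)
    groups = []
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            groups += [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "user": root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS),
            "groups": groups}


def authorize(xml_text, expected_issuer, role_by_group, allow_list):
    """Apply the checks in the order they reject a login."""
    info = parse_response(xml_text)
    # 1. Issuer must equal the configured 'Identity Provider ID' (the mismatch error).
    if info["issuer"] != expected_issuer:
        return {"ok": False, "reason": "issuer does not match Identity Provider ID"}
    # 2. Authentication Profile Allow List: 'all', or at least one listed group.
    if "all" not in allow_list and not allow_list.intersection(info["groups"]):
        return {"ok": False, "reason": "user not in Allow List"}
    # 3. Admin role comes from group membership, not from a custom attribute.
    role = next((role_by_group[g] for g in info["groups"] if g in role_by_group), None)
    if role is None:
        return {"ok": False, "reason": "no admin role mapped from groups"}
    return {"ok": True, "user": info["user"], "role": role}
```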