Palo Alto SAML SSO with authentik

Palo Alto network appliances natively support SAML and can leverage providing identity to a SAML Identity Provider. This can be very useful in multiple ways - granting access to admin GUI interface, authenticating users for GlobalProtect (remote access VPN) and Captive Portal user authentication are just some that come to mind.

SAML stands for Security Assertion Markup Language, a standard that allows external applications to authenticate users and grant access to them. Another benefit of using SAML is that it also enables SSO (Single Sign-On), which allows users to get authenticated once and then, based on their privileges, get granted access to different resources without the need to get authenticated again.

In this article, I will show you how to configure Palo Alto Firewall to provide admin GUI access to users with the help of authentik. You can read more about how to do initial setup of authentik here:

How to configure Authentik IdP with docker compose
In this post we will do an initial setup of Authentik IdP (Identity Provider), an excellent piece of software that provides user identification.

With that out of the way, let's start with authentik first. We need to configure two elements here - an Application and a Provider. This is the naming convention that authentik uses, and since we are going to use authentik in following posts, please keep in mind that these terms are related to authentik - other IdP's may use different naming conventions!

There is a couple of pre-requisites that we have to take care of first in authentik. If you followed my previous post about setting up your own authentik, you will already have one with at least one user. We will expand that by adding one more element - a group. This will be required later on to successfully pass SAML attributes to the firewall.

So let's create the group first. Navigate to Directory -> Groups -> Create. You should be presented with a screen like this:

Create new Group

I will call this new group devadmin as it will only be associated with users that are device administrators. When done, click on Create and then click on the newly created group and select the Users tab. Click on Add existing user and add your previously created user.

One thing to note when working with selectable options in authentik is that you can use Ctrl key to select multiple options. Only ones that are marked are actually associated with the object!

We now need to create a property mapping for SAML to identify if user belongs to a certain adminrole. To do that, click on Customization -> Property Mappings -> Create. In the first screen choose SAML Property Mapping:

Creating a new SAML Property Mapping

Click Next and in the next screen fill out the details like this:

SAML Property Mapping
Two things are important here - one of them is the SAML Attribute Name that should correspond to whatever Palo Alto appliance expects - in this case, that would be an adminrole attribute, while the second one is an expression written in Python that checks whether user belongs to a group devadmin and associates the user with appropriate adminrole if they belong to it.

The code that I used here is:

group = request.user.groups.filter(name="devadmin").first()
if group:
    request.user.attributes["adminrole"] = "devadmin"
return "devadmin" if group else ""

What this code does is that it checks whether user belongs to group devadmin - if they do, it dynamically sets the user's adminrole attribute to devadmin and it also returns the value of devadmin. We need to return this value as well, as it is expected as part of SAML Assertion when logging into the PA appliance. This is pretty nifty code that allows us to dynamically set the attribute of a given user, based on the group they belong to. You can additionally modify the code to check for other groups, in case you want to, for example, allow read-only access to certain groups.

Finally, click on Finish and we now have a necessary attribute check configured. To test if everything went well, click on the right-most icon under Actions section (if you hover over it, a pop-up will show with the word Test):

Test Property Mapping

We are now almost done with configuring authentik - the only thing left is to create our Application and a Provider!

Navigate to Applications -> Applications -> Create and fill out the form like this:

Create new Application

Assign a name to the application that will help you identify it. Slug is mostly important for code aesthetics, as it will be shown in the URL, while the group will help you with grouping of applications in the User interface screen. Provider will be empty for now, as we still need to create one, while the UI settings are there pure aesthetics - if you want to associate an icon with the application, download an icon representing the application - in my case I just downloaded a Palo Alto Networks icon; publisher is there so that you know what vendor you're working with, and the description just highlights the usage of the application. Leave the Launch URL field empty. It should look something like this when you're done:

Create new Application

Finally, click on Create and move to the Applications -> Providers -> Create and select SAML Provider on the first screen and click Next:

Creating a new Provider

Fill out the form on the next screen, something like this:

Create a new Provider

Notice a few things here - I tend to give the same names to the Providers as I do to the Applications, but that's just my preference. This way it's easy for me to find them when I need to make any changes and when I need to associate them. Authentication flow is set to default (as we haven't created custom ones, it's not part of this article). Authorization flow is also set to default, with implicit consent, as this way we won't need to press Continue when the user passes authentication.

ACS URL is quite important, and it is actually specific to a vendor that you are connecting to. Palo Alto Networks uses form https://FQDN:443/SAML20/SP/ACS for it, while other vendors may use something else. Also, please note that, depending on how you are accessing your firewall (whether through an IP address or through an FQDN), this will look different for you. In my case, since I created a DNS entry in my DNS server, I can use an FQDN to create an ACS URL entry.

For Issuer field it will be the same - if you're accessing your authentik instance via an IP address, you will want to change it here - if not, use an FQDN as well.

Service Provider Binding for Palo Alto firewalls should be set to Post. You can read more about this here:

Introduction to SAML
SAML and Palo Alto Networks implementation

Finally, click on Create and you should have your first provider ready. You will also notice that there's a yellow exclamation mark that says Warning: Provider not assigned to any application - we will change that right away. Go back to Applications -> Applications and click on Edit icon under the Actions column. In the field Provider select your newly created Provider and click Update.

Now go back to Applications -> Providers and edit the provider we created.

We want to add one more parameter to the main screen of the application, and that is Audience. This should be simple enough, as it is almost the same URL as it is for ACS URL value, just without the trailing ACS:

Updating a new Provider

Next, Expand the Advanced protocol settings and then make modifications like this:

Updating a new Provider

Important parts here are Signing Certificate - if you're not using your own certificate, the one provided with authentik should be sufficient. As for Property mappings, select only previously created mapping, in my case PA SAML AdminRole. NameID Property Mapping should be set to the default value of authentik default SAML Mapping: Username. Finally, click on Update.

Now, click on your Provider name and you should be presented with a screen like this:

Provider Information

You will notice that there is a number of URLs at the bottom of the screen - we will need only two of those - SSO URL (Post) and SLO URL (Post).

There are two things that we will need from authentik to start working on the PA appliance configuration (firewall or Panorama) - authentik certificate or if you want to import the metadata instead of manually creating the the SAML Identity Provider that will include the certificate. So, click on Download button under Metadata section and download it to your computer.

Now, go to your PA Appliance and under Device -> Server Profiles -> SAML Identity Provider click on Import. A form will open like and you should fill it out like this:

Importing SAML IdP information from metadata file

Make sure to un-check Validate Identity Provider Certificate and click on OK.

You will now have a new SAML Identity Provider Server Profile, but we need to make some changes to it before continuing:

Updating SAML Identity Provider Server Profile

Notice the following necessary changes:

  • Identity Provider SSO URL should be your Post URL from authentik
  • Identity Provider SLO URL should also be your Post URL from authentik
  • SAML HTTP Binding for SSO Request to IDP should be set to Post
  • SAML HTTP Binding for SLO Request to IDP should also be set to Post

Click on OK and you are done with the SAML Identity Provider Server Profile. Metadata file downloaded from authentik for some reason forces Palo Alto appliance to automatically select Redirect as an option, so for that reason I prefer to create the profile manually, without importing it from metadata file. Result is the same, but the only thing you have to remember is to upload the certificate as well if you're not importing a metadata file. If you did, the certificate will also be uploaded automatically, but you lose the option to name it whatever you want:

Certificates installed on the firewall
One thing to remember, if you are using an authentik-signed certificate - it has a one year validity and you need to make sure to change the signing certificate before it expires - this needs to be done in both authentik and in all of your Service Providers.

Personally, I run my own CA in my environment and I just created a 5 year server certificate for authentik and other devices and servers.

Do NOT forget to update your certificates before they expire or you will have issues with your SSO!

Next thing to do is to create an Authentication Profile - it is located under Device tab as well. Create a new profile and fill it out like this:

Creating a new Authentication Profile

Choose the name of your liking, select SAML as the Type, select your previously created IdP Server Profile and fill out the rest of the options.

Next, select the Advanced tab and under Allow List add new item with all as option:

Authentication Profile Allow List

Click on OK and that will finish the creation of the Authentication Profile.

Next, select Admin Roles and click on Add to create a new admin role. We will create an admin role called devadmin (same as name of the dynamically assigned attribute in authentik) and grant all privileges to it. By default all privileges are granted to the role (green check mark sign next to the function), except for the XML API:

New Admin Role

One more thing to do is to change the Authentication Settings under Setup - the only thing needed here is to select the SAML Authentication Profile we created:

Authentication Settings

Click on OK and Commit the change to your appliance. Log out of the system and you should be presented with a slightly modified version of the login screen:

Palo Alto Log In Screen

You will now notice a brand new option on the screen - Use Single Sign-On. Click on it and you should be presented with a screen like this:

Single Sign-On (SSO)

This may be a bit misleading, as it presents you with an option to enter your username, but there is no actual need to do that - just click on Continue and you should be good to go. First you will be redirected to your IdP's address, and if you're already logged in, it will automatically redirect you back to PA Admin GUI interface. Under Monitor -> Logs -> System you can find important information regarding your login attempt:

Authentication logs on the system

As you can see here, the process is pretty straightforward: client (you) is first redirected to the IdP for SSO because of the settings set in the Authentication Profile. Once authenticated, authentik will send SAML Assertion for you as a client. Next, SAML Assertion is validated against the IdP certificate that we uploaded and, finally, user is granted access with admin role set to devadmin.

And this is it - your authentik users can now log into the firewall with their authentik credentials. The only thing that I wasn't able to figure out is on how to log back into the firewall once you log out:

Log out screen

The third option here, Log back into PA FW AdminGUI will not work for some reason:

Error when trying to log back in

It's not that big of an issue for me, as I can always just go back to the main PA login screen, but would be nice if this worked as well. If any of the readers here know how to correct this, please let me know.

UPDATE: It seems that this is something that PA Appliances just don't support. By investigating link for the 3rd option, you can clearly see that the URL it leads to ends with /sso/binding/init, which is used for something called IdP Initiated Login, which PA just doesn't support. So that clears it up!

The only issue that I encountered with SAML users is that, since they are assigned a role, they are not treated as superusers. Certain options and settings in the firewall may be unavailable unless you use a superuser account. It's an easy fix for this - go under Device -> Administrators and add an administrator account that has the same username as your user in authentik (you have to do it with a built-in admin account or with another account that is already a superuser):

Two things to notice here: Authentication Profile should be set to whatever the name is for your SAML Authentication Profile and Administrator Type should be set to Dynamic with option Superuser selected. Press OK and commit the change. Now, when you login with your SAML account that is pre-configured to be superuser, you will no longer have limitations on what you can administer.

I may have missed something in the configuration that would resolve this, but this workaround works for me.

One more thing to notice is that, because we are using group/adminrole associations in authentik, we effectively control who has access to the firewall as well. If you create a test user and don't assign it to the devadmin group in authentik, if they try to log into the firewall, they will be presented with the following screen:

Non-authorised user

This is because, if my understanding is correct, PA appliance expects to receive an adminrole attribute from authentik, and because the user is not associated with the appropriate group, it does not send that attribute to the PA appliance. Additionally, I would suggest that, in cases of infrastructure Service Providers, you limit visibility/authorisation to those Applications in authentik itself. This can be done by going to Applications -> Applications and then selecting the appropriate application, then selecting second tab (Policy / Group / User Binding) and clicking on Bind existing policy. Here, we need to select Group and then under Group field select the appropriate group - in my case that would be devadmin. Other options can be left at default values:

Create binding for an Application

Click on Create and now this application will only be available to devadmin group users.

Now if you try to log into the firewall that you are not authorised to in authentik, you will immediately receive the following error once you are authenticated:

User is not authorised to access an application

Even better, users that don't belong to the devadmin group won't even see this application under User interface:

User interface for users that don't belong to devadmin group

As you can see, this looks different from the view of a user that is associated with devadmin group:

User interface for users that belong to devadmin group

Now, with this setup working, it's easy to follow other tutorials on how to implement MFA on your authentik accounts and make this even more secure! In the following posts we will use authentik to grant access to Palo Alto GlobalProtect Remote Access VPN.