This guide walks PAN-OS administrators through the step-by-step process of configuring Duo SSO with PAN-OS using Duo’s Generic SAML Service Provider, enhancing account security with advanced features like Risk-Based Authentication and Trusted Endpoints. Let’s get started!
This article focuses on integrating Palo Alto network security applications, such as PAN Firewalls and Panorama, with Duo Single Sign-On (SSO) using the Generic SAML Service Provider application from the Duo Admin Panel. The primary goal of this integration is to provide Multi-Factor Authentication (MFA) or passwordless authentication.
Additionally, we will leverage Duo’s advanced features, such as Risk-Based Authentication and Trusted Endpoints, to minimise the risk of account takeovers.
Based on the above network topology, the authentication flow will be as follows:
- User Accesses PAN Admin Panel:
  - The user initiates access to the Palo Alto Networks Admin Panel.
- PAN Admin Panel Connects to Duo SSO:
  - The PAN Admin Panel redirects the user to the Duo Single Sign-On (SSO) login page.
- User is Prompted for MFA or Duo Passwordless:
  - The user is prompted to authenticate using Multi-Factor Authentication (MFA) or Duo Passwordless.
- Successful Challenge:
  - If the authentication challenge is successful, Duo grants access.
- Redirection to PAN Admin Panel:
  - Duo redirects the user back to the PAN Admin Panel, granting them access.
Table 1: Palo Alto Firewall Details

| Setting | Value |
|---|---|
| Host Name | panfw.yasirirfan.com |
| User Accounts | yasirirfan, yiuser01 |
| SAML IdP Name | YI-SAML-iDP |
| Admin Roles | fwadmin |
| Authentication Profile | Duo MFA |
Creating a Palo Alto Application in Duo
- Log on to the Duo Admin Panel:
  - Navigate to Applications.
  - Click Protect an application.
- Search for the Generic SAML Service Provider:
  - Type in Generic SAML in the search bar.
  - Click Protect.
- Configure the Service Provider Details:
  - In the newly created Generic SAML Service Provider application, configure the following details:
Table 2: Service Provider details

| Setting | Value |
|---|---|
| Metadata Discovery | None |
| Entity ID | https://FQDN:443/SAML20/SP or https://IP-address:443/SAML20/SP |
| Assertion Consumer Service (ACS) URL | https://FQDN:443/SAML20/SP/ACS or https://IP-address:443/SAML20/SP/ACS |
- Configure the SAML Response Details:
  - Set up the SAML response details in the Generic SAML Service Provider application.
- Configure the Roles Attributes:
  - Define the roles attributes in the Generic SAML Service Provider application.
Table 3: Roles Attributes

| Setting | Value |
|---|---|
| Attribute name | fwadmin |
| Service Provider's Role | fwadmin |
| Duo groups | Either AD Sync or local group for PAN Admin from your Duo Admin Panel |
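To see how the three values you just entered fit together (the Entity ID from Table 2 becomes the assertion's Audience, the ACS URL becomes its Destination and Recipient, and the roles attribute from Table 3 carries the PAN-OS admin role), here is a small added example of the checks a SAML service provider such as the firewall performs on a response. It is illustrative code written for this post, not Duo's or Palo Alto Networks' implementation, and the SAML response it parses is constructed by hand using the hostname and role from Table 1; signature verification against the IdP certificate downloaded in the next step is deliberately left out so the example can run offline.

```python
"""Illustrative SAML response checks for a PAN-OS-style service provider.

Added example for this post; constructed sample data, not vendor code.
Signature validation (done by the firewall with the Duo IdP certificate)
is intentionally omitted here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Values taken from the configuration tables above (hostname from Table 1).
SP_ENTITY_ID = "https://panfw.yasirirfan.com:443/SAML20/SP"
ACS_URL = "https://panfw.yasirirfan.com:443/SAML20/SP/ACS"
ROLE_ATTRIBUTE = "fwadmin"  # Duo "Attribute name" that carries the admin role

# Constructed sample response: what Duo would post back to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
    Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>yiuser01</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"
            NotOnOrAfter="2030-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z"
        NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTRIBUTE}">
        <saml:AttributeValue>fwadmin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse a SAML UTC timestamp such as 2030-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, now=None):
    """Validate audience, destination, recipient and validity window, then
    extract the user and the admin role. `now` may be a datetime or an ISO
    timestamp string; it defaults to the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_time(now)
    errors = []
    root = ET.fromstring(xml_text)

    # The response must be addressed to our ACS URL, nothing else.
    if root.get("Destination") != ACS_URL:
        errors.append("Destination does not match the configured ACS URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "user": None, "role": None, "errors": ["no Assertion"]}

    # Audience must equal the Entity ID configured in Duo (Table 2).
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        errors.append("Audience does not match the configured Entity ID")

    # Reject assertions outside their validity window (replay defence).
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            errors.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            errors.append("assertion expired")

    # Bearer confirmation must name our ACS URL as Recipient.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        errors.append("bearer Recipient does not match the ACS URL")

    user = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    role = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTRIBUTE:
            role = attr.findtext("saml:AttributeValue", namespaces=NS)
    if role is None:
        errors.append("admin role attribute missing")

    return {"ok": not errors, "user": user, "role": role, "errors": errors}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```

If any of the three configured values on the firewall side differs from what Duo sends (a trailing slash, an IP address instead of the FQDN, a different attribute name), the corresponding check fails and the login is rejected, which is the most common cause of a "works in Duo, fails on the firewall" result when setting this up.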
- Update the Application Name:
  - Scroll to the Settings section.
  - Prepend “Palo Alto” to the name Generic SAML Service Provider – Single Sign-On.
  - Click Save at the bottom.
- Download and Save the Certificate:
  - Download and save the certificate.
  - This will be imported as the Identity Provider Certificate in the SAML Identity Provider Server Profile on the Palo Alto Networks Firewall/Panorama.
- Apply an Application Policy:
  - Scroll up and click Application Policy > Apply a policy to all users.
  - Click Create a new Policy.
  - Policy Name: type APPLY-RBA-PWL-TE-POLICY
  - Devices > Trusted Endpoints:
    - Select Require endpoints to be trusted (on the right side).
  - Authenticators > Risk-based Factor Selection:
    - Select Limit available authentication methods based on risk (on the right side).
    - Set Verified Duo Push Code Length to 4.
  - Authenticators > Authentication Methods:
    - Select the following 2FA authentication methods:
      - Platform Authenticator (WebAuthn)
      - Roaming Authenticator (WebAuthn)
      - Duo Push
    - Select the following Passwordless authentication methods:
      - Platform Authenticators
      - Roaming Authenticator
      - Duo Push
- Click on Create Policy, Apply Policy, then scroll down and click Save.
In the next series, we will focus on configuring the Palo Alto Networks Admin UI with Duo SSO. Stay tuned!