How to integrate Duo Single Sign-On for PAN-OS Administrators? – Series 2

Spread the love

In the previous series, we focused on setting up Duo SSO. This time, we’re diving into Palo Alto Networks’ Admin UI configuration with Duo SSO. This guide will help PAN-OS administrators implement secure access controls using Duo’s robust authentication features.

Configuring Palo Alto Networks – Admin UI with Duo SSO

  1. Log on to the Palo Alto Admin Panel:
    • As an Administrator, click the Device tab.
    • Select Server Profiles > SAML Identity Provider.
    • Click Add.
  1. Enter Profile Details:
    • Enter a Profile Name of your choice.
    • Copy the details from the Palo Alto Generic SAML Service Provider – Single Sign-On created in the Duo Admin Panel to the Server Profile.
    • Import the Identity Provider Certificate downloaded from the Duo Admin Panel (downloaded in step 7 of the previous article)

Table 4 : SAML Identity Provider Server Profile

Entity IDIdentity Provider ID
Single Sign-on URLIdentity Provider SSO URL
Single Sign-Out URLIdentity Provider SLO URL
  1. Add an Authentication Profile:
    • Navigate to Device > Authentication Profile.
    • Click Add.
    • Enter the following information in the Authentication tab and click OK:

Table 5 : Authentication Profile – Authentication tab

NameDuo MFA
TypeSAML
IdP Server ProfileYI-SAML-iDP

Table 6 : Authentication Profile – Advanced tab

ALLOW LISTall
  1. Add an Admin Role:
    • Navigate to Device > Admin Role.
    • Click Add.
    • Provide the Admin Role name and click OK.
  1. Enable Administrators to Use SAML SSO:
    • Navigate to Device > Setup.
    • In the Setup pane, select the Management tab.
    • Under Authentication Settings, click the gear icon.

Please ensure to click commit after every step to save the configuration changes.

Following the outlined steps, we successfully integrated Palo Alto Network security appliances, including Firewalls and Panorama, with Duo MFA via Duo SSO. We’ve also enabled advanced Duo security features such as risk-based authentication, trusted endpoints, and passwordless authentication. Now, let’s validate the configuration by logging into the Palo Alto Admin UI.

  1. Log in to Palo Alto Network Firewall Admin Panel:
    • Click Use Single Sign-On.
    • Enter your login credentials.
    • Click Continue to complete the Duo SSO login process.
    • A Touch ID prompt will appear as the passwordless feature is enabled in the Application Policy within the Duo Admin Panel

Upon successful passwordless login, the user will be directed to the Palo Alto Admin UI for Firewall or Panorama administration. Let’s validate the login activity logs in both the Duo Admin Panel and the Palo Alto Admin UI.

After analyzing the logs, we confirmed that access to the Palo Alto Admin UI was successfully granted using passwordless authentication. The Duo policy further enhances security by enforcing access from a Trusted Endpoint.

The Duo Passwordless feature supports the following authentication methods:

Windows Hello on compatible Windows devices

Touch ID on compatible macOS devices

Face ID or Touch ID on compatible iOS and iPadOS devices

Android Biometrics, including Pixel fingerprint or facial recognition, and Samsung fingerprint or facial recognition

WebAuthn FIDO2 security keys with biometric or PIN verification, such as those from Yubico or Feitian

Duo Push authentication requests sent to Duo Mobile on Android or iOS devices secured with biometric, PIN, or passcode unlocking


Spread the love

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top