Hi. Thank you for the comment. You only need to import the Metadata once, both firewalls synchronize the configuration.

Thank you. In this case you need a second admin role with a read only profile. Take a look at the video starting at minute 11:33.

I'm almost sure the URLs are not in the Metadata, because you can change them and you don't need to upload a new Metadata. So in your case, you should import the same Metadata to both firewalls and configure 2 URLs on your IdP, as you mentioned. But how does your active/passive work? Do you use DNS for that?

@@netsums Thanks for your reply. Yes I do have an internal dns server and the i have pointed my firewall urls to my local firewall ip's. 1 more query: Regarding the roles, Is it possible to configure 2 roles. Because In my setup i require both read only and write permission.

Yes, you can use the menu Admin Roles on Panorama to create the roles you need.

@@netsums Thanks again mate

Sorry for the late reply. You should be able to access your Panorama, even if it's on a private environment. Your IdP doesn't need to access your Panorama, only the client trying to authenticate.

Hi. Thank you for the request, I will keep that in mind.

Hi. Yes, it's okay to use a private address with Azure. Azure doesn't communicate directly with the firewall, your browser gets redirected to Azure and then back to the firewall.

Yes, you should be able to implement it also without having to use Panorama

Azure Active Directory doesn't need access to your Panorama. When you try to login, Panorama makes a redirect to login.microsoftonline.com. After you authenticate yourself, your browser gets redirect back to Panorama (of course, if your configuration has been done correctly). So your client needs to have access to Panorama (or firewall), not Azure. If you want to use IP instead of FQDN, you should use the IP you use to access Panorama. Even if it's a private one, it should work.

@@netsums ok thankyou final question. after I imported the saml xml file and then when I try to edit again to edit the SLO url, I get error on identity provider certificate. How to get that ? I tried to create self-sign on the palo but it didn’t work for this

Have you tried editing the SLO URL (Logout URL) on Azure first (instead of on the Palo), than exporting the XML?

@netsums didn’t do anything more other then the steps mentioned before importing to Palo Alto. Steps- 1) entered those three urls on saml config on azure 2) added claim mappings 3) downloaded the xml file and imported

There is a fourth url in Azure further to the bottom, called Logout URL. If I understood correctly, you didn't set that one in Azure, but you're changing it on the Palo Alto. Try setting that fourth Url on Azure and after that exporting the XML again. Let me know if it worked

I don't really understand your question. What do you mean with "sam registered app"? Can you give me an example?

So with have sso set up into panorama. At the moment tho is just with admin permissions for admins. Can you have read only permissions set for other users but whilst still have admin access for admins all done through the same enterprise registered app in azure. ?

If I understood your question correctly, you want a set of Azure users to have read-write permissions to Panorama and another set of users to have read-only access. As I explained in the video, you can control the access through the group membership in Azure (for example, users in group admin have access to all the features and and group readonly have only read-only access). The Palo Alto analyses the group passed from Azure and matches them to the configured admin roles to set the user roles. In the video I only gave an example with one Azure group, but you can configure several, if you need.

That’s great thank you. 👍