How to configure SAML authentication with Azure AD for Palo Alto Firewalls, with role based access based on Azure AD Group memberships

Palo Alto firewalls support SAML-based authentication to the web console, and Microsoft has good documentation on how to configure the base setup. You can refer to it here.

However, one problem with the example in that documentation is that it only allows a single role to be configured for all users: every user who is assigned the application in Azure AD gets the same access. This is not desirable when we need different role-based access to the firewalls based on group membership.

This is possible by modifying the attributes and claims section of the SAML configuration in Azure AD (section Configure Azure AD SSO, step 6, in the link above).

All we need to do is configure claim conditions in the SAML attributes and claims section. Based on the user’s group membership, the “adminrole” claim should return the role they are allowed in the firewall. Refer to the diagram below for an example.

What I did here is add two conditions:

  • If the user is a member of the group “Firewall Read Only Admins”, then return the rolename “firewallreadonlyadmin”
  • If the user is a member of the group “Firewall Admins”, then return the rolename “firewalladmin”

Similarly, any number of roles can be added. Just make sure that admin role profiles with exactly the same names are created in the firewall.

So overall, the process is as follows:

  1. Within Azure AD, create groups according to your needs and assign users to them.
  2. Within Azure AD, create an Enterprise Application for the firewall and assign the groups to it.
  3. Within the Enterprise Application, configure SAML according to the documentation.
  4. In the SAML attributes and claims section, configure claim conditions so that, based on the user’s group membership, the “adminrole” claim returns the role they are allowed in the firewall.
  5. Configure SAML authentication in the firewall.
  6. Create the different admin role profiles within the firewall.
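As an added illustration (not code from this post or from Microsoft or Palo Alto), the following Python simulates both halves of the setup described above: the Azure AD claim conditions turning a user's group membership into the “adminrole” claim, and the firewall side reading that attribute from the assertion and accepting only values that name an existing admin role profile. The tie-break order when a user is in both groups, and the assertion XML, are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Claim conditions in the order they are listed in Azure AD.  Assumption for
# this example: when several conditions match, the last listed match wins,
# so the most privileged role is deliberately placed last.
CLAIM_CONDITIONS = [
    ("Firewall Read Only Admins", "firewallreadonlyadmin"),
    ("Firewall Admins", "firewalladmin"),
]

# Admin role profiles that exist on the firewall; names must match exactly.
FIREWALL_ADMIN_ROLES = {"firewallreadonlyadmin", "firewalladmin"}

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def adminrole_claim(user_groups):
    """IdP side: return the adminrole value for a user, or None when no
    condition matches (the claim is then omitted from the assertion)."""
    role = None
    for group, rolename in CLAIM_CONDITIONS:
        if group in user_groups:
            role = rolename  # a later matching condition overrides earlier ones
    return role


def build_assertion(adminrole):
    """Construct a minimal, unsigned assertion carrying the claim (test input)."""
    attr = "" if adminrole is None else (
        '<saml:Attribute Name="adminrole"><saml:AttributeValue>'
        f"{adminrole}</saml:AttributeValue></saml:Attribute>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:AttributeStatement>{attr}</saml:AttributeStatement>"
            "</saml:Assertion>")


def firewall_role_from_assertion(xml_text):
    """SP side: read the adminrole attribute and accept it only if it names an
    existing admin role profile.  Signature verification, which the real
    firewall performs before trusting any attribute, is out of scope here."""
    root = ET.fromstring(xml_text)
    values = root.findall(
        'saml:AttributeStatement/saml:Attribute[@Name="adminrole"]'
        "/saml:AttributeValue", NS)
    if len(values) != 1:
        return None  # missing or ambiguous role: fail closed, deny the login
    role = (values[0].text or "").strip()
    return role if role in FIREWALL_ADMIN_ROLES else None
```

A user in neither group, or a claim value that does not match any admin role profile on the firewall, yields None, which is the fail-closed behaviour you want from a role mapping.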