Authentication Features
New Authentication Features

SAML 2.0 Authentication
The firewall and Panorama can now function as Security Assertion Markup Language (SAML) 2.0 service providers to enable single sign-on and single logout for end users (see SAML 2.0 Authentication for GlobalProtect) and for administrators. SAML enhances the user experience by enabling a single, interactive login to provide automatic access to multiple authenticated services that are internal or external to your organization. In addition to authenticating administrator accounts that are local to the firewall and Panorama, you can use SAML to authenticate and assign roles to external administrator accounts held in the identity provider (IdP) identity store.

Authentication Policy and Multi-Factor Authentication
To protect your network resources from attackers, you can use the new Authentication policy to ensure that all your end users authenticate when they access those resources. Authentication policy is an improved replacement for Captive Portal policy, which enforced authentication only for some users. Authentication policy has the additional benefit of letting you choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive resources. For example, you can require users to enter a login password and then enter a verification code that they receive by phone. This approach ensures attackers can't invade your network and move laterally through it just by stealing passwords. If you want to spare users the hassle of responding to multiple challenges for resources that don't need such a high degree of protection, you can also create Authentication policy rules that enforce only password or certificate authentication. The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms.

TACACS+ User Account Management
To use a Terminal Access Controller Access-Control System Plus (TACACS+) server for centrally managing all administrative accounts, you can now use Vendor-Specific Attributes (VSAs) to manage the accounts of firewall and Panorama administrators. TACACS+ VSAs enable you to quickly reassign administrator roles and access domains without reconfiguring settings on the firewall and Panorama.

Authentication Using Custom Certificates
You can now deploy custom certificates to replace the predefined certificates shipped on Palo Alto Networks devices for management connections between Panorama, firewalls, and Log Collectors. By generating and deploying a unique certificate for each device, you establish a unique chain of trust between Panorama and the managed devices. You can generate these custom certificates locally or import them from an existing enterprise public key infrastructure (PKI). Panorama can manage devices in environments with a mix of predefined and custom certificates. You can also deploy custom certificates for mutual authentication between the firewall and the Windows User-ID Agent, which allows the firewall to confirm the Windows User-ID Agent's identity before accepting User-ID information from the agent. To establish a unique trust chain between the two devices, deploy a custom certificate on the Windows User-ID Agent and, on the firewall, a certificate profile that contains the CA certificate that issued it.

Authentication for External Dynamic Lists
The firewall now validates the digital certificates of the SSL/TLS servers that host external dynamic lists, and, if a server enforces basic HTTP username/password authentication (client authentication), the firewall can forward login credentials to gain access to the list. If an external dynamic list source fails server or client authentication, the firewall does not retrieve the list and ceases to enforce policy based on its contents. These security enhancements help ensure that the firewall retrieves IP addresses, domains, or URLs from a valid source over a secure, private channel.
