High Availability (HA) Pairs and Palo Alto Admin UI OIN App Are Not Compatible
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

The Palo Alto Admin UI app from the Okta Integration Network (OIN) does not work for Palo Alto firewalls that are set up in High Availability (HA), because the active firewall's configuration overwrites the passive firewall's configuration. According to Palo Alto's article Different SAML Profiles needed for Primary and Secondary devices in HA, this is a problem because the OIN app does not expose the "Allow this app to request other SSO URLs" feature, so a separate SSO (ACS) URL cannot be registered for each device in the pair.

NOTE: For the attributes listed in the instructions below to work properly, also follow How to Configure SAML 2.0 for Palo Alto Networks - Admin UI for the custom SAML app integration created below.

Applies To
  • Okta Integration Network (OIN)
  • High Availability (HA)
  • Custom SAML App Integration
Solution

The Palo Alto Admin UI app cannot be used for HA pairs, but a custom SAML app can be created and configured within Okta to allow for the HA pair configuration. Follow the steps below to complete that configuration:

  1. Access the Okta Admin Console.

  2. Navigate to the Applications > Applications section, and click the Create App Integration button.

  3. Choose SAML 2.0 as the Sign-in method and click Next.

[Screenshot: Create app integration]

  4. Provide a name for the custom SAML app, and click Next.

[Screenshot: Create SAML integration]

  5. Fill out the General settings section with the following information:

    • Single sign-on URL: [baseURL]/SAML20/SP/ACS

    • Audience URI: [baseURL]/SAML20/SP

    • Name ID format: Unspecified

[Screenshot: Create SAML integration, General settings]

  6. Click the Show Advanced Settings link to expand the settings and configure as follows:

    • Response signed: Signed

    • Assertion signed: Signed

    • Signature algorithm: RSA_SHA256

    • Digest algorithm: SHA256

    • Assertion encryption: Unencrypted

      • If Single Logout (SLO) is desired, a Signature Certificate must be uploaded and the following settings configured:

        1. Single logout: enabled

        2. Single logout URL: [baseURL]/SAML20/SP/SLO

        3. SP issuer: [baseURL]/SAML20/SP

    • Signed requests: disabled

    • Requestable SSO URLs: Enter every SSO URL required for the environment, one per firewall in the HA pair. Each entry must be that device's full SSO (ACS) URL: [baseURL]/SAML20/SP/ACS

    • Authentication context class: PasswordProtectedTransport

[Screenshot: SAML integration, Advanced Settings]

  7. In the Attribute Statements section, add the following attributes with the Name format set to Unspecified:

    • Name: adminrole Value: appuser.adminrole

    • Name: domain Value: appuser.domain

    • Name: accessdomain Value: appuser.accessdomain

  8. To send groups as part of the SAML assertion, in the Group Attribute Statements section:

    • Name: "groups"

    • Name format: Unspecified

    • Select the appropriate filter from the dropdown menu and type the preferred value.

[Screenshot: Attribute statements]

  9. Click Next to complete the app creation.

  10. Assign users or groups to the app and save the changes.

  11. Configure the Palo Alto firewalls to use the custom SAML app in Okta for SSO.
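The following is an added example, written for this article and not code from Okta or Palo Alto Networks. It derives the General settings listed in the steps above for each firewall of an HA pair (so that every peer's ACS URL lands in Requestable SSO URLs) and then checks a constructed SAML Response against those settings: Destination must be one of the requestable SSO URLs, the Audience must match the Audience URI, and the adminrole, domain and accessdomain attributes must be present. The firewall hostnames and attribute values are constructed placeholders, and the article's [baseURL] is assumed to be the first (active) peer's management URL. Signature verification is out of scope here, since it requires the Okta signing certificate.

```python
"""Added example (not from the Okta article): derive the custom-SAML settings for a
Palo Alto HA pair and check a constructed SAML Response against them."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample values: replace with the real management URLs of the HA peers.
HA_PEER_BASE_URLS = [
    "https://fw-active.example.internal",
    "https://fw-passive.example.internal",
]

# Attribute Statements the article tells you to configure in Okta.
REQUIRED_ATTRIBUTES = {"adminrole", "domain", "accessdomain"}


def okta_saml_settings(peer_base_urls):
    """Build the General settings from the article for every firewall in the pair.

    Assumption: [baseURL] in the article is the first (active) peer. Every peer's
    full ACS URL goes into Requestable SSO URLs, which is the setting the OIN app
    lacks and the reason a custom app is needed for HA.
    """
    if not peer_base_urls:
        raise ValueError("at least one firewall base URL is required")
    primary = peer_base_urls[0].rstrip("/")
    return {
        "single_sign_on_url": f"{primary}/SAML20/SP/ACS",
        "audience_uri": f"{primary}/SAML20/SP",
        "single_logout_url": f"{primary}/SAML20/SP/SLO",
        "sp_issuer": f"{primary}/SAML20/SP",
        "name_id_format": "Unspecified",
        "requestable_sso_urls": [f"{u.rstrip('/')}/SAML20/SP/ACS" for u in peer_base_urls],
    }


def check_acs_url(requested_acs_url, settings):
    """Allow-list check mirroring what Requestable SSO URLs does in Okta: an ACS URL
    requested by a firewall is honoured only if it was configured in advance."""
    return requested_acs_url in settings["requestable_sso_urls"]


def check_response(response_xml, settings):
    """Check the parts of a SAML Response that the article's settings control.

    Returns a list of findings; an empty list means every check passed.
    """
    root = ET.fromstring(response_xml)
    findings = []
    dest = root.get("Destination")
    if dest not in settings["requestable_sso_urls"]:
        findings.append(f"Destination {dest!r} is not a requestable SSO URL")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != settings["audience_uri"]:
        findings.append(f"Audience {audience!r} != {settings['audience_uri']!r}")
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    for name in sorted(REQUIRED_ATTRIBUTES - attrs.keys()):
        findings.append(f"missing attribute {name!r}")
    if "groups" in attrs and not attrs["groups"]:
        findings.append("groups attribute present but empty")
    return findings


# Constructed sample Response, as Okta would send it to the passive peer's ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://fw-passive.example.internal/SAML20/SP/ACS" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://fw-active.example.internal/SAML20/SP</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="adminrole"><saml:AttributeValue>example-role</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="domain"><saml:AttributeValue>example-domain</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="accessdomain"><saml:AttributeValue>example-access-domain</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>fw-admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    settings = okta_saml_settings(HA_PEER_BASE_URLS)
    for key, value in settings.items():
        print(f"{key}: {value}")
    print("findings:", check_response(SAMPLE_RESPONSE, settings) or "none")
```

Running the block prints the settings to enter in Okta and reports no findings for the sample; a Response addressed to an ACS URL that is not in the requestable list, or one missing an attribute, produces a finding, which is the failure a firewall peer would hit if its URL had been left out of the list.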
