SSO Guidelines for the Cloud-Delivered Firewall Management Center

Keep the following in mind when you configure a Cloud-Delivered Firewall Management Center to be a member of an SSO federation:

  • The Cloud-Delivered Firewall Management Center can support SSO with only one SSO provider at a time—you cannot configure the Cloud-Delivered Firewall Management Center to use, for instance, both Okta and OneLogin for SSO.

  • Cloud-Delivered Firewall Management Centers in a high availability configuration can support SSO, but you must keep the following considerations in mind:

    • SSO configuration is not synchronized between the members of the high availability pair; you must configure SSO separately on each member of the pair.

    • Both Cloud-Delivered Firewall Management Centers in a high availability pair must use the same IdP for SSO. You must configure a service provider application at the IdP for each Cloud-Delivered Firewall Management Center configured for SSO.

    • In a high availability pair where both Cloud-Delivered Firewall Management Centers are configured for SSO, a user must log in to the primary Cloud-Delivered Firewall Management Center with SSO at least once before that user can use SSO to access the secondary Cloud-Delivered Firewall Management Center for the first time.

    • When configuring SSO for Cloud-Delivered Firewall Management Centers in a high availability pair:

      • If you configure SSO on the primary Cloud-Delivered Firewall Management Center, you are not required to configure SSO on the secondary Cloud-Delivered Firewall Management Center.

      • If you configure SSO on the secondary Cloud-Delivered Firewall Management Center, you are required to configure SSO on the primary Cloud-Delivered Firewall Management Center as well. (This is because SSO users must log in to the primary Cloud-Delivered Firewall Management Center at least once before logging in to the secondary Cloud-Delivered Firewall Management Center.)

  • In a Cloud-Delivered Firewall Management Center that uses multi-tenancy, the SSO configuration can be applied only at the global domain level, and applies to the global domain and all subdomains.

  • Only users with the Admin role who are authenticated internally or by LDAP or RADIUS can configure SSO; a user who is themselves authenticated through SSO cannot.

  • The Cloud-Delivered Firewall Management Center does not support IdP-initiated SSO; the login must be started from the Cloud-Delivered Firewall Management Center itself (SP-initiated SSO).

  • The Cloud-Delivered Firewall Management Center does not support logging in with CAC credentials for SSO accounts.

  • Do not configure SSO in deployments using CC (Common Criteria) mode.

  • SSO activities are logged in the Cloud-Delivered Firewall Management Center audit log with Login or Logout specified in the Subsystem field.
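The two operational facts above that a practitioner is most likely to want to verify are the high availability precondition (a user must have an SSO login on the primary before SSO can be used on the secondary) and the audit-log convention (SSO activity appears with Login or Logout in the Subsystem field). The following script is an added example, not code from the original page or from Cisco: it reads audit-log exports from both members of a pair and reports secondary SSO logins that have no earlier primary SSO login. The CSV column layout (Time, User, Subsystem, Message, Source IP), the sample rows, and the "(SSO)" text in the Message field are all constructed assumptions for this example; adjust them to match the export format of your own deployment.

```python
"""Cross-check SSO readiness across a Cloud-Delivered Firewall Management
Center high availability pair from exported audit-log rows.

Added example, not part of the original guideline page or Cisco's code.
Assumptions: exports are CSV with columns Time,User,Subsystem,Message,
Source IP. The Subsystem values "Login" and "Logout" come from the
guideline; the Message text and timestamp layout are constructed here.
"""
import csv
import io
from datetime import datetime

# Constructed sample exports, one per HA member (not real audit data).
PRIMARY_AUDIT = """\
Time,User,Subsystem,Message,Source IP
2024-05-01 09:00:12,alice,Login,Login Success (SSO),10.1.1.5
2024-05-01 09:30:41,bob,Login,Login Success,10.1.1.6
2024-05-01 10:02:03,alice,Logout,Logout Success (SSO),10.1.1.5
2024-05-01 10:10:00,alice,Health,Health monitor update,
"""

SECONDARY_AUDIT = """\
Time,User,Subsystem,Message,Source IP
2024-05-01 11:15:20,alice,Login,Login Success (SSO),10.1.1.5
2024-05-01 11:20:55,carol,Login,Login Success (SSO),10.1.1.9
2024-05-01 11:40:00,bob,Login,Login Success,10.1.1.6
"""

SSO_MARKER = "(SSO)"  # assumed Message text that distinguishes SSO events
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def sso_events(export_text):
    """Return sorted (time, user, subsystem) tuples for SSO rows only.

    Per the guideline, SSO activity is recorded with Subsystem set to
    Login or Logout; rows from other subsystems (Health, ...) and
    non-SSO logins (internal, LDAP, RADIUS) are skipped.
    """
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Subsystem"] not in ("Login", "Logout"):
            continue
        if SSO_MARKER not in row["Message"]:
            continue
        events.append((datetime.strptime(row["Time"], TIME_FMT),
                       row["User"], row["Subsystem"]))
    return sorted(events)


def unprimed_secondary_users(primary_text, secondary_text):
    """Users with an SSO login on the secondary but no earlier SSO login
    on the primary.

    The guideline says such a user cannot use SSO on the secondary yet,
    so any hit points at mismatched exports or at SSO having been set up
    in a different order than the guideline describes.
    """
    first_primary = {}
    for when, user, subsystem in sso_events(primary_text):
        if subsystem == "Login" and user not in first_primary:
            first_primary[user] = when
    flagged = set()
    for when, user, subsystem in sso_events(secondary_text):
        if subsystem != "Login":
            continue
        primed_at = first_primary.get(user)
        if primed_at is None or primed_at > when:
            flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    for when, user, subsystem in sso_events(PRIMARY_AUDIT):
        print(f"primary  {when:%Y-%m-%d %H:%M:%S} {user:<8} {subsystem}")
    for when, user, subsystem in sso_events(SECONDARY_AUDIT):
        print(f"secondary {when:%Y-%m-%d %H:%M:%S} {user:<8} {subsystem}")
    print("secondary SSO users never primed on the primary:",
          unprimed_secondary_users(PRIMARY_AUDIT, SECONDARY_AUDIT))
```

With the constructed samples, alice is primed (primary SSO login before her secondary login), bob never used SSO at all and is ignored, and carol is flagged because her only SSO login is on the secondary.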