Explanation
This combination of service and application, and order of Security policy rules, allows clear-text web-browsing traffic to the server on tcp/443. The first rule matches the web-browsing application on the service-https service, which is a predefined service object that includes tcp/443 as the default port. The second rule matches the ssl application on the application-default service, which is a dynamic service object that includes the default ports for each application. This rule is needed to allow the decrypted ssl traffic to pass through the firewall after the Forward Proxy rule. The order of the rules is important because the firewall evaluates the rules from top to bottom and applies the first matching rule.
https://live.paloaltonetworks.com/t5/general-topics/web-browsing-default-port-application/td-p/228859

Explanation
To configure LDAP authentication on Panorama, you need to
Define an LDAP server profile that specifies the connection details and credentials for accessing the LDAP server.
Define an authentication profile that references the LDAP server profile and defines how users authenticate to Panorama (such as username format and password expiration).
Define an authentication sequence (optional) that allows users to authenticate using multiple methods (such as local database, LDAP, RADIUS, etc.).
Assign the authentication profile or sequence to a Panorama administrator role or a device group role.

Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet. This will prevent the MAC addresses from conflicting and allow the firewalls to properly route traffic. You can also configure a floating IP between the firewall pairs if necessary.

Explanation
SSO is available to administrators who access the web interface and to end users who access applications through GlobalProtect or Captive Portal. SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-server-profiles-saml-ide

Explanation
Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible).
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administra