How to setup Azure SAML authentication with GlobalProtect - Knowledge Base - Palo Alto Networks


441497
Created On 05/15/20 00:59 AM - Last Modified 08/02/24 04:36 AM


Objective


Step-by-step instructions on how to set up Azure SAML authentication for the GlobalProtect portal and gateway.

 


Environment


GlobalProtect authentication with Azure SAML

Procedure


Step 1. Log in to the Azure Portal and navigate to Enterprise applications under All services.




Step 2. Search for Palo Alto and select Palo Alto GlobalProtect.



Step 3. Click Add to add the app.


Step 4. After the app has been added successfully, click Single sign-on.


Step 5. Select SAML option:



Step 6. Edit the Basic SAML Configuration section by clicking the Edit button.


Step 7. Fill out the Sign-on URL, Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) as follows.

        The GlobalProtect portal FQDN/IP address can be found by logging in to the firewall and going to Network > Portal > select the portal > Agent > select the config > External > select the External Gateway. Use either the FQDN or the IP address, and use the same one consistently in all three fields.

       Sign-on URL:
         https://FQDN
         https://IP-address

      Identifier (Entity ID):
         https://FQDN:443/SAML20/SP
         https://IP-address:443/SAML20/SP

      Reply URL (Assertion Consumer Service URL):
         https://FQDN:443/SAML20/SP/ACS
         https://IP-address:443/SAML20/SP/ACS

For example, the same three fields filled in with the portal FQDN, or alternatively with the portal IP address.

Step 8. Download the Federation Metadata XML and save it on your computer (it will be imported into the firewall).


       

Note:
Make sure there is only one certificate in Azure before downloading the metadata.
If there are multiple certificates (even if their status is inactive), the firewall cannot recognize which certificate is the active one, and authentication may fail because of a certificate mismatch.
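As an added example (not part of the Palo Alto Networks article), the following Python script checks a downloaded Federation Metadata XML for the condition the note warns about before it is imported into the firewall: it counts the signing certificates, reports the IdP entityID and SSO URLs the firewall will import, and prints a SHA-256 fingerprint of each certificate body so it can be compared with what Azure displays. The embedded metadata is constructed for the demonstration; its tenant ID and certificate bodies are placeholders (not real X.509 data), and the function names are mine, not a PAN-OS or Azure API.

```python
"""Pre-import check for an Azure Federation Metadata XML file.

Added example, not part of the Palo Alto Networks KB article. Flags metadata
that carries more than one signing certificate (the KB note says the firewall
may then not recognise the active one) and reports what the firewall will
import. The sample metadata is constructed; the tenant ID and certificate
bodies are placeholders, not real values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SSO_URL = f"https://login.microsoftonline.com/{TENANT}/saml2"

KEY_DESCRIPTOR = """
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{b64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>"""


def build_sample_metadata(cert_blobs):
    """Constructed IdP metadata in the shape Azure exports, with one signing
    KeyDescriptor per entry in cert_blobs (placeholder bytes, not real DER)."""
    keys = "".join(KEY_DESCRIPTOR.format(b64=base64.b64encode(b).decode()) for b in cert_blobs)
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{keys}
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{SSO_URL}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{SSO_URL}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_metadata(xml_text):
    """Return the IdP entityID, its SSO URLs per binding, and a SHA-256
    fingerprint of every signing certificate found in the metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-Redirect
        sso[binding] = svc.get("Location")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": fingerprints}


def metadata_problems(info):
    """Conditions that should stop you importing this file into the firewall."""
    problems = []
    n = len(info["signing_fingerprints"])
    if n == 0:
        problems.append("no signing certificate in metadata")
    elif n > 1:
        problems.append(f"{n} signing certificates present; remove the inactive ones in Azure and re-download")
    if "HTTP-Redirect" not in info["sso"] and "HTTP-POST" not in info["sso"]:
        problems.append("no SingleSignOnService binding found")
    return problems


if __name__ == "__main__":
    # Compare a clean export with one that still carries a second certificate.
    for blobs in ([b"placeholder-cert-one"], [b"placeholder-cert-one", b"placeholder-cert-two"]):
        info = inspect_metadata(build_sample_metadata(blobs))
        print(info["entity_id"], info["sso"])
        for fp in info["signing_fingerprints"]:
            print("  signing cert sha256:", fp)
        print("  problems:", metadata_problems(info) or "none")
```

To use it on a real download, replace the constructed sample with `inspect_metadata(open("metadata.xml").read())`; if `metadata_problems` reports more than one signing certificate, clean up the certificates in Azure and download the metadata again rather than importing it.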

This concludes the configuration on Azure. Log in to the firewall and add the SAML Identity Provider.

Steps to configure SAML authentication for the GlobalProtect Portal and Gateway:

        Follow this article to configure the GlobalProtect Portal/Gateway.

SAML configuration steps:

Step 1. Log in to the firewall and navigate to Device > SAML Identity Provider > Import.


       
Step 2. Import the Federation Metadata XML downloaded from Azure in step 8.
        

     Optional: uncheck Validate Identity Provider Certificate. If it is left checked, the certificate from Azure also needs to be uploaded to the firewall.

Step 3. Create an Authentication Profile, select SAML as the type, and select the IdP Server Profile created in the previous step.

       


Step 4. Click the Advanced tab and configure the "Allow list".


Step 5. Add the authentication profile to the GlobalProtect Portal configuration.


Step 6. Add the authentication profile to the GlobalProtect Gateway configuration.


This concludes the configuration part.
        


 
 

