How to set up Azure SAML authentication with GlobalProtect
441497
Created On 05/15/20 00:59 AM - Last Modified 08/02/24 04:36 AM
Objective
Step-by-step instructions for setting up Azure SAML authentication for the GlobalProtect portal and gateway.
Environment
GlobalProtect authentication with Azure SAML
Procedure
Step 1. Log in to the Azure Portal and navigate to Enterprise applications under All services.
Step 2. Search for Palo Alto and select the Palo Alto Networks GlobalProtect gallery app.
Step 3. Click Add to add the app.
Step 4. After the app has been added, click Single sign-on.
Step 5. Select the SAML option.
Step 6. Click the Edit button on Basic SAML Configuration.
Step 7. Fill out the Sign-on URL, Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) as follows.
The GlobalProtect portal or gateway FQDN/IP address can be found on the firewall under Network > GlobalProtect > Portals > (select the portal) > Agent > (select the agent config) > External > External Gateways. Use either the FQDN or the IP address, but use the same one the clients connect to: the firewall builds its SP entity ID and ACS URL from that host name with :443 appended, and Azure rejects the request if the values do not match exactly. A gateway with a different address than the portal needs its own app in Azure with its own set of values.
Sign-on URL:
https://FQDN (or https://IP-address)
Identifier (Entity ID):
https://FQDN:443/SAML20/SP (or https://IP-address:443/SAML20/SP)
Reply URL (Assertion Consumer Service URL):
https://FQDN:443/SAML20/SP/ACS (or https://IP-address:443/SAML20/SP/ACS)
Step 8. Download the Federation Metadata XML and save it on your computer (it will be imported into the firewall).
Note:
Do not have multiple SAML signing certificates on the app before downloading the metadata.
If there are multiple certificates (even if the extra ones are inactive), the metadata lists all of them and the firewall cannot tell which one is active, so authentication can fail with a certificate mismatch. Delete the unused certificates in Azure and download the metadata again.
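The two checks from steps 7 and 8 can be done before touching the firewall. The script below is an added example, not part of the original article or of any Palo Alto Networks or Microsoft tool: it derives the three Basic SAML Configuration values for a given portal or gateway host, and parses a federation metadata XML to report the IdP entity ID, the HTTP-Redirect single sign-on URL, and the number of signing certificates, warning when there is more than one. The metadata it runs against is constructed inline in Azure's shape; the tenant ID and certificate bodies are placeholders.

```python
"""Pre-import checks for Azure federation metadata and the step 7 SP values.

Added example, not from the original article. Uses only the Python standard
library so it runs offline against a downloaded metadata file.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def expected_sp_values(host: str) -> dict:
    """Values to enter in Basic SAML Configuration for a portal/gateway FQDN or IP.

    The firewall presents its SP entity ID and ACS URL as the host with :443
    appended, so the Azure side must carry exactly these strings.
    """
    base = f"https://{host}"
    return {
        "sign_on_url": base,
        "entity_id": f"{base}:443/SAML20/SP",
        "reply_url": f"{base}:443/SAML20/SP/ACS",
    }


def inspect_idp_metadata(xml_text: str) -> dict:
    """Parse federation metadata and flag conditions that break the firewall import."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element; this is not IdP metadata")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                signing_certs.append("".join(cert.text.split()))

    sso_redirect = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_redirect = svc.get("Location")

    warnings = []
    if not signing_certs:
        warnings.append("no signing certificate in metadata")
    elif len(signing_certs) > 1:
        warnings.append(
            f"{len(signing_certs)} signing certificates present; delete the unused "
            "certificates in Azure and download the metadata again before importing"
        )
    if sso_redirect is None:
        warnings.append("no HTTP-Redirect SingleSignOnService endpoint")

    return {
        "idp_entity_id": root.get("entityID"),
        "sso_redirect_url": sso_redirect,
        "signing_certificate_count": len(signing_certs),
        "warnings": warnings,
    }


def sample_metadata(certs) -> str:
    """Constructed metadata in the shape Azure emits; tenant and certificates are placeholders."""
    tenant = "00000000-0000-0000-0000-000000000000"
    key_descriptors = "".join(
        '<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        f"<X509Data><X509Certificate>{c}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>"
        for c in certs
    )
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        f'entityID="https://sts.windows.net/{tenant}/">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{key_descriptors}"
        f'<SingleSignOnService Binding="{HTTP_REDIRECT}" '
        f'Location="https://login.microsoftonline.com/{tenant}/saml2"/>'
        f'<SingleSignOnService Binding="{HTTP_POST}" '
        f'Location="https://login.microsoftonline.com/{tenant}/saml2"/>'
        "</IDPSSODescriptor></EntityDescriptor>"
    )


if __name__ == "__main__":
    # Replace the host with the portal FQDN and pass a real downloaded file to inspect_idp_metadata.
    print(expected_sp_values("vpn.example.com"))
    print(inspect_idp_metadata(sample_metadata(["MIIC-placeholder-A"])))
    print(inspect_idp_metadata(sample_metadata(["MIIC-placeholder-A", "MIIC-placeholder-B"]))["warnings"])
```

To check a real download, read the file and pass its contents to inspect_idp_metadata; an empty warnings list means the metadata carries exactly one signing certificate and the redirect SSO endpoint the firewall uses.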
This concludes the configuration on Azure. Next, log in to the firewall and add the SAML identity provider.
Steps to configure SAML authentication for the GlobalProtect portal and gateway:
Follow the GlobalProtect portal/gateway configuration article first if the portal and gateway are not yet configured.
SAML configuration steps:
Step 1. Log in to the firewall and navigate to Device > Server Profiles > SAML Identity Provider > Import.
Step 2. Import the Federation Metadata XML downloaded from Azure in step 8.
Option: Validate Identity Provider Certificate. Keep this checked. With it unchecked the firewall does not verify that assertions were signed by the expected identity provider certificate, which is the weakness behind CVE-2020-2021 (SAML authentication bypass in PAN-OS). Validation requires the Azure signing certificate to be present on the firewall as well: download it from the SAML Signing Certificate section of the Azure app and import it under Device > Certificate Management > Certificates.
Step 3. Create an Authentication Profile (Device > Authentication Profile), set the Type to SAML, and select the IdP Server Profile created in step 2. If users authenticate but the firewall shows the wrong username, compare the Username Attribute in the profile with the claims Azure sends.
Step 4. On the Advanced tab, add the users or groups permitted to authenticate to the Allow List (for example, all). An empty Allow List denies every user.
Step 5. Add the authentication profile to the GlobalProtect portal configuration (Network > GlobalProtect > Portals > select the portal > Authentication).
Step 6. Add the authentication profile to the GlobalProtect gateway configuration (Network > GlobalProtect > Gateways > select the gateway > Authentication).
This concludes the configuration part.