How to configure G-Suite SAML authentication for Global Protect

Created On 06/04/20 20:16 PM - Last Modified 06/29/20 23:17 PM


Objective


This document provides a basic GlobalProtect configuration for SAML integration with G-Suite as the IdP.
Please pre-configure a Portal and Gateway using one of our logon modes.
For assistance with GlobalProtect configuration unrelated to the SAML configuration on the firewall and in the G-Suite console, please review the documents below:

Basic GlobalProtect Configuration with On-Demand

Basic GlobalProtect Configuration with Pre-logon

Basic GlobalProtect Configuration with User-logon



Environment


  • G-Suite SAML
  • PAN-OS Firewalls
  • Global Protect Authentication


Procedure


Note: Be aware that the SAML ACS URL, Entity ID, Portal FQDN/IP, and Portal Certificate SANs must all match to create a seamless experience for the user. If these do not match you may see certificate verification errors during the redirection. For more information please see this document: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POXlCAO


Step 1. Login to G-Suite Admin Console

Step 2. Navigate to Apps > SAML Apps


Step 3. In the SAML Apps console, select the yellow plus (+) symbol to "Enable SSO for a SAML Application"

Step 4. In the dialog window, select "Setup my own Custom App"

Step 5. Under option 2, select the "IDP metadata" download link.
  • Select "Next" after the metadata file has downloaded successfully


Step 6. Name the application; optionally, you can also upload a picture for your custom application here.
  • Select "Next" once ready


Step 7. Here we will configure the Service Provider details, such as the ACS URL and Entity ID; the service provider is the firewall.
  • We will get this information by generating a service provider metadata file on the firewall.
  • Leave this window open and blank for now; we will work on the firewall to get this information.


Step 7A. First we must import the IDP metadata from Step 5 to generate the SP metadata and continue with the application configuration.
  • On the firewall navigate to Device Tab > SAML identity provider

  • Select "Import" and browse to the IDP metadata file we downloaded in step 5.
  • After import, clear "Validate Identity Provider Certificate" and "Validate Metadata Signature" if they are selected.
(Note: When you have a self-signed certificate from the IDP, you won't be able to enable Validate Identity Provider Certificate. Please make sure that you are on PAN-OS 8.1.15, 9.0.9, 9.1.3 or later to mitigate exposure to https://security.paloaltonetworks.com/CVE-2020-2021.)
  • Select OK when finished.



Step 7B. Next, navigate to Device > Authentication Profile > Add a new profile.
Specify the below in the profile:
  • Authentication Tab > Type: SAML
  • Authentication Tab > IdP Server Profile: (the IdP server profile created in step 7A)
  • Advanced Tab > Allow List > Select Add > all
  • The rest of the config will be left as default; select OK once done.


Note: Perform a commit at this step once Authentication Profile is configured. 

Step 7C. After committing the config, navigate back to Device > Authentication Profile.

  • Under the authentication column you should see a "metadata" hyperlink, select it.


Step 7D. Selecting the hyperlink will open a dialogue window labelled "SAML Metadata Export". Please review the following fields:
  • Service drop-down: Select "Global-Protect"
  • IP or Hostname: Select the hostname or IP of the portals/gateways where this is planned to be used.
  • Select OK and the SP metadata file will automatically begin downloading to your workstation.


Step 7E. Open the SP metadata file and find your ACS URL and EntityID.

  • Now navigate back to the G-Suite console and enter the URLs into the configuration of the App. Select Next once finished.
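The two values pulled out of the SP metadata in Step 7E, and the match between them, the portal FQDN and the certificate SANs required by the note at the top of this article, can be checked mechanically. The script below is an added example, not part of this article or of PAN-OS; the metadata sample and the hostname vpn.example.com are constructed placeholders, not a real export.

```python
"""Extract Entity ID and ACS URL from a GlobalProtect SP metadata export and
check both against the portal FQDN and certificate SANs (see the note above).
The SP_METADATA sample is constructed for this example, not a real PAN-OS file."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the file downloaded in Step 7D.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com:443/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com:443/SAML20/SP/ACS" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_values(metadata_xml: str) -> dict:
    """Return the Entity ID and HTTP-POST ACS URL that G-Suite asks for in Step 7."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    acs = root.find(
        f"md:SPSSODescriptor/md:AssertionConsumerService[@Binding='{HTTP_POST}']", MD_NS)
    if entity_id is None or acs is None:
        raise ValueError("metadata lacks entityID or an HTTP-POST AssertionConsumerService")
    return {"entity_id": entity_id, "acs_url": acs.get("Location")}


def check_consistency(values: dict, portal_fqdn: str, cert_sans: list) -> list:
    """List mismatches between the SAML URLs, the portal FQDN and the certificate SANs.

    An empty list means the hostnames line up, so the IdP redirect lands on a
    portal whose certificate covers the ACS URL the client is sent to."""
    problems = []
    sans = {s.lower() for s in cert_sans}
    for name, url in values.items():
        host = urlparse(url).hostname
        if host != portal_fqdn.lower():
            problems.append(f"{name} host {host!r} != portal FQDN {portal_fqdn!r}")
        if host not in sans:
            problems.append(f"{name} host {host!r} not in certificate SANs")
    return problems


if __name__ == "__main__":
    vals = extract_sp_values(SP_METADATA)
    print(vals, check_consistency(vals, "vpn.example.com", ["vpn.example.com"]))
```

Run it against the real export by replacing SP_METADATA with the file contents and passing the portal FQDN and the SAN list from the portal certificate.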


Note: Other fields will be left as default for this document.

Step 8. For this setup we won't go into attribute mappings; please select Finish. Your application should now be complete and viewable in the G-Suite Console.


Step 9. Now that your application on the IDP is complete, we will use the previously created authentication profile for our GP logon method.

Specify the G-Suite authentication profile from Step 7B in your portal/gateway configuration:
  • For the Portal: Network > Portal > Select your Portal > Authentication > Client Authentication > Authentication Profile

  • For the Gateway: Network > Gateways > Select your gateway > Authentication > Client Authentication > Authentication Profile

  • Commit the changes made here; we should now be ready to test the setup.

Step 10. Let's Test the Setup
  • Start a connection to the portal from the client application

  • A redirection to your IDP will bring up your Google account's login page. Log on using your G-Suite credentials.
  • If the user is enrolled in 2FA, they will be prompted for 2FA auth after their password.

  • The user should be redirected back to the service provider and connected after successfully authenticating with G-Suite.