How to configure G-Suite SAML authentication for Global Protect
Created On 06/04/20 20:16 PM - Last Modified 06/29/20 23:17 PM
Objective
This document has been created to provide a basic GP configuration for SAML integration with G-Suite as the IDP.
Please pre-configure a Portal and Gateway using one of our logon modes.
For assistance with Global Protect configuration unrelated to the SAML configuration on the firewall and the G-Suite console, please review the documents below:
Basic GlobalProtect Configuration with On-Demand
Environment
- G-Suite SAML
- Pan-OS Firewalls
- Global Protect Authentication
Procedure
Note: Be aware that the SAML ACS URL, Entity ID, Portal FQDN/IP, and Portal Certificate SANs must all match to create a seamless experience for the user. If these do not match you may see certificate verification issues during the redirection. For more information please see this document: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POXlCAO
Step 1. Login to G-Suite Admin Console
Step 2. Navigate to Apps > SAML Apps
Step 3. In the SAML Apps console, select the yellow addition (+) symbol to "Enable SSO for a SAML Application".
Step 4. In the dialog window, select "Setup my own Custom App"
Step 5. Select the option 2 download link, "IDP metadata Download".
- Select "Next" after successfully downloading the metadata file
Step 6. Name the application; optionally, you can also upload a picture for your custom application here.
- Select "Next" once ready
Step 7. Here we will configure the Service Provider details, such as the ACS URL and Entity ID; the service provider is the firewall.
- We will get this information by generating a service provider metadata file on the firewall.
- Leave this window open and blank for now; we will work on the firewall to get this information.
Step 7A. First we must import the IDP metadata from Step 5 to generate the SP metadata and continue with the application configuration.
- On the firewall navigate to Device Tab > SAML identity provider
- Select "Import" and browse to import the IDP metadata file we downloaded in step 5.
- Unselect "Validate Identity Provider Certificate" and "Validate Metadata Signature" if they are selected after import.
(Note: When the IDP presents a self-signed certificate, you won't be able to enable Validate Identity Provider Certificate. Please make sure that you are on PAN-OS 8.1.15, 9.0.9, 9.1.3 or later to mitigate exposure to https://security.paloaltonetworks.com/CVE-2020-2021.)
- Select OK when finished.
Step 7B. Next, navigate to Device > Authentication Profile and add a new profile.
Specify the below in the profile:
- Authentication Tab > Type: SAML
- Authentication Tab > IdP Server Profile: (the IdP server profile imported in step 7A)
- Advanced Tab > Allow List > Select Add > all
- Leave the rest of the config at default; select OK once done.
Note: Perform a commit at this step once Authentication Profile is configured.
Step 7C. After committing the config, navigate back to Device > Authentication Profile.
- Under the authentication column you should see a "metadata" hyperlink, select it.
Step 7D. Selecting the hyperlink will open a dialog window labelled "SAML Metadata Export". Please review the following:
- Service drop down: Select "Global-Protect"
- IP or Hostname: Select the hostname or IP of the portals/gateways where this is planned to be used.
- Select OK and the SP Metadata file will begin automatically downloading to your workstation.
Step 7E. Open the SP metadata file and find your ACS URL and EntityID.
- Now navigate back to the G-Suite console and plug the URLs into the App configuration. Select Next once finished.
Note: Other fields will be left as default for this document.
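Because the ACS URL, Entity ID, portal FQDN and certificate SANs all have to agree (see the note at the top of the procedure), it is worth checking the exported SP metadata before pasting its values into the G-Suite app. The following is an added example, not code from the KB article or from Palo Alto Networks: it parses a constructed sample SP metadata document (hostname, URLs and SAN list are placeholders), pulls out the EntityID and the HTTP-POST ACS URL, and reports any mismatch against the portal FQDN and the certificate SAN list you expect to serve that portal.

```python
"""Extract EntityID/ACS URL from SP SAML metadata and check them against the portal.

Added example, not from the KB article. The metadata below is a constructed
sample shaped like a GlobalProtect SP export; all hostnames are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata namespace used by EntityDescriptor / SPSSODescriptor
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample, not a real export.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com:443/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com:443/SAML20/SP/ACS" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_details(metadata_xml: str) -> dict:
    """Return the entityID and the HTTP-POST ACS Location from SP metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID attribute")
    acs_url = None
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        # GlobalProtect receives the SAML response over HTTP-POST
        if acs.get("Binding", "").endswith("HTTP-POST"):
            acs_url = acs.get("Location")
            break
    if not acs_url:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    return {"entity_id": entity_id, "acs_url": acs_url}


def san_matches(fqdn: str, san: str) -> bool:
    """Exact SAN match, or a single-label wildcard such as *.example.com."""
    fqdn, san = fqdn.lower(), san.lower()
    if san.startswith("*."):
        return fqdn.count(".") == san.count(".") and fqdn.endswith(san[1:])
    return fqdn == san


def check_consistency(details: dict, portal_fqdn: str, cert_sans: list) -> list:
    """Return a list of mismatch messages; an empty list means everything lines up."""
    problems = []
    acs_host = urlparse(details["acs_url"]).hostname
    entity_host = urlparse(details["entity_id"]).hostname
    if acs_host != portal_fqdn.lower():
        problems.append(f"ACS host {acs_host} != portal FQDN {portal_fqdn}")
    # PAN-OS builds the EntityID from the same hostname; flag a drift
    if entity_host and entity_host != acs_host:
        problems.append(f"EntityID host {entity_host} != ACS host {acs_host}")
    if not any(san_matches(portal_fqdn, san) for san in cert_sans):
        problems.append(f"portal FQDN {portal_fqdn} not covered by certificate SANs {cert_sans}")
    return problems


if __name__ == "__main__":
    details = extract_sp_details(SAMPLE_SP_METADATA)
    print("EntityID:", details["entity_id"])
    print("ACS URL: ", details["acs_url"])
    # Placeholder portal FQDN and SAN list; substitute your own values.
    for problem in check_consistency(details, "vpn.example.com", ["vpn.example.com"]):
        print("MISMATCH:", problem)
```

To use it against a real export, read the downloaded file into `extract_sp_details` and pass the portal FQDN you configured in step 7D plus the SAN entries from the portal certificate; any line printed as MISMATCH points at a value that will cause certificate or redirect errors in step 9.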
Step 8. For this setup we won't go into attribute mappings; please select Finish. Your application should now be finished and viewable in the G-Suite Console.
Step 9. Now that your application on the IDP is complete, we will use the previously created authentication profile for our GP logon method.
Specify the G-Suite Auth Profile from Step 7B in your portal/gateway configuration:
- For the Portal: Network > Portal > Select your Portal > Authentication > Client Authentication > Authentication Profile
- For the Gateway: Network > Gateways > Select your gateway > Authentication > Client Authentication > Authentication Profile
- Commit the changes made here; we should be ready to test the setup.
- Start a connection to the portal from the client application
- A redirection to your IDP will bring up your Google account's login page. Log on using your G-Suite credentials.
- If the user is enrolled in 2FA, they will be prompted for 2FA auth after their password.
- The user should be redirected back to the service provider and connected after successfully authenticating with G-Suite.