GlobalProtect Clientless VPN SAML SSO with Okta

76579
Created On 09/26/18 19:10 PM - Last Modified 06/30/20 00:02 AM


Environment


PAN-OS 8.1 and above

Resolution


Author: Scott Chiang, last revised 6/23/2017

PAN-OS: version 8.0.x

Okta: Okta Platform Developer Edition


Background:

This document describes how to configure SAML single sign-on (SSO) to the GlobalProtect Clientless VPN with Okta as the identity provider.

Service Provider (SP) – Palo Alto Networks Firewall

Identity Provider (IdP) – Okta

Application – GlobalProtect Clientless VPN

 

 

Okta documentation for the GlobalProtect SAML configuration:

http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html

Lab values used in this document:

192.168.55.20 – GlobalProtect Portal and Clientless VPN address (the SP)

https://dev-824646.oktapreview.com – Okta tenant (the IdP)


Okta

 

Application configuration: (Admin > Applications > Add Application)

Search for the Palo Alto Networks - GlobalProtect application > Add

Base URL:

https://GlobalProtectPortalAddress/SAML20/SP/ACS

Replace GlobalProtectPortalAddress with the portal address users connect to (192.168.55.20 in this lab). /SAML20/SP/ACS is the firewall's Assertion Consumer Service endpoint, where Okta delivers the SAML Response.

Application configuration: (Admin > Applications > Palo Alto Networks - GlobalProtect > Sign On)

Download the Identity Provider metadata to the desktop; it is imported into the firewall's SAML Identity Provider server profile in the next section.


Palo Alto Networks Firewall

Server profile configuration: (Device tab > Server Profiles > SAML Identity Provider)

Import the Okta metadata downloaded above.

(Note: Okta signs SAML messages with a certificate that is self-signed by default. The firewall's Validate Identity Provider Certificate option requires the IdP signing certificate to be issued by a CA covered by a certificate profile, so it cannot be enabled with a self-signed IdP certificate. With that option disabled, make sure the firewall runs PAN-OS 8.1.15, 9.0.9, 9.1.3 or later to close CVE-2020-2021, a SAML authentication bypass caused by improper signature verification: https://security.paloaltonetworks.com/CVE-2020-2021)

Authentication profile configuration: (Device tab > Authentication Profile)

Create an authentication profile of type SAML that uses the SAML Identity Provider server profile created above.

GlobalProtect Portal configuration: (Network tab > GlobalProtect > Portals)

GlobalProtect Portal Authentication = SAML (the authentication profile created above)

GlobalProtect Clientless VPN configuration: (Network tab > GlobalProtect > Portals > Clientless VPN tab)

Enable Clientless VPN on the portal. Clientless VPN users log in through the portal page, so the SAML authentication profile above also protects the Clientless VPN login.

Test: go to the GlobalProtect Clientless VPN portal

https://192.168.55.20

The firewall redirects the browser to Okta with a SAML AuthnRequest (SP-initiated flow). After the user authenticates, Okta returns a signed SAML Response through the browser to the firewall's ACS URL (https://192.168.55.20/SAML20/SP/ACS); the firewall validates it and logs the user in to the Clientless VPN portal.

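To see what actually moves between browser, firewall and Okta in that redirect, the following Python script is an added example (not from the article and not Palo Alto Networks or Okta code). It encodes an AuthnRequest the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode), decodes it back from a captured Location header, and decodes a SAMLResponse form value from the HTTP-POST binding, checking Destination, Recipient, Audience, expiry and the presence of a signature element. It does not verify the XML signature; that is the firewall's job and the subject of the CVE-2020-2021 note above. The Okta SSO URL, the exk... app id, the SP entity ID, the fixed clock and the Response XML are constructed placeholders; the portal address and tenant host come from the article.

```python
# Added example (not from the article, Palo Alto Networks or Okta): encode/decode
# the two SAML messages of the SP-initiated flow above. Field inspection only;
# the XML signature is NOT verified here, that is the firewall's job.
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PORTAL = "https://192.168.55.20"                       # from the article
ACS_URL = PORTAL + "/SAML20/SP/ACS"                    # firewall ACS (Okta "Base URL")
OKTA_SSO_URL = ("https://dev-824646.oktapreview.com/app/paloaltonetworks_globalprotect/"
                "exk0000000000000000/sso/saml")        # constructed; exk... is a placeholder app id
IDP_ENTITY_ID = "http://www.okta.com/exk0000000000000000"     # constructed
NOW = datetime(2017, 7, 7, 18, 13, 30, tzinfo=timezone.utc)  # fixed clock for the samples

# Constructed AuthnRequest in the shape the firewall sends; SP entity ID assumed = ACS URL.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
    'IssueInstant="2017-07-07T18:13:00Z" Destination="%s" AssertionConsumerServiceURL="%s" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
) % (NS["samlp"], NS["saml"], OKTA_SSO_URL, ACS_URL, ACS_URL)


def build_redirect_url(authn_request_xml, sso_url):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)    # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_saml_request(redirect_url):
    """Reverse of build_redirect_url, for a 302 Location captured in the browser."""
    query = parse_qs(urlparse(redirect_url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def _ts(value):
    """SAML xs:dateTime, with or without fractional seconds, to an aware datetime."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def sample_response_xml(not_on_or_after, destination=ACS_URL, audience=ACS_URL, signed=True):
    """Constructed Response in Okta's shape; the ds:Signature is a placeholder element."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER'
           '</ds:SignatureValue></ds:Signature>' % NS["ds"]) if signed else ""
    return (
        '<samlp:Response xmlns:samlp="%(p)s" xmlns:saml="%(a)s" ID="_resp1" Version="2.0" '
        'IssueInstant="2017-07-07T18:13:10Z" Destination="%(dest)s" InResponseTo="_req1">'
        '<saml:Issuer>%(idp)s</saml:Issuer><samlp:Status>'
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-07-07T18:13:10Z">'
        '<saml:Issuer>%(idp)s</saml:Issuer>%(sig)s<saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com'
        '</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData NotOnOrAfter="%(noa)s" Recipient="%(dest)s" InResponseTo="_req1"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        '<saml:Conditions NotBefore="2017-07-07T18:08:10Z" NotOnOrAfter="%(noa)s">'
        '<saml:AudienceRestriction><saml:Audience>%(aud)s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion></samlp:Response>'
    ) % {"p": NS["samlp"], "a": NS["saml"], "dest": destination, "idp": IDP_ENTITY_ID,
         "sig": sig, "noa": not_on_or_after, "aud": audience}


def encode_post_response(response_xml):
    """HTTP-POST binding: the SAMLResponse form field is plain base64, no deflate."""
    return base64.b64encode(response_xml.encode()).decode()


def inspect_saml_response(saml_response_b64, expected_acs, expected_audience, now):
    """Decode a SAMLResponse form value and list structural problems (empty = clean).
    Signature verification needs XML-DSig and is deliberately not attempted here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination %r != ACS %r" % (root.get("Destination"), expected_acs))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (missing or EncryptedAssertion)")
        return {"name_id": None, "issuer": root.findtext("saml:Issuer", None, NS), "problems": problems}
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on Response or Assertion")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, expected_acs):
        problems.append("Recipient %r != ACS" % scd.get("Recipient"))
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired at %s" % cond.get("NotOnOrAfter"))
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            problems.append("Audience %r does not include %r" % (audiences, expected_audience))
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", None, NS),
            "issuer": assertion.findtext("saml:Issuer", None, NS), "problems": problems}
```

When troubleshooting a real login, paste the Location header of the 302 from the portal into decode_saml_request to confirm the AssertionConsumerServiceURL matches the Base URL configured in Okta, and paste the SAMLResponse form value from the browser's developer tools into inspect_saml_response; a Destination or Audience mismatch is the usual reason the firewall rejects an otherwise valid Okta response.
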
System logs: (Monitor tab > System)

The SAML authentication for the login is recorded here; check this log first if the redirect to Okta succeeds but the portal does not log the user in.

How to publish the GlobalProtect Clientless VPN app in the users' Okta portal with SSO

GlobalProtect does not support the IdP-initiated SAML flow (starting at Okta and sending an unsolicited SAML Response to the firewall). As a workaround, use the Okta Bookmark App: the bookmark opens the portal URL, the portal starts the SP-initiated flow shown above, and because the user already has an Okta session the redirect to Okta completes without another login prompt.

Application configuration: (Admin > Applications > Add Application)

Search for the Bookmark App > Add

URL: https://GlobalProtectPortalAddress/global-protect/portal/portal.esp

Application configuration: (Admin > Applications > Palo Alto Networks - GlobalProtect > General)

Hide the Palo Alto Networks - GlobalProtect SAML application from users, so that only the Bookmark tile is shown in their Okta portal; the SAML application still performs the authentication behind the scenes.

Log in to the Okta end-user portal (https://mycompany.okta.com) and click the GlobalProtect bookmark; the Clientless VPN portal opens without a second login prompt.


