How to setup OneLogin SAML authentication for GlobalProtect
Objective
- To provide a basic GP configuration for SAML integration with OneLogin as the IDP.
- Configure GP Portal and Gateway using one of the logon modes (On-Demand, Pre-logon, or User-logon).
- Then follow the steps below for SAML configuration on the firewall and OneLogin dashboard.
Environment
- Palo Alto Firewalls
- Supported PAN-OS versions
- OneLogin
- GlobalProtect with SAML authentication
Procedure
1. Log in to the OneLogin Dashboard.
2. Navigate to Applications and click Add Apps. Search for SAML and select SAML Test Connector (IdP).
3. When prompted, change the Display Name of the app and click Save.
4. Go to the SSO tab and copy the IdP metadata values for Issuer URL, SAML 2.0 Endpoint (HTTP), and SLO Endpoint (HTTP), or click SAML Metadata under More Actions to download the SAML IdP metadata XML.
5. On the firewall web interface, go to Device > Server Profiles > SAML Identity Provider and click Import.
6. Import the SAML IdP metadata XML downloaded in Step 4. Uncheck "Validate Identity Provider Certificate" and "Validate Metadata Signature" if they are selected after import, then click OK.
7. Next, go to Device > Authentication Profile and click Add to create a new profile. Specify the following:
- Authentication Tab > Type: SAML
- Username Attribute > username
- Authentication Tab > IdP Server Profile > the server profile created in Step 6
- Advanced Tab > Allow List > Select Add > All
- Select OK once done.
8. Commit the changes on the firewall.
9. Click the Metadata hyperlink under the Authentication column of the new profile and set the following:
- Service drop-down > Select "global-protect"
- IP or Hostname > Select the hostname or IP address of the portal/gateway where this profile will be used
- Select OK and the SP Metadata file will begin automatically downloading to your workstation.
10. Open the downloaded XML file and copy the EntityID and ACS URL.
11. Navigate back to the OneLogin dashboard > Applications > SAML Test Connector (IdP) > Configuration. Complete the settings as follows:
- Audience (EntityID) > The Entity ID you copied in the Step 10.
- ACS (Consumer) URL > The ACS URL you copied in the Step 10.
- ACS (Consumer) URL Validator > Provide a valid regular expression. For example:
- [-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)
- Click Save.
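Steps 4, 10 and 11 have you read values out of metadata XML by hand and then supply a regular expression that the IdP applies to the ACS URL. The following Python script is an added example, not part of this article or of any Palo Alto Networks or OneLogin software: it parses both the IdP metadata (Issuer URL, SSO and SLO endpoints, signing certificate) and the SP metadata (EntityID, ACS URL), and then checks the ACS URL against the article's example validator regex as well as against a stricter, anchored validator built from the SP's own ACS URL. The two metadata documents, hostnames, endpoint IDs and certificate blob are constructed placeholders, and the assumption that the validator is applied with search (unanchored) semantics is mine.

```python
# Added example: parse SAML IdP / SP metadata and evaluate an ACS URL Validator.
# Sample metadata, hostnames, IDs and the certificate blob are constructed.
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# The example validator quoted in the article (Step 11).
LOOSE_ACS_VALIDATOR = r"[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)"

# Constructed IdP metadata in the shape OneLogin's SAML Metadata download takes.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata/0000">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/trust/saml2/http-redirect/slo/0000"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/trust/saml2/http-redirect/sso/0000"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/trust/saml2/http-post/sso/0000"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata in the shape the firewall's Metadata export takes (Step 9/10).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://gp.example.com:443/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gp.example.com:443/SAML20/SP/ACS" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoint(descriptor, element, binding):
    """Location of the first <element> in the descriptor that uses the given Binding, or None."""
    for node in descriptor.findall(f"{{{MD}}}{element}"):
        if node.get("Binding") == binding:
            return node.get("Location")
    return None


def parse_saml_metadata(xml_text):
    """Extract the values the article has you copy by hand from IdP or SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    info = {"entity_id": root.get("entityID")}  # Issuer URL (IdP) or EntityID (SP)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if idp is not None:
        info["role"] = "idp"
        info["sso_url"] = _endpoint(idp, "SingleSignOnService", HTTP_REDIRECT)
        info["slo_url"] = _endpoint(idp, "SingleLogoutService", HTTP_REDIRECT)
        cert = idp.find(f".//{{{DS}}}X509Certificate")
        # The firewall verifies assertion signatures against this certificate.
        info["signing_cert_present"] = cert is not None and bool((cert.text or "").strip())
    elif sp is not None:
        info["role"] = "sp"
        info["acs_url"] = _endpoint(sp, "AssertionConsumerService", HTTP_POST)
        info["wants_signed_assertions"] = sp.get("WantAssertionsSigned") == "true"
    else:
        raise ValueError("EntityDescriptor has neither IDPSSODescriptor nor SPSSODescriptor")
    return info


def acs_url_matches(url, pattern):
    """True if the validator regex matches the URL (assumed unanchored search semantics)."""
    return re.search(pattern, url) is not None


def strict_acs_validator(acs_url):
    """Anchored validator that accepts exactly the SP's ACS URL and nothing else."""
    return "^" + re.escape(acs_url) + "$"


if __name__ == "__main__":
    idp_info = parse_saml_metadata(IDP_METADATA)
    sp_info = parse_saml_metadata(SP_METADATA)
    print("IdP:", idp_info)
    print("SP: ", sp_info)
    strict = strict_acs_validator(sp_info["acs_url"])
    for candidate in (sp_info["acs_url"], "https://other.example.net/SAML20/SP/ACS"):
        print(candidate, "loose:", acs_url_matches(candidate, LOOSE_ACS_VALIDATOR),
              "strict:", acs_url_matches(candidate, strict))
```

Running the script shows that the article's example validator also accepts an ACS URL on a different host, because it only requires something that looks like a domain name followed by a path. The ACS URL Validator is what stops the IdP from posting an assertion to an ACS URL other than the firewall's, so a validator anchored to the exact ACS URL copied in Step 10, as `strict_acs_validator` builds, is the setting to prefer once the portal and gateway hostnames are fixed.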
12. The OneLogin SAML authentication profile is now ready for use.
- Go to the firewall web interface and specify the authentication profile created in Step 7 (OneLogin_GP_Auth in this example) in your Portal/Gateway configuration.
- For the Portal: Go to Network tab > Portal > Select Portal > Authentication > Client Authentication > Authentication Profile
- For the Gateway: Go to Network tab > Gateways > Select Gateway > Authentication > Client Authentication > Authentication Profile
- Commit the changes.
13. Launch the GlobalProtect application and click Connect.
Additional Information
Please refer to the following article for configuring the GlobalProtect Portal and Gateway.
Basic GlobalProtect Configuration with On-Demand