How to add DUO SAML authentication to GlobalProtect

Created On 09/28/22 18:50 PM - Last Modified 05/08/24 20:26 PM


Objective


Configure DUO SAML authentication for GlobalProtect.

Environment


  • Palo Alto firewall
  • Active Directory Domain Controller on prem
  • GlobalProtect already configured to connect to an external gateway. It uses an LDAP authentication profile.
  • A service account exists in AD with read permissions


Procedure


1. Create an admin account in DUO:
  • go to https://duo.com
  • click Free Trial
  • fill in the required details
  • enable Duo Push with the Duo Mobile app, following the on-screen instructions

2. To use SAML we need to configure Single Sign-On and an Authentication Source first.
  • on your AD DC open the Duo Admin Panel and click Single Sign-On
  • agree to the T&C, click Activate and Start Setup
  • it's not possible to customize the SSO subdomain in the free trial
  • on the Add Authentication Source page choose Active Directory
  • install the Authentication Proxy - it is an application which links your DUO account and on-prem Active Directory. Later, when you log in to GP, it will check that there is a valid user in AD
  • click Add Authentication Proxy, download the installer and install it
  • find and open authproxy.cfg (C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg) or open Duo Authentication Proxy Manager
  • add the service account credentials to authproxy.cfg: in DUO click your newly created Authentication Proxy
  • click Copy next to point 1.2 in the Duo portal and paste the content into authproxy.cfg, uncomment the lines with the service account username and password and enter the credentials, for example:
[sso]
rikey=...
service_account_username=...
service_account_password=...
  • in the [ad_client] section of authproxy.cfg, uncomment and add your AD DC IP address, service account credentials and search_dn, for example:
[ad_client]
host=10.193.182.20
service_account_username=...
service_account_password=...
search_dn=DC=pantac-182-20,DC=local

  • click Validate, and in case of any errors correct the configuration
  • back in the DUO portal, connect the Authentication Proxy to Duo: click Generate Command, open a command line on the AD DC with elevated privileges, paste the command and execute it
  • click Run test under "3. Verify the proxy is connected", it should say Connected to Duo
  • click Return to Configuration to return to the "Active Directory Configuration" page
  • configure Active Directory as shown in the screenshot
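The two authproxy.cfg sections above are the usual source of a failed Validate: a line left commented out, or a value left as the template's "...". The following is an added example (not from the article or from Duo) of a pre-flight check that reads the file with Python's stdlib INI parser and reports exactly that. The sample configuration is constructed inline; the rikey and credentials in it are placeholders, and the only values taken from the article are the host and search_dn.

```python
import configparser

# Constructed sample of the two authproxy.cfg sections the procedure edits.
# The rikey and credentials are placeholders, not real Duo values; one line is
# left commented out and one value left as "..." to show what the check catches.
SAMPLE_CFG = """
[sso]
rikey=DIXXXXXXXXXXXXXXXXXX
service_account_username=duo-svc
service_account_password=...

[ad_client]
host=10.193.182.20
; service_account_username=duo-svc
service_account_password=Pa%ss-Example
search_dn=DC=pantac-182-20,DC=local
"""

# The same sample with both mistakes corrected.
FIXED_CFG = SAMPLE_CFG.replace(
    "service_account_password=...", "service_account_password=Pa%ss-Example"
).replace("; service_account_username", "service_account_username")

# Keys that must be present and uncommented for the SSO / AD client setup above.
REQUIRED = {
    "sso": ("rikey", "service_account_username", "service_account_password"),
    "ad_client": ("host", "service_account_username",
                  "service_account_password", "search_dn"),
}


def load_authproxy_cfg(text):
    # authproxy.cfg is INI-style; ';' and '#' full-line comments are skipped.
    # interpolation=None keeps a '%' in a password from being read as a format
    # directive, which would otherwise raise an error.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def find_problems(text):
    """Return a list of human-readable problems; empty means the sections look complete."""
    cp = load_authproxy_cfg(text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            # A line left commented out (";key=...") is simply absent to configparser.
            if not cp.has_option(section, key):
                problems.append(f"[{section}] {key} is missing or still commented out")
                continue
            value = cp.get(section, key).strip()
            if not value or value == "...":
                problems.append(f"[{section}] {key} still has a placeholder value")
            elif key == "search_dn" and "dc=" not in value.lower():
                problems.append(f"[{section}] search_dn does not look like a base DN")
    return problems


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CFG), ("fixed", FIXED_CFG)):
        print(f"{name}: {find_problems(cfg) or 'OK'}")
```

Run it against the real file with `find_problems(open(path).read())` before clicking Validate; keep the output off shared logs, since it names the keys (though not the values) of a file that holds the service account password.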

3. Get and configure a domain.
  • before the next step we need to get our own domain. Usually in corporate environments there is already a domain owned by the company. The idea is that users can log in only using a corporate email address. Since this is a lab set-up we don't have a corporate domain, but we can get one for free. Later we will add email attributes in AD using our new domain
  • visit https://www.freenom.com
  • enter the chosen domain name and click Check availability
  • there should be a free domain listed
  • if you click Get it now, it says not available. You must add the TLD in the search box, so in our example is-there-any-free-domain.tk, search again and it should now be offered
  • finish the process, along with registration if you don't have an account
  • in Freenom go to Services > My Domain, click Manage Domain > Manage Freenom DNS
  • in the DUO portal move to step 3 Permitted Email Domains
  • add your domain name in 3.1
  • copy the DNS record from 3.2 and go to the Freenom portal
  • create a TXT record and paste the copied value into the Target field
  • wait a few minutes and click Verify
  • the status should be verified
  • move to point 4. Test Active Directory Configuration and click Run tests, you should see a success message
4. Create the Palo Alto GlobalProtect Application in Duo
  • in the DUO portal go to Applications, click Protect an Application, select Palo Alto GlobalProtect with protection type 2FA with SSO hosted by Duo, click Protect
  • download the IdP metadata by clicking Download XML
  • in Domain name type the IP/FQDN of your GP portal/gateway
  • select Show new Universal Prompt
  • leave the default policy settings
  • enter a name for your protected application
  • save
5. Configure DUO in the Palo Alto firewall
  • Device > Server profile > SAML IdP, click Import
  • enter a profile name
  • click Browse and select the IdP metadata XML file you downloaded in the previous step
  • uncheck Validate Identity Provider Certificate
  • leave the other options as default and click OK
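The import above turns off chain validation of the IdP certificate, so the certificate that ends up in the server profile is trusted exactly as it appears in the downloaded XML. It is therefore worth looking inside that file before importing it: the entityID, the SSO endpoints and the fingerprint of the signing certificate are what you compare, out of band, against what Duo shows for the application (for example the separate certificate download next to the metadata). The following is an added example (not the article's or Duo's code) that parses SAML 2.0 IdP metadata with the standard library; the metadata document is constructed inline, and its entityID, URLs and certificate bytes are placeholders rather than real Duo values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the certificate Duo embeds in its metadata; a real
# file carries a base64 DER X.509 certificate here.
FAKE_CERT_DER = b"constructed-stand-in-for-a-DER-encoded-certificate"

# Constructed IdP metadata with the shape a SAML 2.0 IdP publishes. The
# entityID and URLs are placeholders, not real Duo values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso-EXAMPLE.sso.duosecurity.com/saml2/sp/EXAMPLEID/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso-EXAMPLE.sso.duosecurity.com/saml2/sp/EXAMPLEID/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso-EXAMPLE.sso.duosecurity.com/saml2/sp/EXAMPLEID/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(FAKE_CERT_DER).decode())


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, colon-separated as most GUIs show it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")

    # Map each SSO binding (short name) to its endpoint URL.
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        sso[binding] = svc.get("Location")

    # Collect signing certificates; a KeyDescriptor without 'use' covers both uses.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                # The base64 is usually wrapped over several lines; strip all whitespace.
                certs.append(base64.b64decode("".join(node.text.split())))

    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "signing_cert_fingerprints": [cert_fingerprint(c) for c in certs],
    }


def check_idp_metadata(meta):
    """Sanity checks worth running before importing the file into the firewall."""
    warnings = []
    if not meta["signing_cert_fingerprints"]:
        warnings.append("no signing certificate: assertion signatures cannot be verified")
    if "HTTP-Redirect" not in meta["sso"] and "HTTP-POST" not in meta["sso"]:
        warnings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, url in meta["sso"].items():
        if not (url or "").startswith("https://"):
            warnings.append(f"{binding} endpoint is not https: {url}")
    return warnings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"])
    print(meta["sso"])
    print(meta["signing_cert_fingerprints"])
    print(check_idp_metadata(meta) or "metadata looks sane")
```

For the real download, call `parse_idp_metadata(open("metadata.xml").read())`; a metadata file that carries more than one signing certificate (Duo rotating keys, for instance) yields one fingerprint per certificate, and all of them should match what the IdP publishes.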


6. Add an Authentication Profile
  • Device > Authentication Profile, click Add
  • enter a name, in Type choose SAML, choose the newly created IdP Server Profile
  • Certificate for Signing Requests - None
  • in the Username Attribute field type User.Username
  • in the Advanced tab select all in the Allow List

7. Configure the GlobalProtect portal with SSO
  • Network > GlobalProtect > Portals, select your portal, select the Authentication tab
  • select the client authentication configuration you'd like to configure with SSO
  • in Authentication Profile select the DUO profile you created earlier, click OK
  • select the Agent tab, choose your config, on the Authentication tab click the drop-down next to Save User Credentials and select Yes
  • select Generate cookie for authentication override and Accept cookie for authentication override
  • choose the cookie lifetime and the certificate to encrypt/decrypt the cookie, click OK twice
8. Configure the GlobalProtect gateway with SSO
  • Network > GlobalProtect > Gateways, select your gateway, select the Authentication tab
  • select the client authentication configuration you'd like to configure with SSO
  • in Authentication Profile select the DUO profile you created earlier, click OK
  • click the Agent tab > Client Settings, select your client settings, click the Authentication Override tab
  • select Generate cookie for authentication override and Accept cookie for authentication override
  • choose the cookie lifetime and the same certificate to encrypt/decrypt the cookie, click OK twice
  • commit the changes
9. Add the email attribute for users in your AD; the email needs to be in the domain which you verified in DUO, in my example palolab.tk
  • go to your AD in Windows Server
  • open Server Manager, click Tools > Active Directory Users and Computers
  • in the new window click View and make sure Advanced Features is selected
  • select the user to edit, choose Properties
  • select the Attribute Editor tab, locate the mail attribute and edit it; it should be <username>@<domain>, for example for sAMAccountName user1 the mail should be user1@palolab.tk, click OK
  • repeat this for all users who will be using GP with DUO
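Editing the mail attribute by hand per user is fine for a lab, but a user whose mail is empty, sits in a domain that was never verified in Duo, or does not match the sAMAccountName will simply fail at the Duo login page with nothing obvious in the firewall logs. The following is an added example (not the article's own procedure) of auditing that before step 10. The users are constructed inline; in a real environment you would pull sAMAccountName and mail from AD (for instance with Get-ADUser -Properties mail) and feed the rows to the same function.

```python
# Constructed sample of what you would pull from AD (sAMAccountName and mail);
# the names and addresses are made up. palolab.tk is the domain verified in Duo
# in this article's example.
VERIFIED_DOMAINS = ["palolab.tk"]

SAMPLE_USERS = [
    {"sAMAccountName": "user1", "mail": "user1@palolab.tk"},
    {"sAMAccountName": "user2", "mail": ""},
    {"sAMAccountName": "user3", "mail": "user3@corp.example"},
    {"sAMAccountName": "user4", "mail": "User4@PaloLab.tk"},
    {"sAMAccountName": "user5", "mail": "alias@palolab.tk"},
]


def expected_mail(sam_account_name, domain):
    """The value step 9 asks for: <username>@<domain>."""
    return f"{sam_account_name}@{domain}"


def audit_mail_attributes(users, verified_domains):
    """Return {sAMAccountName: problem} for users whose mail attribute will not
    work with Duo SSO; users with no entry are fine. Addresses are compared
    case-insensitively, as mail systems treat the domain part."""
    verified = {d.lower() for d in verified_domains}
    problems = {}
    for user in users:
        sam = user["sAMAccountName"]
        mail = (user.get("mail") or "").strip()
        if not mail or "@" not in mail:
            problems[sam] = "mail attribute is empty or not an address"
            continue
        local, _, domain = mail.rpartition("@")
        if domain.lower() not in verified:
            problems[sam] = f"domain {domain} is not verified in Duo"
        elif local.lower() != sam.lower():
            problems[sam] = f"mail is {mail}, expected {expected_mail(sam, domain)}"
    return problems


def proposed_fixes(users, verified_domains):
    """Map each flagged user to the mail value to set, using the first verified domain."""
    domain = verified_domains[0]
    return {sam: expected_mail(sam, domain)
            for sam in audit_mail_attributes(users, verified_domains)}


if __name__ == "__main__":
    for sam, problem in audit_mail_attributes(SAMPLE_USERS, VERIFIED_DOMAINS).items():
        print(f"{sam}: {problem}")
    print(proposed_fixes(SAMPLE_USERS, VERIFIED_DOMAINS))
```

The proposed values are what you would then enter in Attribute Editor (or set with Set-ADUser -EmailAddress); the function only reports, it does not write to AD.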
10. Add users in Duo
  • in the DUO portal go to Users, click Add User, enter the username, full name and email address in the same format as in AD, for example user1@palolab.tk
  • set status to Active, save changes
11. Test your settings by connecting with GP; you will be enrolled in DUO after the first login
  • select your portal and click Connect, you will be redirected to Duo
  • type your email and password
  • click Next
  • skip Duo Device Health
  • select Duo Mobile
  • enter your phone number, click Add, click Yes, it's correct
  • click Send me a passcode, enter the passcode from your mobile phone, click Verify
  • open the DUO Mobile app on your mobile phone (download it from the store if you didn't do it earlier)
  • tap Add and use QR code, scan the QR code on screen, enter the account name
  • you should see a confirmation message
  • click Continue and Log in with Duo
  • choose Duo Push when logging in
  • accept in the DUO Mobile app