GlobalProtect Clientless VPN SAML SSO with Okta - Knowledge Base - Palo Alto Networks

GlobalProtect Clientless VPN SAML SSO with Okta

90193

Created On 09/26/18 19:10 PM - Last Modified 06/30/20 00:02 AM

SAML

8.1

9.0

9.1

GlobalProtect

Environment

PAN-OS 8.1 and above

Resolution

Author: Scott Chiang, last revised 6/23/2017

PAN-OS: version 8.0.x

Okta: Okta Platform Developer Edition

Background:

The goal of this document is to configure SAML SSO with Okta to GlobalProtect Clientless VPN

Service Provider (SP) – Palo Alto Networks Firewall

Identity Provider (IdP) – Okta

Application – GlobalProtect Clientless VPN

Okta Documentation for SAML configuration for GlobalProtect

http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html

192.168.55.20 – GlobalProtect Portal and Clientless VPN Hostname

Okta - https://dev-824646.oktapreview.com

Okta

Applications configurations: (Admin > Applications > Add Application )

Search for the Palo Alto Networks GlobalProtect Application > Add

Base URL:

https://GlobalProtectPortalAddress/SAML20/SP/ACS

large (1).png

Applications configurations: (Admin > Applications > Palo Alto Networks - GlobalProtect > Sign On)

Download metadata to desktop

large (2).png

Palo Alto Networks Firewall

Server configurations: (Device tab > Server Profiles > SAML Identity Provider )

Import Okta metadata

(Note: When you have self signed Certificate from IDP, you won't be able to enable Validate Identity Provider Certificate. Please make sure that you are on PAN-OS 8.1.15, 9.0.9, 9.1.3 or later to mitigate exposure to https://security.paloaltonetworks.com/CVE-2020-2021).