Introduction
This document explains how to configure PureAUTH authentication for PaloAlto GlobalProtect VPN with LDAP.
Prerequisites
Before starting the configuration steps, make sure you have already configured your GlobalProtect Portals and Gateways.
STEP 1: Configure LDAP Server Profile
To add an LDAP Server Profile, follow these steps:
- Go to Device > Server Profiles > LDAP
- Click on Add
- In the pop-up that appears, fill in the LDAP server details and credentials, then click OK.
STEP 2: Configure SAML Identity Provider Server Profile for PureAUTH
Before configuring the SAML Identity Provider, make sure you have onboarded your Organization and Users on PureAUTH.
Follow these steps to configure the SAML Identity Provider:
- Log in to PureAUTH.
- Add a new PaloAlto GlobalProtect SAML application.
- Enter Application Name.
- Dataset for email: Select the appropriate User dataset attribute.
- Domain: Enter your GlobalProtect Portal or Gateway domain name or IP address (for example, 1.1.1.1 or vpn.acme.com).
- Click on Add.
- Download the X509 Certificate.
- In PaloAlto portal, go to Device > Certificate Management > Certificates
- Click on Import.
- Enter a Certificate Name and select the certificate file you just downloaded from the PureAUTH portal.
After successfully importing the certificate:
- Go to Device > Server Profiles > SAML Identity Provider and Click on Add.
- Profile Name: Enter a profile name.
- Identity Provider ID: Paste the Issuer URL from the PureAUTH portal.
- Identity Provider Certificate: Select the certificate you just imported.
- Identity Provider SSO URL: Paste the Login URL from the PureAUTH portal.
- SAML HTTP Binding for SSO Requests to IDP: Select POST
- SAML HTTP Binding for SLO Requests to IDP: Select POST
- Uncheck both the Validate Identity Provider Certificate and Sign SAML Message to IDP checkboxes.
- Click on OK.
STEP 3: Configure User Identification
- Go to Device > User Identification > Group Mapping Settings and click Add.
- Enter a Name for the Group Mapping.
- Under the Server Profile tab, select the LDAP Server Profile created in Step 1.
- Go to the Group Include List tab.
- Include the LDAP groups you want to allow, then click OK.
STEP 4: Configure Authentication Profiles
Follow these steps:
- Go to Device > Authentication Profile, and Click Add.
- Name: Enter a name for the Authentication Profile.
- Authentication > Type: Select SAML.
- Authentication > IdP Server Profile: Select the SAML Identity Provider Server Profile created in Step 2.
- Authentication > Username attribute: The LDAP attribute name against which the user value (the NameID from the IdP's SAML Response) is matched on your LDAP server.
- Now go to the Advanced tab.
- In the Allow List, add the group you included in the Group Mapping in Step 3, then click OK.
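As an added illustration (not PureAUTH or Palo Alto code), the script below simulates what the Authentication Profile does with a SAML Response: it reads the Issuer and NameID, checks the Issuer against the configured Identity Provider ID, looks the NameID up under the configured Username attribute in a constructed stand-in for the LDAP directory, and finally checks the user's groups against the Allow List. The IdP URL, the directory entries and the SAML Response are all constructed placeholders; the script does not verify the XML signature, it only shows why the Username attribute has to match the form of the NameID that PureAUTH emits (the Dataset for email chosen in Step 2).

```python
"""Simulate the NameID -> LDAP attribute -> Allow List mapping of Step 4."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholders standing in for the values the guide has you paste
# into the SAML Identity Provider Server Profile and Authentication Profile.
CONFIGURED_IDP_ID = "https://idp.example.test/saml/issuer"  # Identity Provider ID
USERNAME_ATTRIBUTE = "mail"   # Authentication Profile > Username attribute
ALLOW_LIST = {"vpn-users"}    # Authentication Profile > Advanced > Allow List

# Constructed stand-in for the directory reached through the LDAP Server
# Profile; each entry carries the attributes the Group Mapping reads.
LDAP_DIRECTORY = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@acme.com", "memberOf": ["vpn-users"]},
    {"sAMAccountName": "asmith", "mail": "asmith@acme.com", "memberOf": ["staff"]},
]

# Constructed, unsigned SAML Response; only Issuer and NameID are used here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml/issuer</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/saml/issuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@acme.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_response(xml_text):
    """Return (issuer, name_id) from a SAML Response document."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    if issuer is None or name_id is None:
        raise ValueError("SAML Response lacks Issuer or NameID")
    return issuer.strip(), name_id.strip()


def lookup_user(name_id, username_attribute, directory=LDAP_DIRECTORY):
    """Find the single LDAP entry whose <username_attribute> equals the NameID."""
    matches = [e for e in directory
               if e.get(username_attribute, "").lower() == name_id.lower()]
    if len(matches) != 1:
        return None  # no match, or an ambiguous match: treat as unknown user
    return matches[0]


def authorize(xml_text, configured_idp_id=CONFIGURED_IDP_ID,
              username_attribute=USERNAME_ATTRIBUTE, allow_list=ALLOW_LIST):
    """Return (allowed, reason) for a SAML Response against the configured profile."""
    issuer, name_id = parse_saml_response(xml_text)
    if issuer != configured_idp_id:
        return False, "issuer %r does not match the configured Identity Provider ID" % issuer
    entry = lookup_user(name_id, username_attribute)
    if entry is None:
        return False, "no LDAP entry with %s=%r" % (username_attribute, name_id)
    allowed_groups = set(entry.get("memberOf", [])) & allow_list
    if not allowed_groups:
        return False, "user %r is not in any Allow List group" % entry["sAMAccountName"]
    return True, "user %r allowed via %s" % (entry["sAMAccountName"], sorted(allowed_groups))


if __name__ == "__main__":
    print(authorize(SAMPLE_RESPONSE))
    # Same response, but Username attribute set to sAMAccountName: no match,
    # because the NameID is an e-mail address rather than a login name.
    print(authorize(SAMPLE_RESPONSE, username_attribute="sAMAccountName"))
```

Running the script shows the three ways a login can fail at this stage: an Issuer that differs from the Identity Provider ID, a NameID that does not exist under the chosen Username attribute (for instance an e-mail NameID checked against sAMAccountName), and a matched user who is in none of the Allow List groups.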
STEP 5: Configure GlobalProtect Gateways and Portals with Authentication Profiles
Configure Portal:
- Go to Network > GlobalProtect > Portal and click the name of the Portal to which you want to assign the SAML authentication profile.
- Go to the Authentication tab; under Client Authentication, click Add and select the appropriate Authentication Profile.
- Now go to the Agent tab and open the Agent configuration.
In the Authentication tab:
- Set Save User Credentials to Save Username Only.
- Under Authentication Override, check Generate cookie for authentication override and Accept cookie for authentication override.
- Select a certificate for Certificate to Encrypt/Decrypt Cookie.
Configure Gateway:
- Go to Network > GlobalProtect > Gateway and click the name of the Gateway to which you want to assign the SAML authentication profile.
- Go to the Authentication tab; under Client Authentication, click Add and select the appropriate Authentication Profile.
- Now go to Agent > Client Settings and select a client settings profile.
In the Authentication override tab:
- Check Generate cookie for authentication override and Accept cookie for authentication override.
- Select a certificate for Certificate to Encrypt/Decrypt Cookie.
- Click OK.
- After making these changes, Commit the configuration.