
PaloAlto GlobalProtect VPN SAML

Introduction

This document explains how to configure PureAUTH SAML authentication for PaloAlto GlobalProtect VPN, with an LDAP server used for user group mapping.

Prerequisites

Before starting the configuration steps below, make sure your GlobalProtect Portals and Gateways are already configured.

STEP 1: Configure LDAP Server Profile

To add an LDAP Server Profile, follow these steps:

  1. Go to Device > Server Profiles > LDAP.
  2. Click Add.
  3. In the pop-up that appears, fill in the LDAP server details and credentials, then click OK.

STEP 2: Configure SAML Identity Provider Server Profile for PureAUTH

Before configuring the SAML Identity Provider, make sure you have onboarded your Organization and Users on PureAUTH.

Follow these steps to configure the SAML Identity Provider:

  1. Log in to PureAUTH.
  2. Add a new PaloAlto GlobalProtect SAML application:
    1. Enter the Application Name.
    2. Dataset for email: Select the appropriate user dataset attribute.
    3. Domain: Enter your GlobalProtect Portal or Gateway domain name or IP address (for example: 1.1.1.1 or vpn.acme.com).
    4. Click Add.
  3. Download the X.509 certificate.
  4. In the PaloAlto portal, go to Device > Certificate Management > Certificates.
  5. Click Import.
  6. Enter a Certificate Name and select the certificate file you just downloaded from the PureAUTH portal.

After the certificate has been imported successfully, go to Device > Server Profiles > SAML Identity Provider, click Add, and fill in the profile:

  1. Profile Name: Enter a profile name.
  2. Identity Provider ID: Paste the Issuer URL from the PureAUTH portal.
  3. Identity Provider Certificate: Select the certificate you just imported.
  4. Identity Provider SSO URL: Paste the Login URL from the PureAUTH portal.
  5. SAML HTTP Binding for SSO Requests to IDP: Select POST.
  6. SAML HTTP Binding for SLO Requests to IDP: Select POST.
  7. Leave both the Validate Identity Provider Certificate and Sign SAML Message to IDP checkboxes unchecked.
  8. Click OK.

STEP 3: Configure User Identification

  1. Go to Device > User Identification > Group Mapping Settings and click Add.
  2. Enter a Name for the Group Mapping.
  3. Under the Server Profile tab, select the LDAP Server Profile.
  4. Go to the Group Include List tab.
  5. Include the LDAP groups you want to allow, then click OK.

STEP 4: Configure Authentication Profiles

Follow these steps:

  1. Go to Device > Authentication Profile and click Add.
  2. Name: Enter a name for the Authentication Profile.
  3. Authentication > Type: Select SAML.
  4. Authentication > IdP Server Profile: Select the SAML Identity Provider Server Profile created in Step 2.
  5. Authentication > Username attribute: Enter the LDAP attribute whose value is matched against the NameID returned in the IdP's SAML Response, so that the SAML user is resolved to an entry on your LDAP server.
  6. Go to the Advanced tab.
  7. In the Allow List, add the group you included in the Group Mapping in Step 3, then click OK.
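Steps 3 and 4 together define an authorization rule: the NameID from the IdP's SAML Response is matched against the configured LDAP username attribute, and the resolved user is admitted only if one of their LDAP groups appears on the Authentication Profile's Allow List. The following Python script is an added illustration of that rule, not PureAUTH's or Palo Alto's code. The SAML Response, the LDAP directory, the issuer URL and the group DNs are all constructed sample data; no server is contacted, and the XML signature a real Response carries is not verified here.

```python
"""Resolve a SAML NameID to an LDAP user and enforce a group Allow List.

Added example (not PureAUTH or Palo Alto code). All inputs are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder for the Identity Provider ID (Issuer URL) pasted in Step 2.
EXPECTED_ISSUER = "https://pureauth.example.invalid/saml/issuer"

# Constructed SAML Response. A real one is signed by the IdP and that signature
# must be verified before anything below is trusted; this sample skips it.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@acme.example</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the LDAP directory behind the LDAP Server Profile.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,dc=acme,dc=example": {
        "mail": "alice@acme.example",
        "sAMAccountName": "alice",
        "memberOf": ["cn=vpn-users,ou=groups,dc=acme,dc=example"],
    },
    "uid=bob,ou=people,dc=acme,dc=example": {
        "mail": "bob@acme.example",
        "sAMAccountName": "bob",
        "memberOf": ["cn=staff,ou=groups,dc=acme,dc=example"],
    },
}

# Constructed Allow List, as entered on the Authentication Profile's Advanced tab.
ALLOW_LIST = ["cn=vpn-users,ou=groups,dc=acme,dc=example"]


def extract_name_id(response_xml, expected_issuer):
    """Return the NameID after checking status and that the assertion issuer matches."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("SAML Response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML Response carries no Assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("Assertion issuer does not match the configured IdP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("Assertion has no NameID")
    return name_id.strip()


def escape_ldap_filter_value(value):
    """RFC 4515 escaping so an IdP-supplied NameID cannot alter the LDAP filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def find_user(directory, username_attribute, name_id):
    """Build the lookup filter and resolve exactly one directory entry, or None."""
    ldap_filter = "(%s=%s)" % (username_attribute, escape_ldap_filter_value(name_id))
    matches = [dn for dn, attrs in directory.items() if attrs.get(username_attribute) == name_id]
    return ldap_filter, (matches[0] if len(matches) == 1 else None)


def is_allowed(directory, dn, allow_list):
    """True if any of the user's groups (case-insensitive DN match) is on the Allow List."""
    groups = {g.lower() for g in directory[dn].get("memberOf", [])}
    return any(g.lower() in groups for g in allow_list)


def authorize(response_xml, directory, username_attribute, allow_list, expected_issuer=EXPECTED_ISSUER):
    """Return (allowed, ldap_filter, user_dn) for one SAML Response."""
    name_id = extract_name_id(response_xml, expected_issuer)
    ldap_filter, dn = find_user(directory, username_attribute, name_id)
    if dn is None:
        return False, ldap_filter, None
    return is_allowed(directory, dn, allow_list), ldap_filter, dn


if __name__ == "__main__":
    print(authorize(SAMPLE_RESPONSE, SAMPLE_DIRECTORY, "mail", ALLOW_LIST))
    # Username attribute that does not hold the email form of the NameID: no match.
    print(authorize(SAMPLE_RESPONSE, SAMPLE_DIRECTORY, "sAMAccountName", ALLOW_LIST))
```

The second call in the usage block shows the most common misconfiguration of Step 4 item 5: when the Username attribute does not hold the same value the IdP places in NameID (here an email address), the user never resolves and authentication fails even though the group mapping is correct.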

STEP 5: Configure GlobalProtect Gateways and Portals with Authentication Profiles

Configure the Portal:

  1. Go to Network > GlobalProtect > Portals and click the name of the Portal to which you want to assign the SAML authentication profile.
  2. Go to the Authentication tab, click Add under Client Authentication, and select the Authentication Profile created in Step 4.
  3. Go to the Agent tab and open the Agent configuration.

In the Authentication tab of the Agent configuration:

  1. Set Save User Credentials to Save Username Only.
  2. Under Authentication Override, check Generate cookie for authentication override and Accept cookie for authentication override.
  3. Select a certificate for Certificate to Encrypt/Decrypt Cookie.

Configure the Gateway:

  1. Go to Network > GlobalProtect > Gateways and click the name of the Gateway to which you want to assign the SAML authentication profile.
  2. Go to the Authentication tab, click Add under Client Authentication, and select the Authentication Profile created in Step 4.
  3. Go to Agent > Client Settings and select a client settings profile.

In the Authentication Override tab of the client settings profile:

  1. Check Generate cookie for authentication override and Accept cookie for authentication override.
  2. Select a certificate for Certificate to Encrypt/Decrypt Cookie.
  3. Click OK.
  4. After making these changes, Commit the configuration.