topic Authentication Cookies Generation and Authentication in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/authentication-cookies-generation-and-authentication/m-p/482096#M2691 <P>I am trying to a set up an implementation of pre-logon, then SAML w/ Client Certificates.</P><P>&nbsp;</P><P>Utilizing a machine certificate I can configure how I want with no issues, but using only a client (user) certificate, pre-logon doesn't work, which is expected since the certificate is not in the computer's personal store, but the user's.</P><P>&nbsp;</P><P>In order to combat this, I've attempted to set up the following:</P><P>&nbsp;</P><P><STRONG>Portal agents:</STRONG></P><P>&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">Pre-logon</TD><TD width="33.333333333333336%">pre-logon group</TD><TD width="33.333333333333336%">Accept auth cookies</TD></TR><TR><TD width="33.333333333333336%">LoggedOn</TD><TD width="33.333333333333336%">any group</TD><TD width="33.333333333333336%">Generate auth cookies</TD></TR></TBODY></TABLE><P>Authentication Profile: SAML</P><P>Certificate profile: InternalCAProf</P><P>&nbsp;</P><P><STRONG>Gateway clients:</STRONG></P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="30px">Pre-logon</TD><TD width="33.333333333333336%" height="30px">pre-logon group</TD><TD width="33.333333333333336%" height="30px">Accept auth cookies</TD></TR><TR><TD width="33.333333333333336%" height="30px">LoggedOn</TD><TD width="33.333333333333336%" height="30px">any group</TD><TD width="33.333333333333336%" height="30px">Generate auth cookies</TD></TR></TBODY></TABLE><P>Authentication Profile: SAML</P><P>Certificate profile: InternalCAProf</P><P>&nbsp;</P><P>As shown, I want the user to authenticate with the portal/gateway the first time utilizing SAML, a cookie should be generated, then the cookie should be accepted for pre-logon only.</P><P>&nbsp;</P><P>PAN OS 10.2.0 (Lab environment here)</P><P>&nbsp;</P><P>&nbsp;</P><P>Does anyone know if this implementation is possible?</P> Sat, 23 Apr 2022 00:24:31 GMT Garrett_Heidorn 2022-04-23T00:24:31Z Authentication Cookies Generation and Authentication https://live.paloaltonetworks.com/t5/globalprotect-discussions/authentication-cookies-generation-and-authentication/m-p/482096#M2691 <P>I am trying to a set up an implementation of pre-logon, then SAML w/ Client Certificates.</P><P>&nbsp;</P><P>Utilizing a machine certificate I can configure how I want with no issues, but using only a client (user) certificate, pre-logon doesn't work, which is expected since the certificate is not in the computer's personal store, but the user's.</P><P>&nbsp;</P><P>In order to combat this, I've attempted to set up the following:</P><P>&nbsp;</P><P><STRONG>Portal agents:</STRONG></P><P>&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">Pre-logon</TD><TD width="33.333333333333336%">pre-logon group</TD><TD width="33.333333333333336%">Accept auth cookies</TD></TR><TR><TD width="33.333333333333336%">LoggedOn</TD><TD width="33.333333333333336%">any group</TD><TD width="33.333333333333336%">Generate auth cookies</TD></TR></TBODY></TABLE><P>Authentication Profile: SAML</P><P>Certificate profile: InternalCAProf</P><P>&nbsp;</P><P><STRONG>Gateway clients:</STRONG></P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="30px">Pre-logon</TD><TD width="33.333333333333336%" height="30px">pre-logon group</TD><TD width="33.333333333333336%" height="30px">Accept auth cookies</TD></TR><TR><TD width="33.333333333333336%" height="30px">LoggedOn</TD><TD width="33.333333333333336%" height="30px">any group</TD><TD width="33.333333333333336%" height="30px">Generate auth cookies</TD></TR></TBODY></TABLE><P>Authentication Profile: SAML</P><P>Certificate profile: InternalCAProf</P><P>&nbsp;</P><P>As shown, I want the user to authenticate with the portal/gateway the first time utilizing SAML, a cookie should be generated, then the cookie should be accepted for pre-logon only.</P><P>&nbsp;</P><P>PAN OS 10.2.0 (Lab environment here)</P><P>&nbsp;</P><P>&nbsp;</P><P>Does anyone know if this implementation is possible?</P> Sat, 23 Apr 2022 00:24:31 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/authentication-cookies-generation-and-authentication/m-p/482096#M2691 Garrett_Heidorn 2022-04-23T00:24:31Z