Global Protect SAML Okta groups integration

sirons — Tue, 12 Jul 2022 17:28:54 GMT

I'm currently working on setting up our 2 PAs for VPN.

I'm trying to get the configuration set up to do something similar to what we had on Cisco but with PA and SAML instead of LDAP.

I've followed this doc https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html but in section 8 it doesn't exactly specify how to do that. I have 2 groups called vpn_level_1 and vpn_level_2.

These groups would differentiate between which Client IP subnet as they'd reach different resources in the on prem network. Example 10.0.1.0/24 would be for vpn_level_1 and 10.0.2.0/24 would be for vpn_level_2.

Our Okta instance sync's our AD groups and I'm trying not to do LDAP with this if at all possible. I also couldn't find a feature in the Gateway > Agent > Client Settings where IP Addressing would be on a specific group condition.

I couldn't find this specific situation in the forums so any help would be appreciated.

Re: Global Protect SAML Okta groups integration

sirons — Wed, 13 Jul 2022 18:17:34 GMT

Nevermind figured it out. Looks like I needed LDAP.

topic Re: Global Protect SAML Okta groups integration in GlobalProtect Discussions

Global Protect SAML Okta groups integration

Re: Global Protect SAML Okta groups integration