topic Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App in GlobalProtect Discussions

Setting Up SSO In GlobalProtect Clientless VPN Portal App

Jesse_K — Tue, 07 Apr 2020 16:29:23 GMT

Hello.

I have a GP portal setup and working with a published app for VMware Horizon. Authentication to the portal is setup with Duo MFA and works as designed. The issue is that I would like to reduce the amount of authentications after the user logs in to the portal. When a user clicks on the the Horizon client HTML5 link, it opens the app page and presents another login. Our users must enter their username and password again to use the application. Is there a way to pass credentials from the Portal to the Horizon app without asking for re-authentication?

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

vathreya — Tue, 07 Apr 2020 16:35:08 GMT

Hi Jesse,

Some clarification here: Have you setup the clientless VPN portal and VMWare Horizon as two different Service Provider Applications on the same IdP? Which means users have to log into the clientless vpn portal using sso creds once and again to VMware horizon app. We currently do not support SSO functionality.

Regards,

Varun

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

Jesse_K — Tue, 07 Apr 2020 16:41:11 GMT

Hi Varun,

Sorry I a very new to SAML and SSO with these two systems. The GP Portal is setup to authenticate using a RADIUS profile with Duo MFA that connects to AD. The Horizon system is setup for AD authentication.

Does this info help?

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

vathreya — Tue, 07 Apr 2020 18:43:42 GMT

HI Jesse,

No, we do not support SSO in that case.

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

glitch — Fri, 17 Apr 2020 12:31:40 GMT

I have the same question.

At the GP Clientless portal we use LDAP authendication

At the web application we use the same LDAP authendication

It it possible somehow to forward the credentials used on the GP Portal to the web application as well?

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

vathreya — Fri, 17 Apr 2020 16:04:43 GMT

That's not currently supported.

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

Jafar_Hussain — Wed, 20 Jan 2021 18:56:38 GMT

@vathreya

I have the same question.

i have some applications configure in clientless vpn and the GP portal is accessible via AD authentication. how can we use SSO with clientless as users use AD authentication to access those applications?

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

NathanielM — Thu, 11 Feb 2021 11:21:04 GMT

Shame there's no solution to this. I want users to log into clientless vpn once (SAML auth) and then SSO take over so published apps don't also request an authentication page.

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

NathanielM — Thu, 11 Feb 2021 11:57:47 GMT

Ok it is possible:

https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000Cm2o

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

aabraham — Tue, 06 Jul 2021 22:02:35 GMT

I do not think this link is the answer to SSO features with Clientless GlobalProtect. This only shows how to setup Okta saml authentication for GlobalProtect clientless vpn and how to create a bookmark that will allow a workaround for IDP initiated workflow. What this thread is talking about it allowing you to use SSO between different SP(service provider) applications configured in the same IDP. I have tried this with both Okta and Keycloak. I think the reason this does not work is because the firewall does not receive the session cookies that tell the IDP that it is the same session as the application trying to SSO to. Unfortunately I am not certain why this is a problem but I know that right now it does not work.

Re: Setting Up SSO In GlobalProtect Clientless VPN Portal App

Abdulkhader — Mon, 19 Aug 2024 12:44:59 GMT

did you got any solution as workaround?