Separation of profiles for authorization and authentication in GlobalProtect

nickalecks — Sun, 24 Jul 2022 09:31:09 GMT

Hello friends! Help me please.
I need advice on authentication and authorization when connecting to a GP.
Is it possible to separate these roles?

For example: authenticate using SAML.
And then check this user for belonging to groups in LDAP, and depending on these groups, send him to the gateway / send him settings / apply policies.

In general, authenticate via SAML, and authorize via LDAP.

There were no such cases in the documentation.

Re: Separation of profiles for authorization and authentication in GlobalProtect

aleksandar.astardzhiev — Mon, 08 Aug 2022 12:43:39 GMT

Hi @nickalecks ,

Yes, that is actually how GlobalProtect really works.

- For both GP portal and gateway you first authenticate the user, which is defined under Authentication Tab

Here you specify what Authentication profile (authentication method) should GP apply when users are trying to connect. Here you can have different authentication methods based on client OS.

- Once the user is authenticated you can use the Group Mapping (which is retrieved over LDAP) to apply different portal or gateway configuration. This is done under Agent tab (again for both portal and gateway)

Here you can specify user group that FW is retrieving from the configured Group Mapping and have different configuration profiles based on user/user group and/or client OS.

topic Re: Separation of profiles for authorization and authentication in GlobalProtect in GlobalProtect Discussions

Separation of profiles for authorization and authentication in GlobalProtect

Re: Separation of profiles for authorization and authentication in GlobalProtect