topic Re: Global Protect with AzureAD authentication in GlobalProtect Discussions

Global Protect with AzureAD authentication

jeromecarrier — Fri, 19 Jan 2024 09:00:59 GMT

Hello

Currently, we have ou GP configured to use our local Active Directory for authentication.

Is easy to configure GP to use AzureAD authentication and to use Microsoft MFA ?

Re: Global Protect with AzureAD authentication

reaper — Fri, 19 Jan 2024 10:13:33 GMT

yes!

in azure you can create an enterprise application, look for "palo alto networks - globalprotect"

go through the steps to enable SSO

the only caveat is that you need to craft your identifier and reply url to contain :443

Basic SAML Configuration

Identifier (Entity ID)

https://mydomain:443/SAML20/SP

Reply URL (Assertion Consumer Service URL)

https://mydomain:443/SAML20/SP/ACS

Sign on URL

https://mydomain

export the federation metadata xml and import that into the palo as a SAML server profile

Re: Global Protect with AzureAD authentication

jeromecarrier — Fri, 19 Jan 2024 10:18:29 GMT

Thank you.

How I can configure GP to force user to enter AzureAD crendentials and not automatically authenticated on GP when I start the GP application ?

Re: Global Protect with AzureAD authentication

jeromecarrier — Fri, 19 Jan 2024 12:54:57 GMT

I configured the SAML and it's seem to be working but, when I used internal LDAP to authenticate on GP client, I need always enter my credentials but when I switch to the SAML auth, when I start the GP client, I'm directly connected without to enter credentials...

Re: Global Protect with AzureAD authentication

alowther_chatham — Mon, 29 Jan 2024 23:20:40 GMT

I have dug into this before and my conclusion is that you can not force reauthentication when using AzureAD SAML with GlobalProtect.

If the user has already signed in to AzureAD then Single-Sign-On principles will take effect. Authentication will be completed using a cookie in the browser in a simple case. If it is a Windows device that is AzureAD Joined or Hybrid AzureAD Joined then the Primary Refresh Token (PRT) will be used. There are more potential methods depending on OS and settings.

You might be able to use Sign-In-Frequency (SIF) in AzureAD Conditional Access, but if the device is joined to AzureAD then it probably won't work how you expect.

AzureAD does support a parameter called ForceAuthN which states

> If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Microsoft Entra ID

However, I do not see any way to tell PaloAlto to use this parameter. I've been considering making a feature request to PaloAlto to allow this parameter to be set. I've found threads where people use it with Checkpoint and Meraki VPNs.

I have some saved links that may help you

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032

https://www.reddit.com/r/paloaltonetworks/comments/11lhhe5/global_protect_samlsso_doesnt_force_users_to/

https://www.reddit.com/r/AZURE/comments/xrupux/conditional_access_require_mfa_every_single_time/

https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#authnrequest

https://community.checkpoint.com/t5/Remote-Access-VPN/Azure-SAML-Auth-forceAuthn-true/td-p/181467

https://community.meraki.com/t5/Security-SD-WAN/AnyConnect-w-SAML-amp-Azure-AD-Authentication-not-prompted-for/m-p/154548

Re: Global Protect with AzureAD authentication

alowther_chatham — Mon, 11 Mar 2024 17:29:40 GMT

As an update to my previous reply, a couple weeks ago Microsoft did announce support for additional capabilities with Conditional Access. This includes

> now you can require reauthentication for any resource protected by Conditional Access

Using this Conditional Access capability should satisfy the requirement "I need always enter my credentials".

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/prompt-users-for-reauthentication-on-sensitive-apps-and-high/ba-p/4062703

Re: Global Protect with AzureAD authentication

lnelso06 — Wed, 27 Aug 2025 03:11:06 GMT

We ran into this same issue with GlobalProtect VPN not supporting the ability to configure ForceAuthn=true for SAML requests in PAN-OS. After working with Palo support, they confirmed that there is no documented workaround at the PAN-OS firewall level for this issue and is a known limitation for environments using Azure SAML SSO with GlobalProtect VPN on devices that are joined to various Azure Entra ID domains. If you're impacted by this or would like to see support for the ability to configure ForceAuthn=true, could you kindly vote for NSFR-I-25544 through your Sales Engineer or by submitting a support ticket?