https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-config-from-outside-organization/m-p/596332#M5749 <P>We are currently using Global Protect with the Portal and Gateway on the same firewall and interface, using SAML authentication through Okta with forced MFA.&nbsp; We have a requirement to allow an outside contractor to connect to our VPN for access to a very specific resource.&nbsp; Their authentication method is going to be unique and likely not use SAML....probably LDAP + CAC card.&nbsp; What is the best way to achieve this?&nbsp; My first thought was to create a secondary authentication profile on the portal, then at the gateway assign these users a unique IP range which I can control.&nbsp; That doesn't seem like a great solution, as the first authentication profile brings up the embedded browser to authenticate to Okta.&nbsp; Do I create second portal and gateway using a loopback interface on the same firewall and direct them there?&nbsp; Any suggestions would be appreciated.&nbsp;</P> Thu, 29 Aug 2024 18:06:34 GMT DEBARJD 2024-08-29T18:06:34Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-config-from-outside-organization/m-p/596332#M5749 <P>We are currently using Global Protect with the Portal and Gateway on the same firewall and interface, using SAML authentication through Okta with forced MFA.&nbsp; We have a requirement to allow an outside contractor to connect to our VPN for access to a very specific resource.&nbsp; Their authentication method is going to be unique and likely not use SAML....probably LDAP + CAC card.&nbsp; What is the best way to achieve this?&nbsp; My first thought was to create a secondary authentication profile on the portal, then at the gateway assign these users a unique IP range which I can control.&nbsp; That doesn't seem like a great solution, as the first authentication profile brings up the embedded browser to authenticate to Okta.&nbsp; Do I create second portal and gateway using a loopback interface on the same firewall and direct them there?&nbsp; Any suggestions would be appreciated.&nbsp;</P> Thu, 29 Aug 2024 18:06:34 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-config-from-outside-organization/m-p/596332#M5749 DEBARJD 2024-08-29T18:06:34Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-config-from-outside-organization/m-p/596641#M5765 <P>Hello,</P> <P>&nbsp;</P> <P>If you use SAML auth your can't use another authentication method on the same portal/gateway. Why not just set them up with a vendor/guest account in your Okta and have them log in with that and your MFA? Whats the need for then to authenticate against a different source? Does the Vendor want you to have your VPN authenticate against their authentication system?&nbsp;</P> Tue, 03 Sep 2024 18:34:54 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-config-from-outside-organization/m-p/596641#M5765 Claw4609 2024-09-03T18:34:54Z