topic Local and SAML users authentication on the single GP Portal and Gateway in GlobalProtect Discussions

Local and SAML users authentication on the single GP Portal and Gateway

Dmytro-Ostapenko — Wed, 19 Feb 2025 16:18:52 GMT

I have a task to use 2 authentication methods - local and SAML on the single GP Portal and Gateway. First check local users and if username not found then check SAML users. As I know authentication sequence isn't supported for SAML. Separating users by OS type isn't way for us because different users (SAML and local) can use the same OS type. Are there any ways to do this task on single firewall?

Thanks.

Re: Local and SAML users authentication on the single GP Portal and Gateway

JayGolf — Wed, 19 Feb 2025 22:22:17 GMT

Hi @Dmytro-Ostapenko ,

The only way I have seen this done is creating a second portal/gw. Youd have one set w/ local auth and the other with SAML. What are the requirements behind the 2 separate auths? One for admins and another for regular users?

Re: Local and SAML users authentication on the single GP Portal and Gateway

Dmytro-Ostapenko — Thu, 20 Feb 2025 16:09:26 GMT

Yes, one auth SAML Entra +2FA for admins and local auth for other users and services. Do we need second ISP link and public IP address in separate virtual router for a second portal/gw or there is another way to deploy it?

Re: Local and SAML users authentication on the single GP Portal and Gateway

Raido_Rattameister — Thu, 20 Feb 2025 16:19:03 GMT

You don't need second ISP link if your current connection has more than 1 public IP.

Assuming that you have /28 subnet and IP configured on WAN interface is 5.5.5.1/28 then add second IP 5.5.5.2/32 on the same interface and then you can use 5.5.5.2/32 for second GlobalProtect Portal/Gateway.