https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-multiple-authentication-methods-on-same-portal/m-p/1236315#M6975 <P>We currently use GlobalProtect with LDAP + machine cert authentication on our production firewalls (managed by Strata Cloud Manager).</P> <P>We’ve tested SAML auth via Azure AD on a non-production firewall using Cloud Identity Manager and it works fine. Now we’d like to test it on production without forcing it as the default profile (to avoid impacting live users).</P> <P>On the production firewall....</P> <P>I removed myself from the on prem AD group tied to the current LDAP-based auth profile.</P> <P>Added the SAML (SSO with Azure AD) method as a secondary authentication method on both the portal and the gateway.</P> <P>Despite this, when testing, I still get authenticated using the LDAP method rather than being redirected to Azure SSO</P> <P>&nbsp;</P> <P><LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</P> Wed, 20 Aug 2025 11:12:18 GMT ParisVcr 2025-08-20T11:12:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-multiple-authentication-methods-on-same-portal/m-p/1236315#M6975 <P>We currently use GlobalProtect with LDAP + machine cert authentication on our production firewalls (managed by Strata Cloud Manager).</P> <P>We’ve tested SAML auth via Azure AD on a non-production firewall using Cloud Identity Manager and it works fine. Now we’d like to test it on production without forcing it as the default profile (to avoid impacting live users).</P> <P>On the production firewall....</P> <P>I removed myself from the on prem AD group tied to the current LDAP-based auth profile.</P> <P>Added the SAML (SSO with Azure AD) method as a secondary authentication method on both the portal and the gateway.</P> <P>Despite this, when testing, I still get authenticated using the LDAP method rather than being redirected to Azure SSO</P> <P>&nbsp;</P> <P><LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;</P> Wed, 20 Aug 2025 11:12:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-multiple-authentication-methods-on-same-portal/m-p/1236315#M6975 ParisVcr 2025-08-20T11:12:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-multiple-authentication-methods-on-same-portal/m-p/1236378#M6976 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/410578671">@ParisVcr</a>&nbsp;,</P> <P>&nbsp;</P> <P>At the moment, SAML&nbsp;cannot be triggered on the same GP portal/gateway that has<SPAN>&nbsp;Local/RADIUS/LDAP/TACACS configured first. Likewise, Local/RADIUS/LDAP/TACACS would not be triggered on a GP portal/gateway that has SAML configured at the top of the client auth.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>For SAML to work correctly, it must be the only auth method configured for the portal/gateway (as you tested successfully in non-prod).</SPAN></P> Wed, 20 Aug 2025 21:01:25 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-multiple-authentication-methods-on-same-portal/m-p/1236378#M6976 JayGolf 2025-08-20T21:01:25Z