https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/593197#M3491 <P>I'm trying to setup an integration with 2 firewalls at different locations.&nbsp; The portal and 1 gateway reside on 1 of the firewalls, and i've used this:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE</A></P> <P>&nbsp;</P> <P>to get that going successfully.&nbsp; The 2nd firewall, which has a certificate w/ a different FQDN, doesn't allow users to connect.&nbsp; My thinking was I needed to create a 2nd enterprise application using the 2nd FQDN or is that not necessarily?</P> Fri, 26 Jul 2024 19:32:47 GMT DJ_1924 2024-07-26T19:32:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/593197#M3491 <P>I'm trying to setup an integration with 2 firewalls at different locations.&nbsp; The portal and 1 gateway reside on 1 of the firewalls, and i've used this:</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE</A></P> <P>&nbsp;</P> <P>to get that going successfully.&nbsp; The 2nd firewall, which has a certificate w/ a different FQDN, doesn't allow users to connect.&nbsp; My thinking was I needed to create a 2nd enterprise application using the 2nd FQDN or is that not necessarily?</P> Fri, 26 Jul 2024 19:32:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/593197#M3491 DJ_1924 2024-07-26T19:32:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/593899#M3525 <P>Yeah sounds like the second enterprise application is exactly what you need since you are going to have a different SAML configuration for the other FQDN</P> Fri, 02 Aug 2024 18:39:09 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/593899#M3525 TeemuH 2024-08-02T18:39:09Z https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/593901#M3527 <P>Hello,</P> <P>&nbsp;</P> <P>What error are you getting when users are trying to connect? You are able to use the same SAML Azure App for multiple GlobalProtect gateways, you just need to add the additional gateways under the Basic SAML configuration urls settings in the Azure app. And have the SAML metadata imported on the gateway firewall.&nbsp;</P> Fri, 02 Aug 2024 18:59:57 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/593901#M3527 Claw4609 2024-08-02T18:59:57Z https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/594733#M3583 <P>Like Claw is saying you just need to add your additonal gateways in your Azure Entra Global Protec single sign on settings.</P> <DIV class="azc-form-labelcontainer azc-text-label azc-text-sublabel-neighbor"><LABEL id="form-label-id-31" class="azc-form-label" for="form-label-id-31-for" data-bind="untrustedContent: label, attr: { title: 1 === ko.unwrap(overflowMode) &amp;&amp; 'string' === typeof ko.unwrap(label) &amp;&amp; ko.unwrap(label) }">Identifier (Entity ID)</LABEL> <DIV class="azc-required-balloon fxc-base azc-control azc-dockedballoon-requiredwidget azc-dockedballoon-required" data-control="true"> <DIV class="azc-dockedballoon-anchor" aria-hidden="true"> <DIV class="azc-required-anchor">And the&nbsp; <DIV class="azc-form-labelcontainer azc-text-label azc-text-sublabel-neighbor"><LABEL id="form-label-id-34" class="azc-form-label" for="form-label-id-34-for" data-bind="untrustedContent: label, attr: { title: 1 === ko.unwrap(overflowMode) &amp;&amp; 'string' === typeof ko.unwrap(label) &amp;&amp; ko.unwrap(label) }">Reply URL (Assertion Consumer Service URL)</LABEL> <DIV class="azc-required-balloon fxc-base azc-control azc-dockedballoon-requiredwidget azc-dockedballoon-required" data-control="true"> <DIV class="azc-dockedballoon-anchor" aria-hidden="true"> <DIV class="azc-required-anchor">&nbsp;</DIV> </DIV> </DIV> <DIV id="form-label-id-34-balloon" class="fxc-base azc-control azc-dockedballoon azc-dockedballoon-info" data-control="true" aria-owns="azc-dockedballoon-balloon-azc-dockedballoon-balloon0-025"> <DIV id="form-label-id-34-anchor" class="azc-dockedballoon-anchor" tabindex="-1" role="button" data-bind="attr: { &quot;aria-hidden&quot; : $ctl._isCheckPopulated() || $ctl._isRequired(), &quot;aria-label&quot;: data._ariaLabel(), &quot;aria-expanded&quot;: data.balloonVisible().toString(), &quot;aria-controls&quot;: data.balloonId }" aria-label="Reply URL (Assertion Consumer Service URL)" aria-expanded="false" aria-controls="azc-dockedballoon-balloon-azc-dockedballoon-balloon0-025" aria-describedby="0070f18c-90a5-4190-938c-357decde71f5" aria-labelledby="form-label-id-34-anchor"> <DIV class="fxs-portal-svg-secondary azc-fill-hovered-heavy azc-dockedballoon-anchor-target" data-bind="css: { &quot;azc-fill-heavy&quot;: data.balloonVisible() }">Should contain you gateway url's.</DIV> <DIV class="fxs-portal-svg-secondary azc-fill-hovered-heavy azc-dockedballoon-anchor-target" data-bind="css: { &quot;azc-fill-heavy&quot;: data.balloonVisible() }">Example config for prisma access mobile user gateways can be found on : (your's is similar but then for your own gateways)</DIV> <DIV class="fxs-portal-svg-secondary azc-fill-hovered-heavy azc-dockedballoon-anchor-target" data-bind="css: { &quot;azc-fill-heavy&quot;: data.balloonVisible() }"><A href="https://docs.paloaltonetworks.com/prisma-access/integration/microsoft-integrations-with-prisma-access/azure-ad-saml-authentication-for-mobile-user-deployments/configure-mobile-users-without-cloud-identity-engine" target="_blank">Configure Mobile Users without Cloud Identity Engine (paloaltonetworks.com).</A></DIV> <DIV class="fxs-portal-svg-secondary azc-fill-hovered-heavy azc-dockedballoon-anchor-target" data-bind="css: { &quot;azc-fill-heavy&quot;: data.balloonVisible() }">&nbsp;</DIV> <DIV class="fxs-portal-svg-secondary azc-fill-hovered-heavy azc-dockedballoon-anchor-target" data-bind="css: { &quot;azc-fill-heavy&quot;: data.balloonVisible() }">&nbsp;</DIV> </DIV> </DIV> </DIV> <DIV class="azc-formElementSubLabelContainer">&nbsp;</DIV> </DIV> </DIV> </DIV> <DIV id="form-label-id-31-balloon" class="fxc-base azc-control azc-dockedballoon azc-dockedballoon-info" data-control="true" aria-owns="azc-dockedballoon-balloon-azc-dockedballoon-balloon0-021"> <DIV id="form-label-id-31-anchor" class="azc-dockedballoon-anchor" tabindex="-1" role="button" data-bind="attr: { &quot;aria-hidden&quot; : $ctl._isCheckPopulated() || $ctl._isRequired(), &quot;aria-label&quot;: data._ariaLabel(), &quot;aria-expanded&quot;: data.balloonVisible().toString(), &quot;aria-controls&quot;: data.balloonId }" aria-label="Identifier (Entity ID)" aria-expanded="false" aria-controls="azc-dockedballoon-balloon-azc-dockedballoon-balloon0-021" aria-describedby="0070f18c-90a5-4190-938c-357decde71f1" aria-labelledby="form-label-id-31-anchor"> <DIV class="fxs-portal-svg-secondary azc-fill-hovered-heavy azc-dockedballoon-anchor-target" data-bind="css: { &quot;azc-fill-heavy&quot;: data.balloonVisible() }">&nbsp;</DIV> </DIV> </DIV> </DIV> <DIV class="azc-formElementSubLabelContainer">&nbsp;</DIV> Tue, 13 Aug 2024 12:56:11 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/global-protect-integration-with-azure-saml-w-multiple-gateways/m-p/594733#M3583 zGomez 2024-08-13T12:56:11Z