<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Azure SAML authentication from Prisma Access to Branch gateway in Prisma Access Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/554064#M550</link>
    <description>&lt;P&gt;I would like to set up Azure SAML on Prisma Access and a branch firewall that has its own GlobalProtect portal. The Prisma Access portion has been configured already and tested to be working properly with Azure. My setup is as follows:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Prisma Access GP Portal &lt;BR /&gt;(Authentication configured on portal and gateway is Azure SAML)&lt;/P&gt;
&lt;P&gt;abc.domain.com&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Branch GP Portal&lt;/P&gt;
&lt;P&gt;(Authentication configured on portal and gateway is LDAP)&lt;/P&gt;
&lt;P&gt;xyz.domains.com&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;In the configuration on Prisma, I already have it configured to point to the Branch gateway as one of the options in the Prisma Portal gateway selection dropdown menu. The branch portal is not used that often directly; users just use the Prisma GP portal URL and from there jump to the gateway of the branch. &lt;BR /&gt;&lt;BR /&gt;The question is: since I already have the MFA configured with a certificate on Prisma using the Prisma GP URL abc.domain.com, do I still need to create a separate certificate for the branch firewalls? Does the difference in the Azure SAML configuration, where Prisma uses a different URL and certificate than what is on the branch, cause an issue for users jumping from Prisma portal to branch gateway? In other words, would it for example ask them to authenticate twice, or will the cached authentication information from the Prisma portal login be forwarded to the branch gateway if it was selected?&lt;/P&gt;
</description>
    <pubDate>Thu, 17 Aug 2023 01:12:48 GMT</pubDate>
    <dc:creator>User868</dc:creator>
    <dc:date>2023-08-17T01:12:48Z</dc:date>
    <item>
      <title>Azure SAML authentication from Prisma Access to Branch gateway</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/554064#M550</link>
      <description>&lt;P&gt;I would like to set up Azure SAML on Prisma Access and a branch firewall that has its own GlobalProtect portal. The Prisma Access portion has been configured already and tested to be working properly with Azure. My setup is as follows:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Prisma Access GP Portal &lt;BR /&gt;(Authentication configured on portal and gateway is Azure SAML)&lt;/P&gt;
&lt;P&gt;abc.domain.com&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Branch GP Portal&lt;/P&gt;
&lt;P&gt;(Authentication configured on portal and gateway is LDAP)&lt;/P&gt;
&lt;P&gt;xyz.domains.com&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;In the configuration on Prisma, I already have it configured to point to the Branch gateway as one of the options in the Prisma Portal gateway selection dropdown menu. The branch portal is not used that often directly; users just use the Prisma GP portal URL and from there jump to the gateway of the branch. &lt;BR /&gt;&lt;BR /&gt;The question is: since I already have the MFA configured with a certificate on Prisma using the Prisma GP URL abc.domain.com, do I still need to create a separate certificate for the branch firewalls? Does the difference in the Azure SAML configuration, where Prisma uses a different URL and certificate than what is on the branch, cause an issue for users jumping from Prisma portal to branch gateway? In other words, would it for example ask them to authenticate twice, or will the cached authentication information from the Prisma portal login be forwarded to the branch gateway if it was selected?&lt;/P&gt;
</description>
      <pubDate>Thu, 17 Aug 2023 01:12:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/554064#M550</guid>
      <dc:creator>User868</dc:creator>
      <dc:date>2023-08-17T01:12:48Z</dc:date>
    </item>
    <item>
      <title>Re: Azure SAML authentication from Prisma Access to Branch gateway</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/554818#M551</link>
      <description>&lt;P&gt;Not sure what the certificate is for you're referring to (hostname, client cert, authentication cert,..?)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you set up your branch gateway with a TLS profile containing a valid public server certificate (so the hostname can be resolved without any certificate issues), you can add the additional gateway to your Prisma Access configuration.&lt;/P&gt;
&lt;P&gt;Next, you can add your gateway FQDN to the Azure GlobalProtect enterprise application in the Single Sign-On &amp;gt;&amp;nbsp;&lt;SPAN&gt;Basic SAML Configuration as an identifier and reply URL.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Once that's done, you should be able to connect to the gateway using your Prisma Access portal config.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;If you were referring to the certificate as a client certificate: the gateway dictates the authentication requirements, so if you're using a client certificate in Prisma Access, but don't want to on the branch gateway, you can by setting the auth properties accordingly.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;hope this helps&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 23 Aug 2023 09:06:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/554818#M551</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2023-08-23T09:06:18Z</dc:date>
    </item>
    <item>
      <title>Re: Azure SAML authentication from Prisma Access to Branch gateway</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/554882#M552</link>
      <description>&lt;P&gt;That was very helpful, thank you! And in the Azure SAML configuration for GlobalProtect, besides adding the branch gateway as a new identifier as well as the branch Reply URL, do I need to also add the branch's own Sign on URL as well, or is there no need for that? The objective is basically to have any remote VPN user be able to connect to the branch from within the Prisma Access portal (by jumping to the gateway from the dropdown menu) or just through the branch portal and still be using the same SAML authentication through Azure.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Aug 2023 16:25:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/554882#M552</guid>
      <dc:creator>User868</dc:creator>
      <dc:date>2023-08-23T16:25:17Z</dc:date>
    </item>
    <item>
      <title>Re: Azure SAML authentication from Prisma Access to Branch gateway</title>
      <link>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/555067#M553</link>
      <description>&lt;P&gt;The sign-on URL is used for the portal bit; you can only have 1 in the enterprise app and this is going to be your Prisma Access portal URL.&lt;/P&gt;
&lt;P&gt;To have a similar SAML profile for the portal on your branch, you'll need a new enterprise application on Azure for the other portal (which, if Prisma Access is your main portal, is not necessary and you can basically remove the portal config from the branch).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Don't forget to like and subscribe!&lt;/P&gt;
&lt;P&gt;And mark as a solution and all that stuff :]&lt;/P&gt;
</description>
      <pubDate>Thu, 24 Aug 2023 14:10:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/prisma-access-discussions/azure-saml-authentication-from-prisma-access-to-branch-gateway/m-p/555067#M553</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2023-08-24T14:10:26Z</dc:date>
    </item>
  </channel>
</rss>

