https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575341#M115589 <P>Hello,</P> <P>&nbsp;</P> <P>Yes you can use the same Azure app and meta data for multiple GlobalProtect portals and gateways as thats what we do. On the Azure app you would need to add the additional urls under the SSO settings.&nbsp;</P> Thu, 01 Feb 2024 14:57:48 GMT Claw4609 2024-02-01T14:57:48Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575277#M115573 <P>Hi All,</P> <P>maybe more a question for Azure, will do more research but thought in the meantime id check with the livecommunity also.</P> <P>&nbsp;</P> <P>so trying to find out if this is possible.. not that familiar with Azure side of things.</P> <P>we have 1 Panorama that manages a number of NGFWs all in their own device groups/template stacks etc.</P> <P>&nbsp;</P> <P>FW_A has a gp portal called fwaportal.domain.com&nbsp;&nbsp;</P> <P>FW_D also has it's own portal called fwdportal.domain.com</P> <P>&nbsp;</P> <P>so the Azure team has setup the palo alto globalprotect app and used the fqdn for 'fwaportal.domain.com' and did an export and then import into the FW_A template all good as per the doc below</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>now.. if we want FW_D to also start using saml - how can this be done?</P> <P>can we ingest fwdportal.domain.com into the same saml config or should/can we have multiple SAML configs on Azure?</P> <P>&nbsp;</P> <P>thanks in adv</P> <P>&nbsp;</P> Thu, 01 Feb 2024 09:53:53 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575277#M115573 PA_nts 2024-02-01T09:53:53Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575341#M115589 <P>Hello,</P> <P>&nbsp;</P> <P>Yes you can use the same Azure app and meta data for multiple GlobalProtect portals and gateways as thats what we do. On the Azure app you would need to add the additional urls under the SSO settings.&nbsp;</P> Thu, 01 Feb 2024 14:57:48 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575341#M115589 Claw4609 2024-02-01T14:57:48Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575474#M115598 <P>Thanks Claw..</P> <P>one question on the sso settings.. so we can additional portal URLs under the 'identifier' and 'reply URL'. however under the 'Sign On URL', it does not have the option to add additional URLs and is currently set to 'fwaportal.domain.com '</P> <P>can it be left as is or will this have any impact for users connecting to the second portal - fwdportal.domain.com&nbsp;</P> <P>or do we just leave this as blank?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>thanks</P> <P>&nbsp;</P> Fri, 02 Feb 2024 07:48:41 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575474#M115598 PA_nts 2024-02-02T07:48:41Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575506#M115603 <P>Yeah you can only add one item under the sign-on url, and you cant leave it blank as its a required field. Gonna be honest not exactly sure what that piece is needed for, it may be if you initiate a connection from Azure to your GP portals webpage. We've brought down our main potal/gateway (the one we have listed in the sign on url) and been able to connect to our other ones via the same SAML Azure app.&nbsp;</P> Fri, 02 Feb 2024 13:28:26 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-authentication-with-azure-saml-question-for/m-p/575506#M115603 Claw4609 2024-02-02T13:28:26Z