topic Re: GlobalProtect Authentication SAML plus certificate (backup mode) in General Topics

GlobalProtect Authentication SAML plus certificate (backup mode)

BigPalo — Mon, 14 Apr 2025 11:27:56 GMT

I would like to know if it is possible to configure SAML to authenticate and in case something in the SAML part is not working, certificate authentication is used. This is for GP authentication.

So SAML + certificate auth (backup option).

I understand that i will need a authprofile with SAML auth. But where can i choose the backup auth by certificate?

Re: GlobalProtect Authentication SAML plus certificate (backup mode)

Raido_Rattameister — Mon, 14 Apr 2025 12:43:30 GMT

I am not aware of straight forward way to achieve this.

Only way to have backup auth would be to use auth sequence but you can't use SAML with auth sequence.

With DUO 2FA you could set it as LDAP proxy in between Palo and AD.

This would allow to use auth sequence and use secondary auth profile if first is not accessible.

Re: GlobalProtect Authentication SAML plus certificate (backup mode)

BigPalo — Mon, 14 Apr 2025 13:04:14 GMT

So Can i create a auth sequence 1) SAML 2) LDAP (just in case SAML fails) ??

Because if i have only SAML and anything in SAML part goes down, i would have outage. RIght?

Re: GlobalProtect Authentication SAML plus certificate (backup mode)

Raido_Rattameister — Mon, 14 Apr 2025 13:11:16 GMT

No SAML and auth sequence are not compatible.

If you use SAML you can't use auth sequence.

If you reconfigure your 2FA to use LDAP instead of SAML then you can accomplish redundancy.

Re: GlobalProtect Authentication SAML plus certificate (backup mode)

BigPalo — Mon, 14 Apr 2025 13:42:02 GMT

So if we use SAML (EntraID) for 2FA and we dont have any backup authentication.what would it be if anything in EntraID is down? what is recommended in this case?