topic Re: Using SAML with Global Protect Client and MS Azure in General Topics

Using SAML with Global Protect Client and MS Azure

MP18 — Tue, 30 Oct 2018 15:49:20 GMT

We have configured global protect client 4.1.6.

We want to use MS Azure for MFA can we do this by using SAML?

Re: Using SAML with Global Protect Client and MS Azure

Remo — Tue, 30 Oct 2018 18:16:38 GMT

In general yes it should be possible, but you did not share a lot of information to answer the question ...

Do you already have ADFS servers? Do you use Azure MFA there already? Do you use Azure MFA already for another service in your company or do you plan to implement it completely new?

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Tue, 30 Oct 2018 18:56:32 GMT

No it brand new setup.

We have GP client running version 4.1.6

No we do not use Azure MFA.

What are ADFS?

How they are linked to SAML?

Re: Using SAML with Global Protect Client and MS Azure

Remo — Tue, 30 Oct 2018 22:23:36 GMT

Hi @MP18

Does your company in this case already uses an Azure AD and/or Office 365 or other Microsoft Cloud Services? Or what is the exact reason to use Azure MFA if there are no prerequisites?

ADFS technically is a SAML Identity Provider (I assumed you use this one as it is probably the only SAML IdP with an Azure MFA Integration). Another way you can go is with a Microsoft NPS RADIUS Server with the Azure MFA Plugin.

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Tue, 30 Oct 2018 22:51:04 GMT

Yes we have office 365 in cloud and also AD but not ADFS

Re: Using SAML with Global Protect Client and MS Azure

Remo — Tue, 30 Oct 2018 23:47:24 GMT

Is it possible for you that you connect other cloudservices (salesforce, dropbox business, ...) with SAML (with the existing things that you already have with your microsoft subscriptions)? If yes, then I you should be able to configure GP the same way as other SAML cloud services ... if not, you probably need ADFS ...

Re: Using SAML with Global Protect Client and MS Azure

Remo — Tue, 30 Oct 2018 23:48:54 GMT

... or A Microsoft RADIUS server as an ADFS server is the more complex way I think ...

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Wed, 31 Oct 2018 03:10:50 GMT

Yes earlier today i exported the SAML xml file in PA.

Then i try to connect to the Client everytime i see the error message in system logs of PA

'SAML SSO authentication failed for user \'\'. Reason: SAML web single-sign-on failed. reply message \'Reason: SAML web single-sign-on failed.\'' )

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Wed, 31 Oct 2018 03:19:37 GMT

Yes earlier today i exported the SAML xml file in PA.

Then i try to connect to the Client everytime i see the error message in system logs of PA

SAML SSO authentication failed for user Reason: SAML web single-sign-on failed. reply message \'Reason: SAML web single-sign-on failed.

Re: Using SAML with Global Protect Client and MS Azure

Remo — Wed, 31 Oct 2018 10:34:21 GMT

Did you follow the help documents from paloalto and microsoft (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications) to configure this?

This error message sounds very generic. When did it show up?

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Wed, 31 Oct 2018 13:48:37 GMT

I did not do the Azure part.

Which documents of PA you refer to?

We get this error message after

saml-client-redirect

saml-signature validated

saml out of band massage

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Wed, 31 Oct 2018 13:55:49 GMT

Re: Using SAML with Global Protect Client and MS Azure

Remo — Wed, 31 Oct 2018 15:38:26 GMT

@MP18 wrote:
I did not do the Azure part.

Without the configuration on azure side you will always get errors when you try to log in.

@MP18 wrote:
Which documents of PA you refer to?

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Wed, 31 Oct 2018 17:43:20 GMT

when i check the cert i get this error

SAML -> method -> saml-idp is invalid. Validate Identity Provider Certificate is checked but no Certificate Profile is provided
authentication-profile -> SAML -> method is invalid
Commit failed

Re: Using SAML with Global Protect Client and MS Azure

Remo — Wed, 31 Oct 2018 20:18:54 GMT

... then uncheck the checkbox or create a cert profile with the root cert of the server certificate that microsoft uses 😉

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Wed, 31 Oct 2018 23:12:40 GMT

creating a cookie override on portal and accepting on gateway make it worked

Re: Using SAML with Global Protect Client and MS Azure

Remo — Wed, 31 Oct 2018 23:39:16 GMT

@MP18 wrote:
creating a cookie override on portal and accepting on gateway make it worked

Isn't this something completely different than what you were asking in your initial post?

@MP18 wrote:
We want to use MS Azure for MFA can we do this by using SAML?

Re: Using SAML with Global Protect Client and MS Azure

MP18 — Thu, 01 Nov 2018 00:46:41 GMT

I agree i should have open separte discussion for this but things happened very quickly at my end.

My apologies for that.

Re: Using SAML with Global Protect Client and MS Azure

LarsAtConsigas — Tue, 30 Jun 2020 07:19:06 GMT

We posted a training video explaining how to securely set up SAML authentication end-to-end against Office 365 Azure AD. The critical element which explains how to set up certificate validation of the SAML Identity Provider to address the SAML Bypass Vulnerability (CVE-2020-2021) starts at 29:35. It shows how to enable "Validate Identity Provider Certificate" and fix the commit error "Validate Identity Provider Certificate is checked but no Certificate Profile is provided authentication-profile"

Re: Using SAML with Global Protect Client and MS Azure

JohnQuile — Wed, 01 Jul 2020 03:11:28 GMT

Hi @LarsAtConsigas ,

What about for Okta if we don't use Azure AD for this?

We use GlobalProtect and VPN.

Okta's guide here says to not check the Validate Identity Provider certificate:

https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html