Recent SAML integration with Global Protect

Reply
L0 Member

Recent SAML integration with Global Protect

I've recently moved from using RADIUS authentication for Palo Alto and moved authentication over to SAML so I can integrate with Duo Security.  With this change, the domain info is no longer passed by SAML to Global Protect thus breaking several policies that I had that we applied based on their AD credentials.  Is there any way to fix this so I can still use rules that refer to the AD credentials or do I have to discard anything that requires the AD lookups?  Any guidance is greatly appreciated.

L2 Linker

Re: Recent SAML integration with Global Protect

Hello,

 

Thanks for your question! It's an excellent question and is something that I've heard many times before from people moving to SAML-based authentication.

 

When authenticating against a SAML Identity Provider, whether it's Duo Security, ADFS, or other, the Identity Provider (IdP) generates a SAML assertion upon successful authentication, sends it to the user's browser, redirects the browser to the Service Provider (SP) - in your case the SP is Palo Alto Networks GlobalProtect, then the browser submits the SAML assertion. At that point, the user is authenticated and permitted access based on the policy configured in GlobalProtect.

 

Here's the catch! The Service Provider trusts information within the SAML assertion provided it comes from a trusted Identity Provider and the assertion is signed appropriately and has not expired. The Service Provider parses the contents of the assertion and looks for the attribute/value pairs contained within, at which point it can use them in the authentication process.

 

If the IdP doesn't send the attribute/value pairs you want to use in policy, then it's not possible to use them. I suspect this is the case you are running into.

 

My recommendation would be to review the Duo Security documentation and add the attribute/value pair details to the application within the Duo Security admin portal. If you're looking for the AD domain name, there should be an option to insert that info in the assertion. Likewise, if you're looking for AD group membership, there's an option to insert that into the SAML assertion.

 

Once you have the desired attributes in the assertion, you can configure authentication policy within GlobalProtect to parse the assertion and look for the desired values, then apply them to the policy as required.

 

I hope that's helpful! Please let me know if this solves your issue or if you need more assistance.

 

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA |  USA

 

The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.

Highlighted
L2 Linker

Re: Recent SAML integration with Global Protect

Hello again,

 

One thing I forgot to mention...

 

It is common for customers using SAML to layer Identity Providers. In many cases, I've seen customers leverage both Duo and Active Directory Federation Services.

 

You can read more about this on the Duo Security site - scroll down to the bottom of the following page:

 

Duo Protection for Palo Alto Networks SSO

 

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA |  USA

 

The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!