Hi all
I need help to configure ADFS SAML with global-protect.
i have successfully imported the metadata.xml from adfs into palo.
But now i can't export the metadata from paloalto.
Whats the correct identifiers and endpoints urls for global-contect clientless? I have no idea, what i must configure in adfs.
Can anyone help?
I use panos 8.0
regards
Benjamin
After a lot of trying I'm at the point that I can login via SAML to global protect. I'm using three rules in ADFS configuration:
1. Rule:
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
=> add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);2. Rule:
3. Rule:
I use sAMAccountName instead of username in my Authentication Profile.
For just logon to global protect via SAML that seems ok.
But I want to use Clientless VPN with apps that also do a SAML authentication. At the moment the situation is the following:
I open the global protect portal and get redirected to the ADFS logon site (external Form authentication). I logon and get redirected to the Clientless VPN portal.
Then I click on one app which also uses SAML authentication. I expect that the app will just open because I'm already authenticated via SAML BUT I get another ADFS authentication window (internal Windows Authentication) and have to logon again.
When I then open another app from clientless vpn portal then this works via SSO.
I think that happens because ADFS cannot map my session after I'm authenticated to the global protect portal so I think there is still missing something in the configuration of the rules.
(Another information: I had to delete encryption and signature info in ADFS for the Clientless VPN party. I don't know why but I will check this later.
)
Any ideas?
Thanks!
