ADFS SAML Configuration

L1 Bithead

I just recently was able to get GP to authenticate to ADFS using SAML with the help of support.  Here are some hints that worked for me.

1. GP 4.0.3 has a bug, so I needed to use either GP 4.0.2 or GP 4.0.4

2. ADFS is configured with a Custom Claim Rule, a Transform rule to map SessionID to NameID (using transient identifier) and another Transform rule to map Windows Account Name to username

3. username is used for Username Attribute in the SAML auth profile

Let me know if that helps you.

Ian

L1 Bithead

Hi,

can you add a screenshot of your rules?

Thanks

L1 Bithead

After a lot of trying, I'm at the point where I can log in via SAML to GlobalProtect. I'm using three rules in the ADFS configuration:

1. Rule:

[screenshot of rule 1]

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

2. Rule:

[screenshot of rule 2]

3. Rule:

[screenshot of rule 3]

I use sAMAccountName instead of username in my Authentication Profile.

[screenshot of the Authentication Profile]

For just logging on to GlobalProtect via SAML, that seems OK.

But I want to use Clientless VPN with apps that also do SAML authentication. At the moment the situation is the following:

I open the GlobalProtect portal and get redirected to the ADFS logon site (external Forms authentication). I log on and get redirected to the Clientless VPN portal.

Then I click on one app which also uses SAML authentication. I expect that the app will just open because I'm already authenticated via SAML, BUT I get another ADFS authentication window (internal Windows Authentication) and have to log on again.

When I then open another app from the Clientless VPN portal, this works via SSO.

I think that happens because ADFS cannot map my session after I'm authenticated to the GlobalProtect portal, so I think there is still something missing in the configuration of the rules.

(Another piece of information: I had to delete the encryption and signature info in ADFS for the Clientless VPN party. I don't know why, but I will check this later.

[two screenshots of the ADFS relying party settings])

Any ideas?

Thanks!
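The three-rule chain discussed in this thread (opaque session ID, session ID to transient NameID, Windows account name to the username attribute), written out as an added example that is not from the thread or from Microsoft/Palo Alto Networks documentation. Rule 1 is the rule text posted above; rules 2 and 3 are reconstructed from the first post's description, and the relying party trust name "GlobalProtect-Portal" and the outgoing claim type "username" (the later post uses sAMAccountName instead) are assumptions.

```powershell
# Added example, not the thread's own configuration. Assumptions: the relying
# party trust is named "GlobalProtect-Portal" and rule 3 issues a claim of type
# "username" (matching the "Username Attribute" in the PAN-OS SAML auth profile).
$rules = @'
@RuleName = "Rule 1: opaque per-session ID (Custom Claim Rule)"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

@RuleName = "Rule 2: session ID -> NameID with transient format (reconstructed)"
c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

@RuleName = "Rule 3: Windows account name -> username attribute (reconstructed)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "username", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Rule 1 uses add(), so the session ID stays inside the pipeline and is never
# sent to the relying party on its own; rule 2 is what actually issues it as
# the NameID, and rule 3 carries the real identity in the username attribute.
Set-AdfsRelyingPartyTrust -TargetName "GlobalProtect-Portal" -IssuanceTransformRules $rules

# Read the rule set back to confirm all three rules were accepted.
(Get-AdfsRelyingPartyTrust -Name "GlobalProtect-Portal").IssuanceTransformRules
```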

L1 Bithead

I'm sorry, but I don't have any ideas for use with Clientless VPN. I've only been focusing on GP. Right now I'm working through issues with the signing certificate verification and the signing of SAML requests to the IdP. Maybe my eventual findings here might help you with your last comment.

L1 Bithead

But can you add screenshots of your ADFS rules?

Thanks!

L1 Bithead

[screenshots: Custom Claim Rule, Transform Name ID, Transform accountname]
