This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

authentication sequence with LDAP and SAML

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

authentication sequence with LDAP and SAML

Abdul_Razaq
L4 Transporter

‎05-09-2020 10:12 AM

Hi Community,

 

I have a requirement to have client authentication in globalprotect portal/gateway to have with LDAP first then another profile wich is SAML based. the requirement is to authenticate with SAML profile if LDAP auth fails. But as SAML profile cannot be added in authentication sequence, i cannot take advantage of authentication sequence. multiple entries in client authentication under portal -> authentication doesn't seems to be working as it is not trying for the next one as first entry fails. Their document says it is kind of security policy, so that the order should be more specific to general ( which apparently says the OS type is differentiator and it will not try next entry once a OS match happens). But the same document also says "If you need multiple configurations for one OS, you can further distinguish the configurations by your choice of authentication profile", which is very much confusing.

 

If anybody have any workaround or solution for achieving this, it will be helpful

 

Thanks in advance!

 

6 people had this problem.
0 Likes Likes
1 REPLY 1

OwenFuller
L4 Transporter

‎05-14-2020 08:40 AM

I'm not sure whether this is possible with SAML.  I originally tested some of our GP portals/gateways w/ a RADIUS auth profile.  Once I added a SAML profile above it though, it seemed like it was one or the other (whichever was higher in the list).  You might need to consider two separate portals and gateways

 

Alternatively, you could do a single portal with LDAP auth that has a very long cookie expiration (e.g. 365 days), and two gateways (one with LDAP as the authentication, and one with SAML) that have much shorter cookie time-outs (e.g. 8 hours).  The LDAP gateway could be set to high priority, and the SAML gateway could be set to manual only in the portal agent config.  If the user is unable to authenticate with LDAP, they could choose the SAML gateway instead.

0 Likes Likes
  • 5616 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks