05-09-2020 10:12 AM
I have a requirement to have client authentication in the GlobalProtect portal/gateway with LDAP first, then another profile which is SAML-based. The requirement is to authenticate with the SAML profile if LDAP auth fails. But as a SAML profile cannot be added to an authentication sequence, I cannot take advantage of authentication sequences. Multiple entries in client authentication under Portal -> Authentication don't seem to be working, as it is not trying the next one when the first entry fails. Their document says it is kind of like a security policy, so the order should be more specific to general (which apparently says the OS type is the differentiator and it will not try the next entry once an OS match happens). But the same document also says "If you need multiple configurations for one OS, you can further distinguish the configurations by your choice of authentication profile", which is very confusing.
If anybody has any workaround or solution for achieving this, it would be helpful.
Thanks in advance!
05-14-2020 08:40 AM
I'm not sure whether this is possible with SAML. I originally tested some of our GP portals/gateways with a RADIUS auth profile. Once I added a SAML profile above it, though, it seemed like it was one or the other (whichever was higher in the list). You might need to consider two separate portals and gateways.
Alternatively, you could do a single portal with LDAP auth that has a very long cookie expiration (e.g. 365 days), and two gateways (one with LDAP as the authentication, and one with SAML) that have much shorter cookie time-outs (e.g. 8 hours). The LDAP gateway could be set to high priority, and the SAML gateway could be set to manual only in the portal agent config. If the user is unable to authenticate with LDAP, they could choose the SAML gateway instead.