
authentication sequence with LDAP and SAML


L4 Transporter

Hi Community,

I have a requirement for client authentication on the GlobalProtect portal/gateway to use LDAP first, then another profile which is SAML based. The requirement is to authenticate with the SAML profile if LDAP auth fails. But as a SAML profile cannot be added to an authentication sequence, I cannot take advantage of the authentication sequence. Multiple entries in Client Authentication under Portal -> Authentication don't seem to be working, as it is not trying the next one when the first entry fails. Their document says it is a kind of security policy, so the order should be from more specific to general (which apparently says the OS type is the differentiator and it will not try the next entry once an OS match happens). But the same document also says "If you need multiple configurations for one OS, you can further distinguish the configurations by your choice of authentication profile", which is very confusing.

If anybody has a workaround or solution for achieving this, it would be helpful.

Thanks in advance!

L4 Transporter

I'm not sure whether this is possible with SAML. I originally tested some of our GP portals/gateways w/ a RADIUS auth profile. Once I added a SAML profile above it though, it seemed like it was one or the other (whichever was higher in the list). You might need to consider two separate portals and gateways.

Alternatively, you could do a single portal with LDAP auth that has a very long cookie expiration (e.g. 365 days), and two gateways (one with LDAP as the authentication, and one with SAML) that have much shorter cookie time-outs (e.g. 8 hours). The LDAP gateway could be set to high priority, and the SAML gateway could be set to manual only in the portal agent config. If the user is unable to authenticate with LDAP, they could choose the SAML gateway instead.
