- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-07-2024 09:42 AM
Greetings all, I hope you can help me.
I currently have Globalprotect set up on a single firewall - both portal and gateway. We're using Radius for authentication, it is working well.
We want to transition to SAML. For testing purposes, we'd like to have SAML configured for a specific test user (or group), while leaving the current authentication scheme in place.
Reordering "Client authentication" does not do it - if I put "SAML-GP" in the first position, SAML works, but no one else can authenticate. I'm not sure I understand why client authentication order can be changed, but that's the behavior I'm getting.
I'd RATHER not re-ip everything. I'm thinking that a separate portal with different public IP is the answer; do I have to add a second gateway, too?
I don't THINK I do, if I simply specify the current gateway in the portal config.
Thoughts? Am I overcomplicating things?
Thanks!
Iain
05-07-2024 09:59 AM
If you move SAML to the top then SAML takes precedence because your OS type is "any".
You can't use both SAML and RADIUS on same portal/gateway at the same time for different groups of users.
05-08-2024 06:04 AM
Yes you can.
Keep portal as is and set up new gateway.
Using user or group membership point some users to new gateway.
05-08-2024 06:44 AM
@mannix wrote:
Greetings all, I hope you can help me.
I currently have Globalprotect set up on a single firewall - both portal and gateway. We're using Radius for authentication, it is working well.
We want to transition to SAML. For testing purposes, we'd like to have SAML configured for a specific test user (or group), while leaving the current authentication scheme in place.
Reordering "Client authentication" does not do it - if I put "SAML-GP" in the first position, SAML works, but no one else can authenticate. I'm not sure I understand why client authentication order can be changed, but that's the behavior I'm getting.
I'd RATHER not re-ip everything. I'm thinking that a separate portal with different public IP is the answer; do I have to add a second gateway, too?
I don't THINK I do, if I simply specify the current gateway in the portal config.
Thoughts? Am I overcomplicating things?
Thanks!
Iain
We've recently switched to SAML auth for our GP, and we're told that if using SAML for auth that is the only auth mechanism that can be used. So no matter how many mechanism you use in an auth profile if SAML is there only SAML will be used.
Not too sure how accurate that is, but that's what we were told from our SE.
05-08-2024 07:25 AM
What about the inverse - adding a portal, and within that portal, configure my existing external gateway?
I'm trying to create a situation where I can have test users authenticate with saml/Azure, without impacting our existing users.
My thought was to create a second portal, with a different public IP/natted to a loopback. Check "Generate cookie for authentication override" in the authentication portion of the portal config.
That way, I can configure portal2 to use SAML, other users will be none the wiser.
What am I missing? I _THINK_ this will work.
Thanks!
Iain
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!