So the Azure guy set it up, but then made me the owner so I can edit as needed. I think the part that isn't clicking in my head is right now I have the CP running through GlobalProtect.
If I click on Test in Azure, I get the push notification on my phone, I click approve and then browser opens a new tab with the Palo logo on the tab and it says 502 Bad gateway and the URL is https://website:6082/SAML20/SP/ACS
The link listed in Network > GlobalProtect > Portals > MY_Portal > Agent is https://website:6082
I think this is doable, I just haven't found any good instructions on how to do this.
FYI, I really appreciate your time in speaking with me.
While I do not know if this is possible, I do find it intriguing. I know the captive portal page can be modified, not sure if to the extent of what you are looking for however. Perhaps an SSO or SAML solution would work if you already have one?
Just throwing out ideas.
This should get you pretty close:
Set up GlobalProtect
Add the new captive portal to the portal agent configuration - Network > GlobalProtect > Portals > GP_Portal > Agent
Alias to point to VLAN 961 Example: server.mfa.company.com 10.10.10.10
Set up Azure
Basic SAML Configuration
Identifier (Entity ID) https://server.mfa.company.com:6082/SAML20/SP
Reply URL (Assertion Consumer Service URL) https://server.mfa.company.com:6082/SAML20/SP/ACS
Federation Metadata XML Download
Set up Palo Alto:
SAML Identity Provider
Device > Server Profiles > SAML Identity Provider > Import
Device > Authentication Profile > Add
Type = SAML
IDP Server Profile = SAML Identity Provider created above
Username Attribute = username
Advanced Tab > Allow List = all
Objects > Authentication > Add
Authentication Method = web-form
Authentication Profile = Authentication Profile created above
Policies > Authentication > Pre Rules > Add
Action Tab > Authentication Enforcement > Authentication Object created above
Let me know if you have any questions.
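The identifier strings in the checklist above are where this setup most often goes wrong: the Entity ID and Reply URL registered in Azure must be exactly what the firewall presents, and the IdP server profile on the firewall is built from the federation metadata download. The following is an added example, not code from this thread, from Palo Alto Networks or from Microsoft. It assumes the SP identifier pattern shown in the steps (https://<portal-host>:6082/SAML20/SP and .../SAML20/SP/ACS), a federation metadata document in the standard SAML 2.0 metadata format, and the function names and the constructed sample metadata (placeholder tenant ID and certificate body) are mine. It cross-checks the two sides before anything is imported, reporting a case-only difference separately from a scheme, host, port or path difference, and extracts the IdP entity ID, redirect-binding SSO URL and signing certificate that the firewall profile needs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the "Federation Metadata XML" download.
# The tenant ID and certificate body are placeholders, not a real tenant.
SAMPLE_IDP_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def expected_sp_identifiers(portal_host: str, port: int = 6082) -> dict:
    """SP Entity ID and ACS URL the firewall presents for a captive-portal host,
    following the pattern in the steps above (assumed fixed path, port 6082)."""
    base = f"https://{portal_host}:{port}/SAML20/SP"
    return {"entity_id": base, "acs_url": base + "/ACS"}


def compare_identifier(presented: str, registered: str) -> str:
    """Compare the identifier the firewall presents with the one registered in
    Azure, as opaque strings. Returns 'match', 'case-mismatch' (only letter case
    differs) or 'mismatch: <component>' naming the first differing URL part."""
    if presented == registered:
        return "match"
    if presented.lower() == registered.lower():
        return "case-mismatch"
    p, r = urlsplit(presented), urlsplit(registered)
    for component in ("scheme", "hostname", "port", "path"):
        if getattr(p, component) != getattr(r, component):
            return f"mismatch: {component}"
    return "mismatch: other"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the firewall's SAML IdP server profile is built from:
    IdP entity ID, the HTTP-Redirect SSO URL and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    sso_redirect = None
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_redirect = svc.get("Location")
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text and cert.text.strip():
                    certs.append(cert.text.strip())
    return {"entity_id": root.get("entityID"),
            "sso_redirect": sso_redirect,
            "signing_certs": certs}


def check_setup(portal_host: str, azure_entity_id: str,
                azure_reply_url: str, idp_metadata_xml: str) -> dict:
    """Run both checks: SP identifiers against Azure, and IdP metadata contents."""
    exp = expected_sp_identifiers(portal_host)
    idp = parse_idp_metadata(idp_metadata_xml)
    return {
        "entity_id": compare_identifier(exp["entity_id"], azure_entity_id),
        "acs_url": compare_identifier(exp["acs_url"], azure_reply_url),
        "idp_entity_id": idp["entity_id"],
        "idp_sso_redirect": idp["sso_redirect"],
        "idp_signing_cert_present": bool(idp["signing_certs"]),
    }


if __name__ == "__main__":
    result = check_setup("server.mfa.company.com",
                         "https://server.mfa.company.com:6082/SAML20/SP",
                         "https://server.mfa.company.com:6082/SAML20/SP/ACS",
                         SAMPLE_IDP_METADATA)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the real portal hostname and the values pasted from the Azure Basic SAML Configuration blade; a 'case-mismatch' result means the two strings differ only in letter case, which is still not equal as far as an exact string comparison goes, and a 'mismatch: port' result usually means the :6082 was dropped on one side.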
Thank you RobertShawver! I appreciate the help. When you mentioned adding the new captive portal to the portal agent configuration, where do I put that? Is that under the App tab of the portal agent configuration? My guess is under Trusted MFA Gateways as described in Step 6, item 3, from the following document: Configure GlobalProtect to Facilitate Multi-Factor Authenti... (paloaltonetworks.com) Piecing things from different places.
Another question: server.mfa.company.com, does that have to externally resolve? The azureadminblog post seemed to indicate you only need internal, but someone told me it needs to be external for Azure to talk to it.
@RobertShawver getting close, but not there yet. Browser-based applications I get redirected over HTTP to Azure, but after trying to authenticate I get AADSTS700016 Application with identifier 'https://cp.domain.com:6082/saml20/sp' was not found in the directory... Also, not getting the notification from GlobalProtect when attempting non-browser based. Appreciate any help.
Hey Chris -
I'll admit that troubleshooting without seeing your setup is a bit of a challenge.
What I did was follow these instructions but with these caveats:
Step 2: Add a SAML IDP
Step 3: Skip this step (this is why it took me so long to get this going; it took me a while to figure out that I needed to skip step 3.)
I suspect you may have the same issue as I seem to remember that error you spoke about.