04-14-2025 04:27 AM
I would like to know if it is possible to configure SAML to authenticate and in case something in the SAML part is not working, certificate authentication is used. This is for GP authentication.
So SAML + certificate auth (backup option).
I understand that i will need a authprofile with SAML auth. But where can i choose the backup auth by certificate?
04-14-2025 05:43 AM
I am not aware of straight forward way to achieve this.
Only way to have backup auth would be to use auth sequence but you can't use SAML with auth sequence.
With DUO 2FA you could set it as LDAP proxy in between Palo and AD.
This would allow to use auth sequence and use secondary auth profile if first is not accessible.
04-14-2025 06:04 AM
So Can i create a auth sequence 1) SAML 2) LDAP (just in case SAML fails) ??
Because if i have only SAML and anything in SAML part goes down, i would have outage. RIght?
04-14-2025 06:11 AM
No SAML and auth sequence are not compatible.
If you use SAML you can't use auth sequence.
If you reconfigure your 2FA to use LDAP instead of SAML then you can accomplish redundancy.
04-14-2025 06:42 AM
So if we use SAML (EntraID) for 2FA and we dont have any backup authentication.what would it be if anything in EntraID is down? what is recommended in this case?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
