GlobalProtect authentication with Azure SAML question for multiple portals.


L3 Networker

Hi All,

Maybe more a question for Azure; I will do more research, but thought in the meantime I'd check with the LIVEcommunity also.

So, trying to find out if this is possible... not that familiar with the Azure side of things.

We have one Panorama that manages a number of NGFWs, all in their own device groups/template stacks etc.

FW_A has a GP portal called fwaportal.domain.com

FW_D also has its own portal called fwdportal.domain.com

So the Azure team has set up the Palo Alto GlobalProtect app, used the FQDN 'fwaportal.domain.com', and did an export and then an import into the FW_A template; all good, as per the doc below:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

Now... if we want FW_D to also start using SAML, how can this be done?

Can we ingest fwdportal.domain.com into the same SAML config, or should/can we have multiple SAML configs on Azure?

Thanks in advance

 

3 REPLIES

L4 Transporter

Hello,

Yes, you can use the same Azure app and metadata for multiple GlobalProtect portals and gateways, as that's what we do. On the Azure app you would need to add the additional URLs under the SSO settings.

L3 Networker

Thanks Claw.

One question on the SSO settings: so we can add additional portal URLs under the 'Identifier' and 'Reply URL'. However, under the 'Sign on URL', it does not have the option to add additional URLs and is currently set to 'fwaportal.domain.com'.

Can it be left as is, or will this have any impact for users connecting to the second portal, fwdportal.domain.com?

Or do we just leave this blank?

Thanks

 

Yeah, you can only add one item under the Sign on URL, and you can't leave it blank as it's a required field. Gonna be honest, not exactly sure what that piece is needed for; it may be if you initiate a connection from Azure to your GP portal's webpage. We've brought down our main portal/gateway (the one we have listed in the Sign on URL) and been able to connect to our other ones via the same SAML Azure app.
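The two replies above describe one Azure app serving several portals by listing every portal under Identifier and Reply URL. The following is an added example, not code from this thread, from Palo Alto Networks or from Microsoft: a small Python script that derives the Identifier and Reply URL entries the shared app needs for each portal, and then checks that an assertion issued by that shared app is bound to the portal that actually received it (Destination, SubjectConfirmationData/@Recipient and Audience must all name the receiving portal, and the assertion must be inside its validity window). The URL pattern `https://<fqdn>:443/SAML20/SP` and `.../SAML20/SP/ACS`, the tenant issuer URL, and the sample response are assumptions constructed for the example; XML signature verification is out of scope here and must be done first in any real service provider. The check does not depend on the Sign on URL at all.

```python
"""Added example: derive Azure app SSO URLs for several GlobalProtect portals and
check that a SAML Response from the shared app is bound to the receiving portal.
Not Palo Alto Networks or Microsoft code; URL patterns and sample data are assumed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed IdP entity ID of the Azure tenant; the tenant ID is a placeholder.
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def sp_urls(portal_fqdn: str) -> dict:
    """Identifier (Entity ID) and Reply URL (ACS) a portal presents to the IdP.
    Assumed pattern: https://<fqdn>:443/SAML20/SP and .../SAML20/SP/ACS."""
    base = f"https://{portal_fqdn}:443/SAML20/SP"
    return {"identifier": base, "reply_url": base + "/ACS"}


def azure_app_urls(portal_fqdns):
    """Every Identifier and Reply URL the single Azure app has to list so that
    all portals can authenticate against it."""
    ids = sorted(sp_urls(f)["identifier"] for f in portal_fqdns)
    acs = sorted(sp_urls(f)["reply_url"] for f in portal_fqdns)
    return ids, acs


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, receiving_portal: str, now: datetime) -> list:
    """Return a list of problems (empty means the Response is bound to this portal).
    Signature verification is deliberately not done here; a real SP verifies the
    XML signature against the IdP certificate from the federation metadata first."""
    expected = sp_urls(receiving_portal)
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["reply_url"]:
        problems.append(f"Destination {root.get('Destination')} is not this portal's ACS")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        problems.append(f"unexpected issuer {issuer}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion present"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["reply_url"]:
        problems.append("SubjectConfirmationData/@Recipient does not match this portal's ACS")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["identifier"] not in audiences:
        problems.append(f"Audience {audiences} does not include this portal's identifier")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    return problems


def sample_response(portal_fqdn: str) -> str:
    """Constructed, unsigned Response as the shared app would issue for a request
    that came from portal_fqdn (placeholder IDs, user and times)."""
    u = sp_urls(portal_fqdn)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{u['reply_url']}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@domain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{u['reply_url']}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{u['identifier']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


# A clock value inside the validity window of the constructed samples.
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)


def demo():
    """A Response issued for fwdportal is accepted by fwdportal; one issued for
    fwaportal and presented to fwdportal fails on Destination, Recipient and Audience."""
    good = check_response(sample_response("fwdportal.domain.com"), "fwdportal.domain.com", NOW)
    crossed = check_response(sample_response("fwaportal.domain.com"), "fwdportal.domain.com", NOW)
    return good, crossed


if __name__ == "__main__":
    ids, acs = azure_app_urls(["fwaportal.domain.com", "fwdportal.domain.com"])
    print("Identifiers to list on the Azure app:", *ids, sep="\n  ")
    print("Reply URLs to list on the Azure app:", *acs, sep="\n  ")
    good, crossed = demo()
    print("fwdportal response at fwdportal:", good or "OK")
    print("fwaportal response at fwdportal:", *crossed, sep="\n  ")
```

The point of the second check is that sharing one Azure app across portals only stays safe if each portal still rejects an assertion whose Audience and Recipient name a sibling portal; otherwise an assertion captured on the way to fwaportal could be replayed against fwdportal.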
