GlobalProtect authentication with Azure SAML question for multiple portals.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect authentication with Azure SAML question for multiple portals.

L3 Networker

Hi All,

maybe more a question for Azure, will do more research but thought in the meantime id check with the livecommunity also.

 

so trying to find out if this is possible.. not that familiar with Azure side of things.

we have 1 Panorama that manages a number of NGFWs all in their own device groups/template stacks etc.

 

FW_A has a gp portal called fwaportal.domain.com  

FW_D also has it's own portal called fwdportal.domain.com

 

so the Azure team has setup the palo alto globalprotect app and used the fqdn for 'fwaportal.domain.com' and did an export and then import into the FW_A template all good as per the doc below

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

 

 

now.. if we want FW_D to also start using saml - how can this be done?

can we ingest fwdportal.domain.com into the same saml config or should/can we have multiple SAML configs on Azure?

 

thanks in adv

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

 

Yes you can use the same Azure app and meta data for multiple GlobalProtect portals and gateways as thats what we do. On the Azure app you would need to add the additional urls under the SSO settings. 

L3 Networker

Thanks Claw..

one question on the sso settings.. so we can additional portal URLs under the 'identifier' and 'reply URL'. however under the 'Sign On URL', it does not have the option to add additional URLs and is currently set to 'fwaportal.domain.com '

can it be left as is or will this have any impact for users connecting to the second portal - fwdportal.domain.com 

or do we just leave this as blank?

 

 

thanks

 

Yeah you can only add one item under the sign-on url, and you cant leave it blank as its a required field. Gonna be honest not exactly sure what that piece is needed for, it may be if you initiate a connection from Azure to your GP portals webpage. We've brought down our main potal/gateway (the one we have listed in the sign on url) and been able to connect to our other ones via the same SAML Azure app. 

  • 1212 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!