Okta SAML Auth with Push Only for VPN (SSO for Okta Login)

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Okta SAML Auth with Push Only for VPN (SSO for Okta Login)

L1 Bithead

Is it possible to configure Global Protect VPN connection such that....


  1. Pre-logon connects user during login
  2. After login, they get prompted to Okta login to proceed to user session (vs pre-logon session)
  3. Okta SSO works so they do not need to re-enter their AD credentials - this requires the pre-login tunnel to stay up while authenticating user
  4. Push auth w/ Okta for MFA


...or maybe this way....


  1. User logs into laptop with cache credentials
  2. User initiates VPN connection
  3. VPN authentication staged in such a way that it allows connection to the SSO server internally, so that Okta can SSO the user, then initiate a push before sending SAML auth and establishing full tunnel?


The goal I am trying to accomplish is really one basic thing: if the user logs into their laptop I want that to be FIRST FACTOR and for them to not be asked for it again (SSO).  But I want to secure full VPN tunnel w/ a second factor, and I want "push" or "enter code" from Okta mobile app to be that.  Problem is, Okta has not authenticated the remote user and SSO only works if the Okta SSO/IWA server is accessible to the host (and that server is in back office, and it's not secure to expose it to WAN)....so I am kind of in a pickle here (quite an annoying one if you ask me).  Once VPN is up - SSO works great!  Go figure.


I hope I am making sense!


L0 Member

Did you have any luck with this? We are trying to accompish something similar with Duo. 

Yes and no.  We got this working w/ Duo cause their RADIUS agent can be customized such that a single method of 2FA is required.  Therefore the cache reds in GP client work great, and then the user receives a transparant push to their phone. 


In talking w/ local Palo field office here, they are suggesting a more interesting way of approaching this.  We can run always on VPN for laptops so that as soon as they go online their web traffic is routed through the VPN and it's seen as VPN->WAN (zone).  We can allow tokenized logins this way (no user password required).  Then, when they attempt to connect to a resource such as VPN->LAN the SAML auth will kick in using their MFA feature on the firewall.  The MFA feature can be app based, protocol based or zone based I think.  We are barely beginning to explore this.

Note: one drawback to this design is that you cannot connect to VPN without your mobile device being online.  This becomes an issue on airplanes.  YMMV

L1 Bithead


Did pre-login and SAML worked  together in one scenario? 

L0 Member

How did you get Okta working with VPN? I've had 7 different Palo Alto tech's try to help me set it up but I receive an authentication error after it signs in through the Okta splash page. No issues for the web ui portal to download Global Protect only an issue when we try to use Global Protect Windows App.

Hi, any solution to the Global Protect issue?

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!