01-06-2023 02:21 PM
Is a user able to update their password (when its expired or a force change is required) in Global Protect when using SAML Azure AD authentication? There is this older document saying its possible when using Radius with PEAP-MSCHAPv2 authentication but I'm wondering about SAML.
Expired Active Directory Password Change for Remote Users (paloaltonetworks.com)
01-07-2023 06:57 AM
Hello there. I looked for the article in the current versions of GP Admin Guide and did not find a listing to reset their passwords.
There are choices that can be utilized.
The first is VPN with prelogon (not On Demand)
To enable users to connect and change their expired passwords without administrative
intervention, consider using Remote Access VPN with Pre-Logon.
If a user’s password expires, you can assign a temporary LDAP password to enable
them to log in to GlobalProtect. In this case, the temporary password may be used to
authenticate to the portal, but the gateway login may fail because the same temporary
password cannot be re-used. To prevent this issue, configure an authentication
override in the portal configuration (Network > GlobalProtect > Portal) to enable the
GlobalProtect app to use a cookie to authenticate to the portal and the temporary
password to authenticate to the gateway..
The second choice is that I am pretty sure that O365 or other current MS cloud solutions have a portal where a user can reset their password. I guess this would be outside of GP, which was your request... to change it on GP.. and I do not think that is supported.
What other questions may I answer for you?
01-07-2023 06:57 AM
Hello there. I looked for the article in the current versions of GP Admin Guide and did not find a listing to reset their passwords.
There are choices that can be utilized.
The first is VPN with prelogon (not On Demand)
To enable users to connect and change their expired passwords without administrative
intervention, consider using Remote Access VPN with Pre-Logon.
If a user’s password expires, you can assign a temporary LDAP password to enable
them to log in to GlobalProtect. In this case, the temporary password may be used to
authenticate to the portal, but the gateway login may fail because the same temporary
password cannot be re-used. To prevent this issue, configure an authentication
override in the portal configuration (Network > GlobalProtect > Portal) to enable the
GlobalProtect app to use a cookie to authenticate to the portal and the temporary
password to authenticate to the gateway..
The second choice is that I am pretty sure that O365 or other current MS cloud solutions have a portal where a user can reset their password. I guess this would be outside of GP, which was your request... to change it on GP.. and I do not think that is supported.
What other questions may I answer for you?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
