10-30-2018 08:49 AM
We have configured global protect client 4.1.6.
We want to use MS Azure for MFA can we do this by using SAML?
10-31-2018 04:12 PM
Creating a cookie override on the portal and accepting it on the gateway made it work.
10-31-2018 05:46 PM
I agree I should have opened a separate discussion for this, but things happened very quickly at my end.
My apologies for that.
06-30-2020 12:19 AM
We posted a training video explaining how to securely set up SAML authentication end-to-end against Office 365 Azure AD. The critical element which explains how to set up certificate validation of the SAML Identity Provider to address the SAML Bypass Vulnerability (CVE-2020-2021) starts at 29:35. It shows how to enable "Validate Identity Provider Certificate" and fix the commit error "Validate Identity Provider Certificate is checked but no Certificate Profile is provided authentication-profile"
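The post above is about the "Validate Identity Provider Certificate" setting. The following is an added illustration, not Palo Alto Networks code and not the video's configuration: it models the difference between the box being unchecked (whatever certificate the SAML response carries in ds:KeyInfo is trusted) and checked (the signing certificate must match the firewall's certificate profile). The certificate bytes and the SAMLResponse are constructed stand-ins, and the cryptographic XML-DSig signature check itself is deliberately left out; a real implementation must verify the signature with a proper XML-DSig library in addition to the pinning shown here.

```python
"""Model of the "Validate Identity Provider Certificate" decision (added example).

Only the certificate-pinning step is shown; the RSA/ECDSA signature over the
assertion is NOT verified here and must be done by a real XML-DSig library.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
IDP_CERT_DER = b"constructed-idp-signing-certificate-der"
ATTACKER_CERT_DER = b"constructed-attacker-certificate-der"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as a hex string."""
    return hashlib.sha256(der).hexdigest()


# The "certificate profile": the only signing certificate(s) the gateway trusts.
CERT_PROFILE = {fingerprint(IDP_CERT_DER)}


def build_response(cert_der: Optional[bytes]) -> str:
    """Construct a minimal base64 SAMLResponse; cert_der=None means unsigned."""
    sig = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        sig = (
            '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            "<ds:SignatureValue>AAAA</ds:SignatureValue>"
            "<ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo>"
            "</ds:Signature>"
        )
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Issuer>https://idp.example.test/</saml:Issuer>"  # constructed issuer
        f"{sig}"
        "<saml:Assertion><saml:Subject><saml:NameID>alice</saml:NameID>"
        "</saml:Subject></saml:Assertion>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def extract_signing_cert(saml_response_b64: str) -> Optional[bytes]:
    """Return the DER certificate carried in ds:KeyInfo, or None if absent."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        return None
    return base64.b64decode(node.text.strip())


def accept_response(saml_response_b64: str, validate_idp_certificate: bool,
                    cert_profile=CERT_PROFILE) -> Tuple[bool, str]:
    """Decide whether to trust the response under either setting of the checkbox."""
    cert = extract_signing_cert(saml_response_b64)
    if cert is None:
        return False, "rejected: no signature / signing certificate in response"
    if not validate_idp_certificate:
        # Unchecked box: the certificate the response itself supplies is trusted,
        # so an attacker can sign with any key and include the matching cert.
        return True, "accepted: certificate not validated (unsafe)"
    if fingerprint(cert) not in cert_profile:
        return False, "rejected: signing certificate not in certificate profile"
    return True, "accepted: signing certificate matches certificate profile"


if __name__ == "__main__":
    for label, der, validate in [
        ("genuine IdP, validation on", IDP_CERT_DER, True),
        ("attacker cert, validation on", ATTACKER_CERT_DER, True),
        ("attacker cert, validation off", ATTACKER_CERT_DER, False),
    ]:
        print(label, "->", accept_response(build_response(der), validate))
```

The third case is the one the checkbox exists to close: with validation off, a response signed by a key the attacker controls is accepted as long as the attacker embeds their own certificate. Pinning the profile is what makes the signature verification meaningful, and why the commit refuses an authentication profile that enables validation without naming a certificate profile.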
06-30-2020 08:11 PM
Hi @LarsAtConsigas ,
What about for Okta if we don't use Azure AD for this?
We use GlobalProtect and VPN.
Okta's guide here says to not check the Validate Identity Provider certificate:
06-30-2020 10:34 PM
Hi @JohnQuile , I haven't worked with Okta but I imagine that the steps are very similar.
07-01-2020 07:13 AM
There's nowhere in Okta to import a certificate, so I guess we can't do this with Okta?
08-19-2020 12:16 AM
To enable "Validate IDP certificate", what certificate is required? Will an internal certificate suffice, as you mentioned in the video? Or does it have to be a publicly trusted certificate signed by a vendor like GoDaddy, DigiCert, etc.?
Because in the video, the GP gateway address is an internal IP address.
I am using public IP addresses for both the portal and the gateway.
09-13-2020 05:19 PM
As this certificate is intended only for signing between two specific endpoints, you can use an internal certificate without grief.
09-20-2020 09:16 PM
@badamsredeye Thanks for the response. I was able to get the MFA working.
Now I am stuck with an issue: MFA works on the HTTPS page of GlobalProtect, but it doesn't work on the GlobalProtect client.
Do I need to be on a specific client version? I am on 5.0.x.
09-21-2020 01:29 AM
@raghavendra.badiger I am having good luck with later 5.1 builds - if you're upgrading to 5.1.x, jump straight to 5.1.6 to avoid an ugly bug that we hit on Win7 machines w/5.1.4 and 5.1.5 causing them to be unable to connect entirely.
09-21-2020 02:27 AM
I tried 5.1.1; however, I am still not able to get that working on the client.
09-21-2020 04:54 AM
@badamsredeye Did you create any conditional access on Azure AD? When I use 5.1.6-18 it doesn't prompt me for MFA; it directly connects me. Is there something you can help with?
05-17-2022 06:19 PM
Hi there,
What is the difference between using the existing MS O365 Azure service and ADFS for SAML for GP VPN users?
Thanks.