Using SAML with Global Protect Client and MS Azure

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using SAML with Global Protect Client and MS Azure

Cyber Elite
Cyber Elite

 

We have configured global protect client 4.1.6.

We want to use MS Azure for MFA can we do this by using SAML?

MP

Help the community: Like helpful comments and mark solutions.
28 REPLIES 28

creating a cookie override  on portal  and accepting on gateway make it worked

 

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

@MP18 wrote:

creating a cookie override  on portal  and accepting on gateway make it worked

 


Isn't this something completely different than what you were asking in your initial post?


@MP18 wrote:

We want to use MS Azure for MFA can we do this by using SAML?

 


 

I agree i should have open separte discussion for this but things happened very quickly at my end.

My apologies for that.

 

 

MP

Help the community: Like helpful comments and mark solutions.

We posted a training video explaining how to securely set up SAML authentication end-to-end against Office 365 Azure AD. The critical element which explains how to set up certificate validation of the SAML Identity Provider to address the SAML Bypass Vulnerability (CVE-2020-2021) starts at 29:35. It shows how to enable "Validate Identity Provider Certificate" and fix the commit error "Validate Identity Provider Certificate is checked but no Certificate Profile is provided authentication-profile"

Hi @LarsAtConsigas ,

What about for Okta if we don't use Azure AD for this? 

We use GlobalProtect and VPN. 

Okta's guide here says to not check the Validate Identity Provider certificate:

https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.h...

Hi @JohnQuile , I haven't worked with Okta but I imagine that the steps are very similar.

@LarsAtConsigas 

There's nowhere in Okta to import a certificate so i guess we can't do this with Okta? 

To enable "Validate IDP certificate", what certificate is required? Does an internal certificate will suffice as you have mentioned in the video? Or does it has to be public trusted certificate signed by vendor like GoDaddy, DigiCert, etc....

Because in the video, GP gateway address is an internal IP address.

 

I am using both public IP address for portal and gateway.

As this certificate is intended only for signing between two specific endpoints, you can use an internal certificate without grief.

@badamsredeyeThanks for the response I was able to get the MFA working.

 

Now I am stuck with a issue that MFA works on https page of Global Protect but it doesnt work on the Global Protect client.

Do I need to be on specific client version? I am on 5.0.x.

@raghavendra.badiger  I am having good luck with later 5.1 builds - if you're upgrading to 5.1.x, jump straight to 5.1.6 to avoid an ugly bug that we hit on Win7 machines w/5.1.4 and 5.1.5 causing them to be unable to connect entirely.

I tried on 5.1.1 however still not able to get that working on client.

@badamsredeyeDid you create any conditional access on Azure AD? When I use 5.1.6-18 it doesnt prompt me MFA, it directly connects me. Is there something you can help?

Hi there,

 

what is difference of using existing MS O365 Azure service or ADFS for SAML for GP vpn user?

 

Thanks.

  • 28504 Views
  • 28 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!