We have a GP configuration with 8 GP Gateways and 2 of them are acting as a GP Portal for backup.
We are using SAML authentication with Azure and wanted to know how to you deploy GP with SAML authentication in large scale.
Currently I have configured 3 SAML apps on Azure one for each PA device but I think it is not the right configuration since now I am getting that each SAML App's domain need to be unique and the Portal domain is for example: vpn.company.com and I need to deploy it to 2 SAML Apps.
My assumptions are that because we only use SP Initiated SAML authentication meaning that the authentication process starts at the PA device I can just add all of the domains that are relevant on a single SAML App and install that Metadata file on all of the Pas. Am I right ?
Yes i've add both PA URL's in Azure in the same app, see below.
In our case we use an Azure Loadbalancer for the balanced portal configuration.
That portal points to the direct addresses of the firewall for the gateway connectivity.
The whole point of SSO/SAML is to use a single identity provider/authentication provider (Azure AD in this case) and have multiple serviceproviders (GP Portal and Gateways in this case) use it.
yes it is working as i described, 1 enterprise SAML application with all the domains that your PA are using by the way if you have a lot i thing your can use *.my.domain for example (although i don't think it is best practice)
if you have problems you can try the "miniOrange SAML Tracer" extention maybe you will see the SAML Assertions
Thank you for the reply, I use the Globalprotect portal in Azure, like this, "vpn-xxx.domain.com" and it's working fine. For gateway , its running in on-prem firewall "vpn-yyy.domain.com" , I have added vpn-yyy.domain.com in the "vpn-xxx.domain.com" ( same Azure Enterprise app) and imported metadata. Still not working. I'll try the fresh installation.
Hi @BalaBWV , if AAD responds with "invalid identifier" make sure you've included the port in the Entity ID in the Enterprise app like in @sebastianvd's screenshot, i.e. https://vpn-yyy.domain.com:443/SAML20/SP as that is what the auth profile presents to the client / SP in the request. As long as you have both identities and ACS included in the app it should work for both portal and gateway.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!