Cert profile and SAML to Azure with GP Gateway Machine Cert Possible?


L4 Transporter

Is it possible to use a Certificate Profile to verify a machine on your GP Gateway, all while using SAML authentication to Azure? SAML to our Azure instance works great for us now, but does the firewall use the certificate profile only as a 'pre-logon' user, or initial challenge, and then still send the user to Azure to complete SAML authentication? Considering using certificates to verify machines, but still want to use SAML. We have Azure joined machines and are thinking they have a certificate on them somewhere with a CA we could utilize. Looking to add device authentication from an Azure joined/trusted machine, and still use SAML for users.

Accepted Solutions

L4 Transporter

Yes, this is perfectly possible. We do this with our SAML authentication. If you add a certificate profile under your-GP-portal (or gateway) > Authentication > Certificate Profile, any client that connects to that portal/gateway will need a cert signed by that CA. You can still use SAML authentication for the user. From the documentation:

Certificate Profile
(Optional) Select the Certificate Profile the gateway uses to match those client certificates that come from user endpoints. With a Certificate Profile, the gateway authenticates the user only if the certificate from the client matches this profile.
If you set the Allow Authentication with User Credentials OR Client Certificate option to No, you must select a Certificate Profile. If you set the Allow Authentication with User Credentials OR Client Certificate option to Yes, the Certificate Profile is optional.
The certificate profile is independent of the OS.
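
Added example, not part of the original post or the vendor documentation: a PowerShell inventory of the certificates in a Windows endpoint's machine store that could serve as the client certificate described above, grouped by issuing CA. It assumes the candidate certificate lives in `Cert:\LocalMachine\My`; whether any issuer it lists is a CA you can place in a Certificate Profile is something to confirm, not something the script establishes.

```powershell
# Added example (not from the thread): list machine-store certificates that
# are currently valid, have a private key, and are usable for client auth.
# Assumption: the candidate certificate is in the LocalMachine\My store.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID: Client Authentication
$now = Get-Date

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    # Collect the EKU OIDs; an absent or empty EKU list yields an empty array.
    $ekuOids = @($_.EnhancedKeyUsageList |
        Where-Object { $_ } |
        ForEach-Object { $_.ObjectId })

    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter -gt $now -and
    # A certificate with no EKU extension is not restricted to any purpose.
    ($ekuOids.Count -eq 0 -or $ekuOids -contains $clientAuthOid)
}

# Per-certificate detail: who issued it, who it names, when it expires.
$candidates |
    Sort-Object Issuer, NotAfter |
    Select-Object Issuer, Subject, Thumbprint, NotBefore, NotAfter |
    Format-List

# Summary by issuer: each distinct issuer is a CA that signed at least one
# usable machine certificate on this endpoint.
$candidates |
    Group-Object Issuer |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it on a few representative endpoints and compare the issuer summary: a Certificate Profile only helps if the same issuing CA appears on every machine you expect to connect.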


