Cert profile and SAML to Azure with GP Gateway Machine Cert Possible?

L4 Transporter

Is it possible to use a Certificate Profile to verify a machine on your GP Gateway, all while using SAML authentication to Azure? SAML to our Azure instance works great for us now, but does the firewall use the certificate profile only as a 'pre-logon' user, or initial challenge, and then still send the user to Azure to complete SAML authentication? Considering using certificates to verify machines, but still want to use SAML. We have Azure-joined machines and are thinking they have a certificate on them somewhere with a CA we could utilize. Looking to add device authentication from an Azure-joined/trusted machine, and still use SAML for users.


Accepted Solutions
L4 Transporter

Yes, this is perfectly possible. We do this w/ our SAML authentication. If you add a certificate profile under your-GP-portal (or gateway) > Authentication > Certificate Profile, any client that connects to that portal/gateway will need a cert signed by that CA. You can still use SAML authentication for the user. From the documentation:

Certificate Profile
(Optional) Select the Certificate Profile the gateway uses to match those client certificates that come from user endpoints. With a Certificate Profile, the gateway authenticates the user only if the certificate from the client matches this profile.
If you set the Allow Authentication with User Credentials OR Client Certificate option to No, you must select a Certificate Profile. If you set the Allow Authentication with User Credentials OR Client Certificate option to Yes, the Certificate Profile is optional.
The certificate profile is independent of the OS.
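The gating the answer describes, modelled as an added Python example (not PAN-OS or Palo Alto code): a throwaway CA generated in memory stands in for the CA the Certificate Profile points at, a connecting client passes only if its certificate was actually signed by that CA, and the SAML outcome is assumed as a boolean input. The Yes branch of the Allow Authentication with User Credentials OR Client Certificate option is modelled as accepting either factor, which is my reading of the option's name rather than something the quoted text spells out.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer_cert=None, issuer_key=None):
    """Build a one-day certificate (constructed test data); self-signed if no issuer."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1)))
    return builder.sign(issuer_key or key, hashes.SHA256())

def cert_matches_profile(client_cert, profile_ca):
    """What the Certificate Profile enforces: a cert is present, names the profile CA
    as issuer, really carries that CA's signature, and is inside its validity window."""
    if client_cert is None or client_cert.issuer != profile_ca.subject:
        return False
    try:
        profile_ca.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                       ec.ECDSA(client_cert.signature_hash_algorithm))
    except InvalidSignature:  # issuer name matches but the CA never signed it
        return False
    now = datetime.datetime.utcnow()
    return client_cert.not_valid_before <= now <= client_cert.not_valid_after

def gateway_authenticates(client_cert, profile_ca, saml_user_ok, allow_credentials_or_cert=False):
    """Option set to No: the machine cert must match the profile AND SAML must succeed.
    Option set to Yes (assumed reading of its name): either factor alone is enough."""
    cert_ok = cert_matches_profile(client_cert, profile_ca)
    return (cert_ok or saml_user_ok) if allow_credentials_or_cert else (cert_ok and saml_user_ok)

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    profile_ca = make_cert("Corp Device CA", ca_key)            # the CA named in the profile
    managed = make_cert("laptop-01", ec.generate_private_key(ec.SECP256R1()), profile_ca, ca_key)
    spoof = make_cert("laptop-99", ec.generate_private_key(ec.SECP256R1()),
                      profile_ca, ec.generate_private_key(ec.SECP256R1()))  # right issuer name, wrong key
    return (gateway_authenticates(managed, profile_ca, saml_user_ok=True),   # True
            gateway_authenticates(spoof, profile_ca, saml_user_ok=True),     # False: not CA-signed
            gateway_authenticates(managed, profile_ca, saml_user_ok=False),  # False: user auth failed
            gateway_authenticates(None, profile_ca, True, allow_credentials_or_cert=True))  # True
```

Calling demo() returns (True, False, False, True); the spoof case is the one to note, since an issuer name alone proves nothing until the signature is checked against the profile CA.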


