08-20-2025 04:12 AM
We currently use GlobalProtect with LDAP + machine cert authentication on our production firewalls (managed by Strata Cloud Manager).
We’ve tested SAML auth via Azure AD on a non-production firewall using Cloud Identity Manager and it works fine. Now we’d like to test it on production without forcing it as the default profile (to avoid impacting live users).
On the production firewall:
- I removed myself from the on-prem AD group tied to the current LDAP-based auth profile.
- Added the SAML (SSO with Azure AD) method as a secondary authentication method on both the portal and the gateway.
Despite this, when testing, I still get authenticated using the LDAP method rather than being redirected to Azure SSO.
08-20-2025 02:01 PM
Hi @ParisVcr ,
At the moment, SAML cannot be triggered on the same GP portal/gateway that has Local/RADIUS/LDAP/TACACS configured first. Likewise, Local/RADIUS/LDAP/TACACS would not be triggered on a GP portal/gateway that has SAML configured at the top of the client auth.
For SAML to work correctly, it must be the only auth method configured for the portal/gateway (as you tested successfully in non-prod).
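The rule in the reply above (SAML only triggers when it is the sole method in a portal's or gateway's client authentication list) is easy to break when someone appends an SSO profile "as a secondary method" on a production box. The script below is an added example, not code from the thread or from Palo Alto Networks: it reads a PAN-OS configuration XML and flags every GlobalProtect portal or gateway whose client-auth list mixes a SAML authentication profile with a Local/RADIUS/LDAP/TACACS+ profile. The element paths (`authentication-profile/entry/method/<saml-idp|ldap|...>`, `global-protect-portal/entry/portal-config/client-auth/entry`, `global-protect-gateway/entry/client-auth/entry`) follow the PAN-OS XML layout as I understand it and are an assumption; the embedded sample config is constructed to mirror the poster's setup (LDAP listed first, SAML added second on the portal, SAML alone on the gateway).

```python
"""Audit a PAN-OS config export for GlobalProtect portals/gateways that mix SAML
with other client authentication methods (an added example, not from the thread).

Assumptions: element names below match the PAN-OS config XML. Verify against a
real `show config running` export before trusting the output in production.
"""
import xml.etree.ElementTree as ET

# Constructed sample: portal GP-Portal has LDAP first and SAML second (the
# misconfiguration from the thread); gateway GP-GW has SAML alone.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <authentication-profile>
      <entry name="AP-LDAP"><method><ldap><server-profile>LDAP-SRV</server-profile></ldap></method></entry>
      <entry name="AP-SAML"><method><saml-idp><server-profile>AzureAD</server-profile></saml-idp></method></entry>
      <entry name="AP-CERT"><method><none/></method></entry>
    </authentication-profile>
    <global-protect>
      <global-protect-portal>
        <entry name="GP-Portal"><portal-config><client-auth>
          <entry name="LDAP"><authentication-profile>AP-LDAP</authentication-profile></entry>
          <entry name="SSO"><authentication-profile>AP-SAML</authentication-profile></entry>
        </client-auth></portal-config></entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="GP-GW"><client-auth>
          <entry name="SSO"><authentication-profile>AP-SAML</authentication-profile></entry>
        </client-auth></entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""

SAML_METHOD = "saml-idp"


def auth_methods(root):
    """Map authentication-profile name -> method tag (ldap, saml-idp, radius, ...).

    <authentication-profile> also appears as a leaf inside client-auth entries;
    only the table element has <entry> children, so the leaves contribute nothing.
    """
    methods = {}
    for table in root.iter("authentication-profile"):
        for entry in table.findall("entry"):
            method = entry.find("method")
            if method is not None and len(method):
                methods[entry.get("name")] = method[0].tag
    return methods


def client_auth_lists(root):
    """Yield (kind, name, [profile names in configured order]) per portal/gateway."""
    for kind, container in (("portal", "global-protect-portal"),
                            ("gateway", "global-protect-gateway")):
        for node in root.iter(container):
            for entry in node.findall("entry"):
                client_auth = entry.find(".//client-auth")
                if client_auth is None:
                    continue
                profiles = [e.findtext("authentication-profile")
                            for e in client_auth.findall("entry")]
                yield kind, entry.get("name"), profiles


def find_mixed_saml(xml_text):
    """Return [(kind, name, [(profile, method), ...])] for every portal/gateway
    whose client-auth list contains a SAML profile next to a non-SAML one.
    A list with only SAML, or with no SAML at all, is not reported."""
    root = ET.fromstring(xml_text)
    methods = auth_methods(root)
    findings = []
    for kind, name, profiles in client_auth_lists(root):
        pairs = [(p, methods.get(p, "unknown")) for p in profiles]
        kinds = {m for _, m in pairs}
        if SAML_METHOD in kinds and len(kinds) > 1:
            findings.append((kind, name, pairs))
    return findings


if __name__ == "__main__":
    for kind, name, pairs in find_mixed_saml(SAMPLE_CONFIG):
        order = " -> ".join(f"{p} ({m})" for p, m in pairs)
        print(f"{kind} {name}: SAML mixed with other methods: {order}")
        print("  SAML will only be offered if it is the sole client-auth method.")
```

Run it against a saved config export (for example the XML from `show config running` on the CLI, or the candidate config pulled with the XML API) before committing a portal or gateway change; if the check finds a mixed list, the fix the reply describes is to give SAML its own portal/gateway rather than to reorder the entries.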