11-02-2021 01:23 PM
In logging I can see that SAML authentication via Azure is succeeding. However my GP client is
failing to successfully connect I believe for some deficiency in the certificate. I have a self signed
certificate in a cert profile at the portal and gateway for this GP On Demand setup. Authentication
is set to require certificate *and* user ID/password. (Soon this will be MFA. But first things first.)
Can a self signed certificate serve the need in this case? What properties would need to be
in such a self signed certificate to get GP connect? Thank you.
11-07-2021 07:18 AM
First, I would never recommend using a self-signed certificate with GlobalProtect. Either get the certificate issued by your internal CA or have it signed by a public trusted CA. Second, taking away SAML authentication for a second is this an existing working configuration or something you're just trying to get setup?
11-17-2021 04:58 PM
As BPry mentioned, you should get a CA certificate for the GP portal and gateways.
In addition to that, you need to export the Microsoft Azure Federated SSO Certificate from the Azure Portal and import it to the firewall (Device -> Certificate Management -> Certificates).
The following KB shows how to set up Azure SAML authentication with GlobalProtect, but this export/import certificate step is missing.
How to setup Azure SAML authentication with GlobalProtect
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE
You may refer to this KB for the SAML IdP.
Identity Provider Configuration for SAML
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXPCA2
Hope this helps!
11-07-2021 07:18 AM
First, I would never recommend using a self-signed certificate with GlobalProtect. Either get the certificate issued by your internal CA or have it signed by a public trusted CA. Second, taking away SAML authentication for a second is this an existing working configuration or something you're just trying to get setup?
11-17-2021 04:58 PM
As BPry mentioned, you should get a CA certificate for the GP portal and gateways.
In addition to that, you need to export the Microsoft Azure Federated SSO Certificate from the Azure Portal and import it to the firewall (Device -> Certificate Management -> Certificates).
The following KB shows how to set up Azure SAML authentication with GlobalProtect, but this export/import certificate step is missing.
How to setup Azure SAML authentication with GlobalProtect
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE
You may refer to this KB for the SAML IdP.
Identity Provider Configuration for SAML
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXPCA2
Hope this helps!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
