Global Protect - valid certificate when using Azure SAML authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect - valid certificate when using Azure SAML authentication

L3 Networker

In logging I can see that  SAML authentication via Azure is succeeding. However my GP client is

failing to successfully connect I believe for some deficiency in the certificate. I have a self signed

certificate in a cert profile at the portal and gateway for this GP On Demand setup. Authentication

is set to require certificate *and* user ID/password. (Soon this will be MFA. But first things first.) 

 

Can a self signed certificate serve the need in this case? What properties would need to be

in such a self signed certificate to get GP connect? Thank you.

 

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

@MichaelMedwid,

First, I would never recommend using a self-signed certificate with GlobalProtect. Either get the certificate issued by your internal CA or have it signed by a public trusted CA. Second, taking away SAML authentication for a second is this an existing working configuration or something you're just trying to get setup? 

View solution in original post

L3 Networker

@MichaelMedwid 

As BPry mentioned, you should get a CA certificate for the GP portal and gateways.
In addition to that, you need to export the Microsoft Azure Federated SSO Certificate from the Azure Portal and import it to the firewall (Device -> Certificate Management -> Certificates).

 

The following KB shows how to set up Azure SAML authentication with GlobalProtect, but this export/import certificate step is missing.

How to setup Azure SAML authentication with GlobalProtect
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

 

You may refer to this KB for the SAML IdP.
Identity Provider Configuration for SAML
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXPCA2

 

Hope this helps!

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

@MichaelMedwid,

First, I would never recommend using a self-signed certificate with GlobalProtect. Either get the certificate issued by your internal CA or have it signed by a public trusted CA. Second, taking away SAML authentication for a second is this an existing working configuration or something you're just trying to get setup? 

L3 Networker

@MichaelMedwid 

As BPry mentioned, you should get a CA certificate for the GP portal and gateways.
In addition to that, you need to export the Microsoft Azure Federated SSO Certificate from the Azure Portal and import it to the firewall (Device -> Certificate Management -> Certificates).

 

The following KB shows how to set up Azure SAML authentication with GlobalProtect, but this export/import certificate step is missing.

How to setup Azure SAML authentication with GlobalProtect
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

 

You may refer to this KB for the SAML IdP.
Identity Provider Configuration for SAML
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXPCA2

 

Hope this helps!

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.
  • 2 accepted solutions
  • 7963 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!