01-19-2024 01:00 AM
Hello
Currently, we have our GP configured to use our local Active Directory for authentication.
Is it easy to configure GP to use AzureAD authentication and Microsoft MFA?
BR
01-19-2024 02:13 AM
Yes!
In Azure you can create an enterprise application; look for "palo alto networks - globalprotect".
Go through the steps to enable SSO.
The only caveat is that you need to craft your identifier and reply URL to contain :443.
Export the federation metadata XML and import that into the Palo as a SAML server profile.
01-19-2024 02:18 AM
Thank you.
How can I configure GP to force the user to enter AzureAD credentials, and not be automatically authenticated on GP when I start the GP application?
BR
01-19-2024 04:54 AM
I configured SAML and it seems to be working, but when I used internal LDAP to authenticate on the GP client I always had to enter my credentials, whereas when I switch to SAML auth and start the GP client, I am connected directly without entering credentials...
01-29-2024 03:20 PM
I have dug into this before and my conclusion is that you can not force reauthentication when using AzureAD SAML with GlobalProtect.
If the user has already signed in to AzureAD then Single-Sign-On principles will take effect. Authentication will be completed using a cookie in the browser in a simple case. If it is a Windows device that is AzureAD Joined or Hybrid AzureAD Joined then the Primary Refresh Token (PRT) will be used. There are more potential methods depending on OS and settings.
You might be able to use Sign-In-Frequency (SIF) in AzureAD Conditional Access, but if the device is joined to AzureAD then it probably won't work how you expect.
AzureAD does support a parameter called ForceAuthN which states
> If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Microsoft Entra ID
However, I do not see any way to tell PaloAlto to use this parameter. I've been considering making a feature request to PaloAlto to allow this parameter to be set. I've found threads where people use it with Checkpoint and Meraki VPNs.
I have some saved links that may help you
https://www.reddit.com/r/AZURE/comments/xrupux/conditional_access_require_mfa_every_single_time/
https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol#authnrequest
https://community.checkpoint.com/t5/Remote-Access-VPN/Azure-SAML-Auth-forceAuthn-true/td-p/181467
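The ForceAuthn attribute discussed above lives in the SAML AuthnRequest that the service provider (here, the firewall) generates, not anywhere in Entra ID, which is why it cannot be switched on from the Azure side. The script below is an added example, not code from the original thread, from Palo Alto Networks or from Microsoft: it builds a minimal AuthnRequest with and without ForceAuthn, encodes it the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encoding), and decodes a captured `SAMLRequest` query parameter so you can check what a real client actually sent to the IdP. The hostnames, the `:443` entity ID and ACS URL shape, and the all-zero tenant GUID are constructed placeholders.

```python
import base64
import datetime
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed placeholder values (assumptions, not taken from the thread). The
# ":443" mirrors the identifier / reply-URL caveat mentioned earlier, and the
# tenant ID is a dummy GUID, not a real Entra tenant.
SP_ENTITY_ID = "https://vpn.example.com:443/SAML20/SP"
SP_ACS_URL = "https://vpn.example.com:443/SAML20/SP/ACS"
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"


def build_authn_request(issuer, acs_url, destination, force_authn=False):
    """Return a minimal SAML 2.0 AuthnRequest as an XML string.

    ForceAuthn is only emitted when requested. An absent attribute means
    "false" to the IdP, which is exactly what lets an existing Entra session
    (browser cookie or PRT) be reused without prompting the user.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(param):
    """Reverse of encode_redirect; accepts a still-quoted or already-unquoted value."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def has_force_authn(xml_text):
    """True if the AuthnRequest asks the IdP to re-authenticate the user."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    # ForceAuthn is an xs:boolean, so both "true" and "1" count as set.
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


def force_authn_from_redirect_url(url):
    """Given the IdP redirect URL a client was sent to, report whether it carried ForceAuthn."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    return has_force_authn(decode_redirect(query["SAMLRequest"][0]))


if __name__ == "__main__":
    for flag in (False, True):
        xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL, force_authn=flag)
        url = IDP_SSO_URL + "?SAMLRequest=" + encode_redirect(xml)
        print(f"ForceAuthn requested={flag}: decoded request carries ForceAuthn="
              f"{force_authn_from_redirect_url(url)}")
```

To apply this to a real deployment, capture the `login.microsoftonline.com/.../saml2?SAMLRequest=...` URL the GlobalProtect client is redirected to (browser developer tools or a proxy) and pass it to `force_authn_from_redirect_url`; if the decoded request has no ForceAuthn attribute, the silent SSO behaviour described in the thread is the expected SAML outcome and has to be addressed on the IdP side (sign-in frequency or the newer Conditional Access reauthentication controls) rather than in the SP configuration.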
03-11-2024 10:29 AM
As an update to my previous reply, a couple of weeks ago Microsoft announced support for additional capabilities with Conditional Access. This includes
> now you can require reauthentication for any resource protected by Conditional Access
Using this Conditional Access capability should satisfy the requirement "I need always enter my credentials".