Piggyback off Shibboleth SP for GlobalProtect portal/gateway Authentication

hakasapl · ‎08-24-2020

Hello,

We have a shibboleth SP setup on our web server which has a discovery service built-in, so that users can authenticate against a number of different endpoints. Is there any way to carry over that configuration to a palo alto SAML authentication profile?

The general sequence of events:

1. User wants to access private webpage

2. Redirected to endpoint select, where there is a dropdown

3. Select an endpoint, continue, which then goes to the endpoint's IDP authentication page.

4. Authentication successful

I'm having trouble wrapping my head around this as an authentication profile. Can I reference the endpoint select webpage as the SSO url?

khans · ‎09-05-2020

PanOS supports SP initiated auth, where SP will be your GlobalProtect Portal and/or Gateway FQDN.

You can use Shibboleth as the IdP and import the metadata to the firewall, then set up the authentication profile, to authenticate to the Portal or gateway or both. Please have a look at the doc below

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authenticati...

hakasapl · ‎09-05-2020

Hello,

I've attempted doing this, but I've experienced another hiccup. When I try to authenticate against the portal, I get the correct shibboleth SSO page, and I am able to sign in successfully. After I sign in, it doesn't recognize that I've signed in. Is there some SAML message that needs to be passed back to the palo for it to know that I've successfully authenticated?

Right now after I sign it just stays at the landing page, without doing anything.

- Hakan

hakasapl · ‎09-05-2020

<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
 -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_82c9e1d51d701bd75df3ad69a6bf8db222c530d2" entityID="https://unity.rc.umass.edu/shibboleth">

  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://unity.rc.umass.edu/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://unity.rc.umass.edu/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>https://unity.rc.umass.edu/shibboleth</ds:KeyName>
        <ds:KeyName>unity.rc.umass.edu</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=unity.rc.umass.edu</ds:X509SubjectName>
          <ds:X509Certificate>MIIEJDCCAoygAwIBAgIJAOzitNv/fB6IMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
BAMTEnVuaXR5LnJjLnVtYXNzLmVkdTAeFw0xOTA2MTcxNTA1NDZaFw0yOTA2MTQx
NTA1NDZaMB0xGzAZBgNVBAMTEnVuaXR5LnJjLnVtYXNzLmVkdTCCAaIwDQYJKoZI
hvcNAQEBBQADggGPADCCAYoCggGBAM8CVIwjoCJQfb5PxhvypiszKF7tcSmtuL0Q
yURuBCR8uJTVtZ24osySRLxLfcIWkcKJyVkcOUKOV2sjFyyzhtH7H1KcQicTr3Yd
nDZcpUl20zZCvExkIgr2UKMyzEJND/iDUXMIiAlsiW9A9ADCT1XGv0TApY78fAV3
IUBCp9RpWz+AQZzz6JumO+U4HuxWmrzLUAGq3H/bf1SqqQIcDsTOxHJGg0c8XzrK
MQi31pHw0ldNFUTtkSFwrzMVZs1ZmUILR6jo4ULraj4Tnj8geUQ8k0ylirk4VjZz
5/qlax2ghgFgU3VfZcpVWE63FkdOC9fmjAGDEpTrsYV2JLl4NMtVBPicMa0fwS/p
/XV6dXQaY3ANGdDLBe1deFaiI381erRf6sfE4aIrQJW9yiAQQffItLlK5yML5m2M
9POKt42/98ceR4nTOM9Vk9buJd7IKDxsO4WmBgMJT5XrAFsSFQcni39IVMhF2EZe
g3+21naqOaEuvvC1wgn6eXe2CDxL3wIDAQABo2cwZTBEBgNVHREEPTA7ghJ1bml0
eS5yYy51bWFzcy5lZHWGJWh0dHBzOi8vdW5pdHkucmMudW1hc3MuZWR1L3NoaWJi
b2xldGgwHQYDVR0OBBYEFCfb1RHoonWsDuhFVqpuEEak2zn3MA0GCSqGSIb3DQEB
CwUAA4IBgQACXJ861KERqmD8/nfKyB9VIBsMSiYZonQ0HPVvpZtD5EN6Z4OVEEsJ
qTcWXtUHsesZREmm4F7fNmSJmapzrYYgUnTdrkJWGFdb5OMSTh1ai5qYY4YyWeHl
GNQTH2ArI7RWvV06F6fz1UeK6Iw4c/B/0Z/HKm96iM8vI6TmCFyAsoMswn5aq4nX
A6o4zjyrZ6klLRbpto9ZsT2rkPX9Hr2cpW71qzCOinTf34+pdcWh3z5ZPpGSLVhz
sWstfe0qI6XY+JVTxRxb+9u+Y1oFxjki61vps+nz6BbKDtdkazeQuojCoA4WbS4L
qi+NfOr1Isj3px3Cd/qz/oBYhzQRu0xlF7tiNTCrUhmj/YD80r1B4XVNGvE+RB+Q
TJ5/cPKpnK1O2ofcJ0eth5yHl3OCUZGm9lo8IMyeOM1nCTIgCPwXUDwRMvNHhO1N
U4gUN/185I8Z2CDht+DGYLyB65veb8A+FQltTgj6dkMPei9HRs7hHyF5V5cRHOZI
dB/EAx++8ns=
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://unity.rc.umass.edu/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://unity.rc.umass.edu/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://unity.rc.umass.edu/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://unity.rc.umass.edu/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://unity.rc.umass.edu/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://unity.rc.umass.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://unity.rc.umass.edu/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://unity.rc.umass.edu/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://unity.rc.umass.edu/Shibboleth.sso/SAML2/ECP" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://unity.rc.umass.edu/Shibboleth.sso/SAML/POST" index="5"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://unity.rc.umass.edu/Shibboleth.sso/SAML/Artifact" index="6"/>
  </md:SPSSODescriptor>

</md:EntityDescriptor>

That is our SP's metadata. I was unable to directly import this because pan-os said "No IDP Descriptor node found". I'm trying to connect to an SP, not an IDP. Will this make a difference?

- Hakan

khans · ‎09-05-2020

Hi Hakan,

Yes, you can pass SAML attributes and define them accordingly in the authentication profile in the User Attributes in SAML Messages from IdP.

But it is not required, as we can also use NameID being sent in the SAML response from IdP.

Unlock your full community experience!

Piggyback off Shibboleth SP for GlobalProtect portal/gateway Authentication

Piggyback off Shibboleth SP for GlobalProtect portal/gateway Authentication

Show your appreciation!