SAML Testing

jeff6strings
L2 Linker

SAML Testing

We have SAML for GlobalProtect set up and working on our test PA firewall, which cannot be used for production.
Our goal is to configure our production firewalls to use SAML for GlobalProtect and limit it to specific AD groups for testing until we make SAML global. I know SAML can't be used in an Authentication Sequence, and adding a Client Authentication config in the GP Portal Authentication > Client Authentication list won't help. From reading other posts, this list is not a failover, and the only criterion is OS.


Our current GP VPN configuration is the following:
Firewall 1 (v8.1): Portal, which the domain name points to and is a Gateway, and all three firewalls (this and the two below) are in the External Gateway configuration.
Firewall 2 (v8.1): Portal configuration but used as secondary & Gateway, and all three firewalls (this and the one above and below) are in the External Gateway configuration.
Firewall 3 (v9.0): Gateway only and included in the External Gateway configuration in the two portals above.


I was thinking of configuring the Firewall 1 Portal to make the first two firewalls available to the existing GP AD group, then creating an Agent Configuration pointing to the AD SAML group and making Firewall 3 the SAML authentication firewall, with only this firewall in that Agent Config. My obstacle is the GP Portal Config Authentication and the limitation of the Client Authentication list.


I appreciate any feedback, recommendations, or thoughts.

Jeff


Passionate about network infrastructure and all things Palo Alto Networks.

Accepted Solutions
sakhan
L2 Linker

Yes, you can use SAML on the Firewall 3 gateway, but in this scenario the Portal will have a different authentication method than the gateway, so the user might be prompted twice to authenticate.

Best would be to have both the Portal and the gateway use the same SAML authentication profile, so the user is only prompted once to authenticate to the IdP, and the GP client then just passes the auth to the gateway.

The SAML response from the IdP will have a Name ID and/or SAML Attributes for usernames that can be used to limit users via the allow list in the authentication profile.

I would also recommend looking into the new GP client 5.2, as it has an additional feature for SAML, "Use Default Browser for SAML Authentication". This will allow the GP client to use the user's default browser, so users don't have to input credentials, as the default browser can save them.

Here is a good KB for troubleshooting SAML issues: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVvCAK

Hope that helps! 

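As an added illustration of the allow-list idea in the answer above (example code written for this thread, not sakhan's or Palo Alto Networks' code): a small Python check that pulls the Name ID and a group attribute out of a constructed SAML 2.0 response and decides whether the user falls inside a pilot allow list. The group attribute name, the sample response and the allow-list values are all assumptions.

```python
# Hypothetical allow-list check over a SAML 2.0 response, mirroring how an
# authentication profile can limit GlobalProtect sign-in to an AD pilot group.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute name the IdP is assumed to use for group membership (assumption).
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample response: unsigned and trimmed to the elements read below.
# In production the signature must be verified before any of this is trusted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jeff@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>GP-SAML-Pilot</saml:AttributeValue>
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return (NameID, set of group values) from a successful SAML Response."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("IdP did not return Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    groups = set()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            groups.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id, groups


def allowed(name_id, groups, allow_users, allow_groups):
    """Allow-list decision: user listed explicitly, or a member of any pilot group."""
    return name_id.lower() in {u.lower() for u in allow_users} or bool(groups & set(allow_groups))
```

Run `allowed(*parse_assertion(SAMPLE_RESPONSE), [], ["GP-SAML-Pilot"])` to see the pilot-group path admit the sample user while a production-only group list rejects it.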


All Replies

jeff6strings
L2 Linker

Having the Portal and the Gateway on two separate types of authentication was a concern. I wanted to avoid having SAML users point to another Portal, but it seems that in order to limit testing to specific AD groups, this may be the only way.

Thank you.


Jeff
