Separation of profiles for authorization and authentication in GlobalProtect


Hello friends! Help me please.
I need advice on authentication and authorization when connecting to a GP.
Is it possible to separate these roles?

For example: authenticate using SAML.
And then check this user for belonging to groups in LDAP, and depending on these groups, send him to the gateway / send him settings / apply policies.

In general, authenticate via SAML, and authorize via LDAP.

There were no such cases in the documentation.


Hi @nickalecks ,

Yes, that is actually how GlobalProtect really works.

- For both the GP portal and gateway, you first authenticate the user, which is defined under the Authentication tab.

Here you specify what Authentication profile (authentication method) GP should apply when users are trying to connect. Here you can have different authentication methods based on client OS.

- Once the user is authenticated, you can use the Group Mapping (which is retrieved over LDAP) to apply different portal or gateway configuration. This is done under the Agent tab (again for both portal and gateway).

Here you can specify the user group that the FW is retrieving from the configured Group Mapping and have different configuration profiles based on user/user group and/or client OS.
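
The two stages described in the answer above, sketched as a small model. This is an added example, not part of the original thread and not PAN-OS code. All group, user and config names are constructed, and the top-down, first-match evaluation of Agent configs is an assumption of the model.

```python
# Model only: data and names below are constructed for illustration.
# Group membership as the firewall would learn it via LDAP Group Mapping.
GROUP_MAPPING = {
    "cn=vpn-admins,ou=groups,dc=example,dc=com": {"example\\alice"},
    "cn=vpn-contractors,ou=groups,dc=example,dc=com": {"example\\bob"},
}

# Agent-tab configs in list order; assumption: first match wins.
AGENT_CONFIGS = [
    {"name": "admins-windows",
     "users": {"cn=vpn-admins,ou=groups,dc=example,dc=com"},
     "os": {"Windows"}},
    {"name": "contractors",
     "users": {"cn=vpn-contractors,ou=groups,dc=example,dc=com"},
     "os": {"any"}},
    {"name": "default", "users": {"any"}, "os": {"any"}},
]


def groups_for(username):
    """Authorization input: groups whose member list contains the user."""
    key = username.lower()
    return {g for g, members in GROUP_MAPPING.items() if key in members}


def select_config(username, client_os):
    """Pick the first config matching the authenticated user/group and OS.

    `username` is whatever the Authentication Profile (e.g. SAML) produced;
    this function never re-checks credentials, it only authorizes.
    """
    identities = groups_for(username) | {username.lower(), "any"}
    for cfg in AGENT_CONFIGS:
        if cfg["users"] & identities and cfg["os"] & {client_os, "any"}:
            return cfg["name"]
    return None  # no config matched: the client gets no settings


if __name__ == "__main__":
    print(select_config("example\\alice", "Windows"))
    print(select_config("example\\bob", "macOS"))
    # A SAML username in a different format than Group Mapping uses
    # matches no group and falls through to the catch-all config.
    print(select_config("alice@example.com", "Windows"))
```

In this model, the last call shows why the username returned by the authentication step has to be in the same format as the names in the group mapping, and why a catch-all config should carry the least-privileged settings.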


