Hello friends! Please help me.
I need advice on authentication and authorization when connecting to GP.
Is it possible to separate these roles?
For example: authenticate using SAML.
And then check whether this user belongs to groups in LDAP, and depending on those groups, send him to a gateway / send him settings / apply policies.
In general, authenticate via SAML and authorize via LDAP.
There were no such cases in the documentation.
Hi @nickalecks ,
Yes, that is actually how GlobalProtect works.
- For both the GP portal and the gateway, you first authenticate the user, which is defined under the Authentication tab.
Here you specify which Authentication Profile (authentication method) GP should apply when users try to connect. You can have different authentication methods based on client OS.
- Once the user is authenticated, you can use Group Mapping (which is retrieved over LDAP) to apply a different portal or gateway configuration. This is done under the Agent tab (again, for both portal and gateway).
Here you specify the user group that the firewall retrieves from the configured Group Mapping, and have different configuration profiles based on user/user group and/or client OS.
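The two-stage flow described in the answer above, as an added Python model that is not Palo Alto code and not part of the original thread: a SAML assertion supplies the identity (authentication), an LDAP group snapshot supplies the memberships (authorization input), and an ordered list of agent client configs is walked top-down, first match wins, the way the GP Agent tab evaluates them. The assertion, the group snapshot, the config names and the `DOMAIN_MAP` used to turn a SAML `NameID` into the `domain\user` form are all constructed for this example. The normalization step is the practical caveat: if the username the SAML profile yields is not in the same format the group mapping uses, the user authenticates fine but matches no group, so group-based configs silently fail to apply.

```python
"""Model of GlobalProtect's split: authenticate with SAML, authorize from
LDAP group membership. Added illustration, not Palo Alto code; every data
value below is constructed for the example."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion, standing in for what the IdP returns after login.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@corp.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""

# Assumed UPN-suffix -> NetBIOS domain map, so the SAML identity lands in the
# same domain\user form that the LDAP group mapping uses (assumption, not a
# PAN-OS setting).
DOMAIN_MAP = {"corp.example": "corp"}

# Constructed snapshot of what Group Mapping would have pulled over LDAP:
# group DN -> members in domain\user form.
LDAP_GROUPS = {
    "cn=vpn-admins,ou=groups,dc=corp,dc=example": {"corp\\jdoe"},
    "cn=vpn-users,ou=groups,dc=corp,dc=example": {"corp\\jdoe", "corp\\asmith"},
}

# Ordered client configs (constructed names), evaluated top-down; first match wins.
AGENT_CONFIGS = [
    {"name": "admins-full-tunnel",
     "groups": {"cn=vpn-admins,ou=groups,dc=corp,dc=example"}, "os": {"any"}},
    {"name": "users-split-tunnel-windows",
     "groups": {"cn=vpn-users,ou=groups,dc=corp,dc=example"}, "os": {"windows"}},
    {"name": "users-split-tunnel-other",
     "groups": {"cn=vpn-users,ou=groups,dc=corp,dc=example"}, "os": {"any"}},
]


def saml_subject(assertion_xml: str) -> str:
    """Authentication step: extract the NameID from an assertion. Signature
    validation is out of scope here; a real deployment verifies the IdP
    signature before trusting anything in the assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID: authentication failed")
    return name_id.text.strip()


def normalize_username(name_id: str) -> str:
    """Bring the SAML identity into the domain\\user form the group mapping
    uses. A mismatch here means 'authenticated but in no group'."""
    if "\\" in name_id:
        domain, user = name_id.split("\\", 1)
        return f"{domain.lower()}\\{user.lower()}"
    if "@" in name_id:
        user, suffix = name_id.rsplit("@", 1)
        domain = DOMAIN_MAP.get(suffix.lower())
        if domain is None:
            raise ValueError(f"unknown UPN suffix {suffix!r}")
        return f"{domain}\\{user.lower()}"
    raise ValueError(f"cannot normalize {name_id!r}")


def groups_for(user: str, directory=LDAP_GROUPS) -> set:
    """Authorization input: group DNs the user belongs to in the snapshot."""
    return {dn for dn, members in directory.items() if user in members}


def select_config(user_groups: set, client_os: str, configs=AGENT_CONFIGS):
    """Walk the ordered config list and return the first whose group and OS
    criteria both match; None means no config applies (connection refused)."""
    for cfg in configs:
        group_ok = "any" in cfg["groups"] or bool(cfg["groups"] & user_groups)
        os_ok = "any" in cfg["os"] or client_os.lower() in cfg["os"]
        if group_ok and os_ok:
            return cfg["name"]
    return None


def dispatch(assertion_xml: str, client_os: str):
    """Full flow: SAML authenticates, LDAP groups pick the config."""
    user = normalize_username(saml_subject(assertion_xml))
    return user, select_config(groups_for(user), client_os)


if __name__ == "__main__":
    print(dispatch(SAMPLE_ASSERTION, "windows"))
```

Ordering matters in the same way it does on the Agent tab: the admin config sits above the broader user configs, so a user in both groups lands on the narrower, more privileged profile, while a user who authenticated but belongs to no mapped group gets no config at all.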