Azure SAML authentication from Prisma Access to Branch gateway


L1 Bithead

I would like to set up Azure SAML on Prisma Access and a branch firewall that has its own GlobalProtect portal. The Prisma Access portion has been configured already and tested to be working properly with Azure. My setup is as follows:

Prisma Access GP Portal (authentication configured on portal and gateway is Azure SAML): abc.domain.com

Branch GP Portal (authentication configured on portal and gateway is LDAP): xyz.domains.com


In the configuration on Prisma, I already have it configured to point to the branch gateway as one of the options in the Prisma portal gateway selection dropdown menu. The branch portal is not used that often directly; users just use the Prisma GP portal URL and from there jump to the branch gateway.

The question is: since I already have the MFA configured with a certificate on Prisma using the Prisma GP URL abc.domain.com, do I still need to create a separate certificate for the branch firewalls? Does the difference in the Azure SAML configuration, where Prisma uses a different URL and certificate than what is on the branch, cause an issue for users jumping from the Prisma portal to the branch gateway? In other words, would it, for example, ask them to authenticate twice, or will the cached authentication information from the Prisma portal login be forwarded to the branch gateway if it is selected?


3 REPLIES

Cyber Elite

Not sure what certificate you're referring to (hostname, client cert, authentication cert, ...?).

If you set up your branch gateway with a TLS profile containing a valid public server certificate (so the hostname can be resolved without any certificate issues), you can add the additional gateway to your Prisma Access configuration.

Next, you can add your gateway FQDN to the Azure GlobalProtect enterprise application in Single Sign-On > Basic SAML Configuration as an identifier and reply URL.

Once that's done, you should be able to connect to the gateway using your Prisma Access portal config.

If you were referring to the certificate as a client certificate: the gateway dictates the authentication requirements, so if you're using a client certificate in Prisma Access but don't want to on the branch gateway, you can do so by setting the auth properties accordingly.

Hope this helps.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

That was very helpful, thank you! And in the Azure SAML configuration for GlobalProtect, besides adding the branch gateway as a new identifier as well as the branch reply URL, do I need to also add the branch's own sign-on URL, or is there no need for that? The objective is basically to have any remote VPN user be able to connect to the branch from within the Prisma Access portal (by jumping to the gateway from the dropdown menu) or just through the branch portal, and still use the same SAML authentication through Azure.

Cyber Elite

The sign-on URL is used for the portal bit; you can only have 1 in the enterprise app, and this is going to be your Prisma Access portal URL.

To have a similar SAML profile for the portal on your branch, you'll need a new enterprise application on Azure for the other portal (which, if Prisma Access is your main portal, is not necessary, and you can basically remove the portal config from the branch).

Don't forget to like and subscribe!

And mark as a solution and all that stuff :]

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
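The two rules from the replies above (every portal or gateway FQDN needs its own Identifier and Reply URL entry in the enterprise app's Basic SAML Configuration, and there is exactly one sign-on URL, which belongs to the Prisma Access portal) as a small configuration validator. This is an added example, not code from the thread, Palo Alto Networks or Microsoft; it assumes the default PAN-OS GlobalProtect SP endpoint paths `/SAML20/SP` and `/SAML20/SP/ACS`, and the sample entries are constructed from the hostnames in the thread.

```python
# Added example: validate an Azure "Basic SAML Configuration" export against the
# list of GlobalProtect portals and gateways it must cover. Sample data is constructed.
from urllib.parse import urlparse

SP_ENTITY_PATH = "/SAML20/SP"       # assumed default GlobalProtect SP Entity ID path
SP_ACS_PATH = "/SAML20/SP/ACS"      # assumed default Assertion Consumer Service path


def _host_path(url):
    """Normalize a URL to (hostname, path). Dropping the port makes
    'https://host/SAML20/SP' and 'https://host:443/SAML20/SP' compare equal."""
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path.rstrip("/")


def check_saml_coverage(endpoints, identifiers, reply_urls, sign_on_urls):
    """endpoints maps FQDN -> 'portal' or 'gateway'. Returns {name: [problems]};
    an empty dict means every endpoint is covered and the sign-on URL is consistent."""
    ids = {_host_path(u) for u in identifiers}
    acs = {_host_path(u) for u in reply_urls}
    issues = {}
    for fqdn, role in endpoints.items():
        host = fqdn.lower()
        problems = []
        if (host, SP_ENTITY_PATH) not in ids:
            problems.append("missing Identifier (Entity ID)")
        if (host, SP_ACS_PATH) not in acs:
            problems.append("missing Reply URL (ACS)")
        if problems:
            issues[fqdn] = problems
    # The enterprise app holds a single sign-on URL, and it must be the portal's.
    portals = [f.lower() for f, r in endpoints.items() if r == "portal"]
    signon_hosts = [_host_path(u)[0] for u in sign_on_urls]
    if len(signon_hosts) != 1:
        issues["sign_on_url"] = [f"expected exactly one sign-on URL, found {len(signon_hosts)}"]
    elif signon_hosts[0] not in portals:
        issues["sign_on_url"] = [f"sign-on URL host {signon_hosts[0]} is not a portal"]
    return issues


# Constructed sample: the branch gateway got a Reply URL but no Identifier yet.
SAMPLE_ENDPOINTS = {"abc.domain.com": "portal", "xyz.domains.com": "gateway"}
SAMPLE_IDENTIFIERS = ["https://abc.domain.com:443/SAML20/SP"]
SAMPLE_REPLY_URLS = ["https://abc.domain.com:443/SAML20/SP/ACS",
                     "https://xyz.domains.com/SAML20/SP/ACS"]
SAMPLE_SIGN_ON = ["https://abc.domain.com/"]

if __name__ == "__main__":
    for name, problems in check_saml_coverage(SAMPLE_ENDPOINTS, SAMPLE_IDENTIFIERS,
                                              SAMPLE_REPLY_URLS, SAMPLE_SIGN_ON).items():
        print(name, "->", "; ".join(problems))
```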