I am trying to set up an implementation of pre-logon, then SAML w/ Client Certificates. Utilizing a machine certificate I can configure how I want with no issues, but using only a client (user) certificate, pre-logon doesn't work, which is expected since the certificate is not in the computer's personal store, but the user's. In order to combat this, I've attempted to set up the following:

Portal agents:
    Pre-logon - pre-logon group - Accept auth cookies
    LoggedOn - any group - Generate auth cookies
    Authentication Profile: SAML
    Certificate profile: InternalCAProf

Gateway clients:
    Pre-logon - pre-logon group - Accept auth cookies
    LoggedOn - any group - Generate auth cookies
    Authentication Profile: SAML
    Certificate profile: InternalCAProf

As shown, I want the user to authenticate with the portal/gateway the first time utilizing SAML, a cookie should be generated, then the cookie should be accepted for pre-logon only.

PAN OS 10.2.0 (Lab environment here)

Does anyone know if this implementation is possible?