SAML 2.0 Authentication for GlobalProtect

GlobalProtect portals, gateways, and clients support SAML 2.0 authentication. If you use SAML as your authentication standard, GlobalProtect portals and gateways act as a Security Assertion Markup Language (SAML) 2.0 service provider (SP), and GlobalProtect clients authenticate users directly to the SAML identity provider (IdP). You can configure SAML authentication for the GlobalProtect portal, for GlobalProtect gateways, or for both.
  1. Configure SAML 2.0 Authentication on the PAN-OS firewall that hosts the portal or gateway.
    • Create a server profile with settings for access to the SAML 2.0 authentication service.
    • Create an authentication profile that refers to the SAML server profile.
  2. (Optional) Configure a GlobalProtect gateway.
    1. Specify SAML authentication for gateway users:
      • Select Authentication Profile and add the SAML authentication profile you created in step 1. This profile is used to authenticate an endpoint seeking access to the gateway.
        For iOS clients, SAML authentication is only supported when the Connect Method is configured for On-demand (Manual user initiated connection).
      • Enter an Authentication Message to help end users understand which credentials to use when logging in. The message can be up to 100 characters in length (default is Enter login credentials).
    2. (Optional) Select a Certificate Profile to use for client authentication to the gateway. For the certificate profile you select, make sure the Username Field in the certificate profile is set to None, so that the username comes from the SAML assertion rather than from a field of the client certificate.
  3. (Optional) Define the GlobalProtect Client Authentication Configurations on the GlobalProtect portal.
    1. Specify SAML authentication for the client:
      • Select Authentication Profile and add a SAML authentication profile. You can use the same profile you created in step 1 or create a new SAML profile for the portal. This profile is used to authenticate an endpoint seeking access to the portal.
      • Enter an Authentication Message to help end users understand which credentials to use when logging in. The message can be up to 100 characters in length (default is Enter login credentials).
    2. (Optional) Select a Certificate Profile to use for client authentication to the portal. For the certificate profile you select, make sure the Username Field in the certificate profile is set to None, so that the username comes from the SAML assertion rather than from a field of the client certificate.
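For context on what the portal or gateway does in its role as a SAML 2.0 service provider once the IdP returns an assertion, the following is an added Python example (not PAN-OS or GlobalProtect code) of the checks any SP must make before it trusts the username carried in an assertion: exactly one Assertion element, a validity window with a small clock-skew allowance, an Audience that matches the SP's own entity ID, and a non-empty Subject NameID. The entity IDs, the user name and the sample response are constructed for the example. Verifying the XML signature against the IdP's signing certificate is mandatory in a real SP but is omitted here because it needs an XML-DSig library.

```python
"""Illustrative SAML 2.0 service-provider-side checks on an IdP response.

Added example, not PAN-OS or GlobalProtect code. Signature verification
is deliberately left out (see the lead-in); do not deploy this as-is.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS, "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Allowance for clock drift between the IdP and the SP.
CLOCK_SKEW = timedelta(minutes=3)

# Hypothetical SP entity ID for a GlobalProtect portal (constructed).
SP_ENTITY_ID = "https://gp.example.com:443/SAML20/SP"

# Constructed sample response from a hypothetical IdP (unsigned).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://gp.example.com:443/SAML20/SP</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    """Raised when an assertion must not be trusted."""


def _parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_assertion(xml_text: str, expected_audience: str, now: datetime) -> str:
    """Return the username (Subject NameID) if the assertion passes all checks."""
    root = ET.fromstring(xml_text)

    # Accept a bare Assertion or a samlp:Response wrapping one, but never
    # more than one Assertion: ambiguity here is a classic SP bypass.
    assertions = list(root.iter(f"{{{SAML_NS}}}Assertion"))
    if len(assertions) != 1:
        raise SamlValidationError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlValidationError("assertion has no Conditions element")

    # Validity window; NotBefore is optional per the SAML spec, NotOnOrAfter is required here.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None:
        raise SamlValidationError("assertion has no NotOnOrAfter")
    if not_before is not None and now + CLOCK_SKEW < _parse_instant(not_before):
        raise SamlValidationError("assertion not yet valid")
    if now - CLOCK_SKEW >= _parse_instant(not_on_or_after):
        raise SamlValidationError("assertion expired")

    # The assertion must be addressed to this SP, not to some other relying party.
    audiences = [
        a.text.strip()
        for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if expected_audience not in audiences:
        raise SamlValidationError(f"assertion audience {audiences} does not include {expected_audience}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlValidationError("assertion has no Subject NameID")
    return name_id.text.strip()


def try_validate(xml_text: str, expected_audience: str, now: datetime) -> str:
    """Return the accepted username, or 'rejected: <reason>'."""
    try:
        return validate_assertion(xml_text, expected_audience, now)
    except SamlValidationError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Run the sample response through the checks at a valid time, a late time and with the wrong audience."""
    t_valid = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    t_late = datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)
    return {
        "valid": try_validate(SAMPLE_RESPONSE, SP_ENTITY_ID, t_valid),
        "expired": try_validate(SAMPLE_RESPONSE, SP_ENTITY_ID, t_late),
        "wrong_audience": try_validate(SAMPLE_RESPONSE, "https://other.example.net/SAML20/SP", t_valid),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The value returned by a successful validation is the NameID from the IdP's assertion, and that is the username the SP then works with. This is the reason the certificate profile's Username Field is set to None in the steps above: with SAML the identity comes from the assertion, and the client certificate only proves device possession.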