SAML Authentication for GlobalProtect Portals on Non-Standard Ports
SAML authentication when the GlobalProtect portal is externally accessible on a
non-standard port (i.e., a port other than the default TCP/443)
Where Can I Use This?
NGFW (managed by Panorama or Strata Cloud Manager)
What Do I Need?
GlobalProtect Subscription License
PAN-OS 11.2.9 or later versions
GlobalProtect provides support for SAML authentication when the portal is
externally accessible on a non-standard port (i.e., a port other than the default
TCP/443). This enables GlobalProtect to use SAML authentication on custom ports and
provides more flexible deployment options in networks that require services to run on
specific, non-standard ports.
As a best practice, configure
your applications to use ports outside of well-known and registered
ranges.
To support SAML authentication when the GlobalProtect portal is accessed through a
non-standard port, you must configure the custom port on the IdP and configure the
same custom port on the firewall. The firewall configuration and the IdP settings must
be synchronized: the port number you configure for the GlobalProtect portal on the
firewall must be identical to the port in the Assertion Consumer Service (ACS) URL on
the IdP.
Update Identity Provider (IdP) Configuration with Custom Port
Log in to your Identity Provider's administrative dashboard.
Modify the Assertion Consumer Service (ACS) URL to include your portal's hostname (or
IP address) and the custom, non-443 port number. The URL must use the following format:
https://<portal-hostname>:<custom-port>/SAML20/SP
<portal-hostname>: Replace with the FQDN (or IP address) of your
GlobalProtect portal.
<custom-port>: Replace with the TCP port you
configured for the portal.
Download Configuration from Identity Provider (IdP)
You must download the SAML metadata from the IdP. Click the Download link
next to Federation Metadata XML to download the SAML metadata
file from the IdP to a client system from which you can upload it to the
firewall.
Import Configurations to Firewall
After you download the metadata from the IdP, you must add a SAML IdP server profile on
the firewall and import the metadata into it.
Select Device > Server Profiles > SAML Identity Provider.
Enter a Profile Name to identify the server profile.
Browse to the Identity Provider Metadata file and import the metadata file
onto the firewall.
Enter the Maximum Clock Skew, which is the allowed difference in seconds
between the system times of the IdP and the firewall at the moment when the
firewall validates IdP messages (default is 60; range is 1 to 900). If the
difference exceeds this value, authentication fails.
Click OK to save the server profile.
Configure the Custom Port on Firewall
Configure the same custom SAML port on the firewall that you set on the
IdP by using the CLI command set global-protect saml-custom-port
<1-65535>. If you do not set a custom port, GlobalProtect uses the default port 443.
The custom TCP port configured for the GlobalProtect portal on the firewall
must exactly match the port used in the SAML settings of your Identity
Provider.
CLI Command: set global-protect saml-custom-port <1-65535>
Description: Configures the custom port on the firewall. This must be the
same port that you set on the IdP.

CLI Command: show gp-broker panos-config
Description: Verifies that the custom port is set in gp-broker. Check for the
key 'saml_custom_port' in the panos-config output.
Configure NAT Translation Rule
You must configure a NAT translation rule on the firewall to
translate the destination port from the custom port to 443.
On the firewall, select Policies > NAT and add a NAT rule.
Create a new service with the custom port and include it in the NAT rule.
On the Translated Packet tab, select the GlobalProtect portal IP in
Translated Address and enter 443 in Translated Port.