SAML Authentication for GlobalProtect Portals on Non-Standard Ports

SAML authentication when the GlobalProtect portal is externally accessible on a non-standard port (i.e., a port other than the default TCP/443)
Where Can I Use This?
  • NGFW (managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • GlobalProtect Subscription License
  • PAN-OS 11.2.9 or later versions
GlobalProtect provides support for SAML authentication when the portal is externally accessible on a non-standard port (i.e., a port other than the default TCP/443). This enables GlobalProtect to use SAML authentication on custom ports and provides more flexible deployment options in networks that require services to run on specific, non-standard ports.
As a best practice, configure your applications to use ports outside of well-known and registered ranges.
You must configure a custom port on the IdP for GlobalProtect to support SAML authentication through a non-standard port, and configure the same custom port on the firewall. The firewall configuration and the IdP settings must stay in sync: the port number you configure for the GlobalProtect portal on the firewall must be identical to the one you use in the Assertion Consumer Service (ACS) URL on the IdP.

Update Identity Provider (IdP) Configuration with Custom Port

  1. Log in to your Identity Provider's administrative dashboard.
  2. Modify the Assertion Consumer Service (ACS) URL on the IdP to include your portal's hostname (or IP address) and the custom, non-443 port number. The URL must use the following format:
    https://<portal-hostname>:<custom-port>/SAML20/SP
    • <portal-hostname>: Replace with the FQDN (or IP address) of your GlobalProtect portal.
    • <custom-port>: Replace with the TCP port you configured for the portal.

Download Configuration from Identity Provider (IdP)

You must download the SAML metadata from the IdP. Click the Download link next to Federation Metadata XML to download the SAML metadata file from the IdP to a client system from which you can upload the metadata to the firewall.

Import Configurations to Firewall

After you download the metadata from the IdP, you must add a SAML IdP server profile and upload the metadata to the firewall.
  1. Select Device > Server Profiles > SAML Identity Provider.
  2. Enter a Profile Name to identify the server profile.
  3. Browse to the Identity Provider Metadata file and import the metadata file onto the firewall.
  4. Select Validate Identity Provider Certificate (default).
  5. Enter the Maximum Clock Skew, which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1 to 900). If the difference exceeds this value, authentication fails.
  6. Click OK to save the server profile.
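The Maximum Clock Skew setting above tolerates a bounded difference between the IdP's clock and the firewall's clock. The following Python model, added here as an illustration and not PAN-OS code, shows how such a skew is applied in practice: it widens the assertion's Conditions window (NotBefore / NotOnOrAfter) by the configured number of seconds, so a small clock difference is tolerated while a larger one makes the assertion look not yet valid or already expired. The assertion XML, timestamps and firewall clock values are constructed; signature and audience validation are out of scope for this model.

```python
"""Illustrative model of a Maximum Clock Skew check on a SAML assertion.

Added example; not PAN-OS code and not a reproduction of the firewall's
validator. All sample values are constructed.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_MAX_CLOCK_SKEW = 60  # seconds; the firewall default named on the page (range 1-900)

# Constructed minimal assertion: valid from 12:00:00Z for five minutes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing 'Z'; older fromisoformat needs '+00:00' instead."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validity_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def check_timing(assertion_xml, firewall_now, max_clock_skew=DEFAULT_MAX_CLOCK_SKEW):
    """Apply the skew to both ends of the validity window. Returns (accepted, reason).

    `firewall_now` is the firewall's own clock at the moment it validates the message.
    """
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("Maximum Clock Skew must be between 1 and 900 seconds")
    skew = timedelta(seconds=max_clock_skew)
    not_before, not_on_or_after = validity_window(assertion_xml)
    # The firewall clock may run behind the IdP by up to `skew` seconds ...
    if firewall_now < not_before - skew:
        return False, "not yet valid: firewall clock is more than the skew behind the IdP"
    # ... or ahead of it by up to `skew` seconds (NotOnOrAfter is exclusive).
    if firewall_now >= not_on_or_after + skew:
        return False, "expired: firewall clock is more than the skew ahead of the IdP"
    return True, "within validity window after applying clock skew"


if __name__ == "__main__":
    # Constructed firewall clocks: in sync, two minutes behind with the default skew,
    # and two minutes behind with a 300-second skew.
    for clock, skew in [("2024-05-01T12:00:30Z", 60),
                        ("2024-05-01T11:58:00Z", 60),
                        ("2024-05-01T11:58:00Z", 300)]:
        print(clock, skew, check_timing(SAMPLE_ASSERTION, parse_saml_time(clock), skew))
```

A firewall clock two minutes behind the IdP fails with the default 60-second skew and passes with a 300-second one, which is the trade-off the setting controls: a larger skew hides clock drift but also accepts assertions further outside their intended window, so fixing NTP is preferable to raising the value.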

Configure the Custom Port on Firewall

Configure the same custom SAML port on the firewall that you set on the IdP, using the CLI command set global-protect saml-custom-port <1-65535>. If you do not set a custom port, GlobalProtect uses the default port 443.
The custom TCP port configured for the GlobalProtect portal on the firewall must exactly match the port used in the SAML settings of your Identity Provider.
CLI Command | Description
set global-protect saml-custom-port <1-65535> | Configures the custom port on the firewall. This must be the same port that you set on the IdP.
show gp-broker panos-config | Verifies that the custom port is set in gp-broker: check for the key 'saml_custom_port' in panos-config.

Configure NAT Translation Rule

You must configure the NAT translation rules on the firewall to translate the destination port to 443.
  1. On the firewall, select Policies > NAT and add a NAT rule for the portal traffic.
  2. Create a new service object with the custom port and select it as the service that the NAT rule matches.
  3. On the Translated Packet tab, select the GlobalProtect portal IP in Translated Address and enter 443 in Translated Port.
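The custom port now appears in three places that must agree: the ACS URL on the IdP, the firewall's saml-custom-port value, and the NAT rule that translates the external custom port to 443. The following Python check, added here as an illustration and not Palo Alto Networks code, models those three settings as plain values and reports any mismatch, including the case where the ACS URL carries no port and therefore falls back to 443 while the firewall expects the custom port. It does not read PAN-OS configuration; the hostname, port numbers and the shape of the firewall dictionary are constructed for the example.

```python
"""Consistency check for the custom SAML port across IdP, firewall and NAT rule.

Added, illustrative example; not Palo Alto Networks code and not a reader of
PAN-OS configuration. The firewall settings are modelled as a plain dict
whose keys are chosen for this example. All sample values are constructed.
"""
from urllib.parse import urlsplit

REGISTERED_MAX = 49151     # IANA well-known (0-1023) and registered (1024-49151) ranges end here
DEFAULT_SAML_PORT = 443    # used by GlobalProtect when no custom port is set
EXPECTED_ACS_PATH = "/SAML20/SP"

# Constructed sample: IdP ACS URL and firewall settings that agree with each other.
SAMPLE_ACS_URL = "https://gp.example.com:50443/SAML20/SP"
SAMPLE_FIREWALL = {
    "saml_custom_port": 50443,  # set global-protect saml-custom-port 50443
    "nat_rule": {"original_port": 50443, "translated_port": 443},
}


def acs_port(acs_url):
    """Port the IdP posts the SAML response to; a missing port means 443, like the firewall default."""
    parts = urlsplit(acs_url)
    if parts.scheme != "https":
        raise ValueError("ACS URL must use https")
    if parts.hostname is None:
        raise ValueError("ACS URL has no host")
    # urlsplit raises ValueError itself for a port outside 0-65535
    return parts.port if parts.port is not None else DEFAULT_SAML_PORT


def check_deployment(acs_url, firewall):
    """Return a list of findings; an empty list means the three settings agree."""
    findings = []
    try:
        idp_port = acs_port(acs_url)
    except ValueError as exc:
        return [f"invalid ACS URL: {exc}"]

    if urlsplit(acs_url).path != EXPECTED_ACS_PATH:
        findings.append(f"ACS URL path should be {EXPECTED_ACS_PATH}")

    fw_port = firewall.get("saml_custom_port", DEFAULT_SAML_PORT)
    if idp_port != fw_port:
        findings.append(f"IdP ACS port {idp_port} does not match firewall saml-custom-port {fw_port}")

    # A non-default port only works if a NAT rule maps it back to 443 on the portal.
    if fw_port != DEFAULT_SAML_PORT:
        nat = firewall.get("nat_rule")
        if nat is None:
            findings.append("no NAT rule translating the custom port to 443")
        else:
            if nat["original_port"] != fw_port:
                findings.append(f"NAT rule matches port {nat['original_port']}, expected {fw_port}")
            if nat["translated_port"] != DEFAULT_SAML_PORT:
                findings.append(f"NAT rule translates to port {nat['translated_port']}, expected {DEFAULT_SAML_PORT}")
        # Best practice from the page: stay outside the well-known and registered ranges.
        if fw_port <= REGISTERED_MAX:
            findings.append(f"best practice: port {fw_port} is in the well-known/registered range (<= {REGISTERED_MAX})")
    return findings


if __name__ == "__main__":
    print("consistent:", check_deployment(SAMPLE_ACS_URL, SAMPLE_FIREWALL))
    print("ACS URL without port:", check_deployment("https://gp.example.com/SAML20/SP", SAMPLE_FIREWALL))
```

Run it against the values from your own change request before committing the firewall config; the ACS-URL-without-port case is the one that is easiest to miss, because the IdP accepts the URL and the failure only shows up as a SAML response posted to the wrong port.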

Configure Security Policy

You must configure a security policy rule for the traffic. For more information, see Create a Security Policy Rule.