Enter a name to identify the profile. The name is case-sensitive, can have up to 31 characters, and can include only letters, numbers, spaces, hyphens, underscores, and periods. The name must be unique in the current Location (firewall or virtual system) relative to other authentication profiles and to authentication sequences.

Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the profile, you can’t change its Location.

Select the type of service that provides the first (and optionally the only) authentication challenge that users see. Based on your selection, the dialog displays other settings that you define for the service. The options are:

Select the authentication server profile from the drop-down. See Device > Server Profiles > RADIUS, Device > Server Profiles > TACACS+, Device > Server Profiles > LDAP, or Device > Server Profiles > Kerberos.

Select the SAML Identity Provider server profile from the drop-down. See Device > Server Profiles > SAML Identity Provider.

Select this option to collect user group information from Vendor-Specific Attributes (VSAs) defined on the RADIUS server. The firewall uses the information to match authenticating users against Allow List entries, not for enforcing policies or generating reports.

Select this option to collect user group information from Vendor-Specific Attributes (VSAs) defined on the TACACS+ server. The firewall uses the information to match authenticating users against Allow List entries, not for enforcing policies or generating reports.

Enter an LDAP directory attribute that uniquely identifies the user and functions as the login ID for that user.

If the authentication profile is for GlobalProtect users, enter the number of days before password expiration to start displaying notification messages to users to alert them that their passwords are expiring in x number of days. By default, notification messages will display seven days before password expiry (range is 1 to 255). Users will not be able to access the VPN if their passwords expire.

If users allow their passwords to expire, the administrator can assign a temporary LDAP password to enable users to log in to the VPN. In this workflow, we recommend setting the Authentication Modifier in the portal configuration to Cookie authentication for config refresh (otherwise, the temporary password will be used to authenticate to the portal, but the gateway login will fail, preventing VPN access).

Select the certificate that the firewall will use to sign SAML messages that it sends to the identity provider (IdP). This field is required if you enable the Sign SAML Message to IdP option in the IdP Server Profile (see Device > Server Profiles > SAML Identity Provider). Otherwise, selecting a certificate to sign SAML messages is optional.

When generating or importing a certificate and its associated private key, the key usage attributes specified in the certificate control how you can use the key:

Select this option to enable users to log out of every authenticated service by logging out of any single service. Single logout (SLO) applies only to services that users accessed through SAML authentication. The services can be external to your organization or internal (such as the firewall web interface). This option applies only if you entered an Identity Provider SLO URL in the IdP Server Profile. You cannot enable SLO for Authentication Portal users.

Select the Certificate Profile that the firewall will use to validate:

See Device > Certificate Management > Certificate Profile.

The firewall uses the User Domain for matching authenticating users against Allow List entries and for User-ID group mapping .

You can specify a Username Modifier to modify the format of the domain and username that a user enters during login. The firewall uses the modified string for authentication. Select from the following options:

If your network supports Kerberos single sign-on (SSO), enter the Kerberos Realm (up to 127 characters). This is the hostname portion of the user login name. For example, the user account name user@EXAMPLE.LOCAL has realm EXAMPLE.LOCAL.

If your network supports Kerberos single sign-on (SSO) , click Import, click Browse to locate the keytab file, and then click OK. A keytab contains Kerberos account information (principal name and hashed password) for the firewall, which is required for SSO authentication. Each authentication profile can have one keytab. During authentication, the firewall first tries to use the keytab to establish SSO. If it succeeds and the user attempting access is in the Allow List, authentication succeeds immediately. Otherwise, the authentication process falls back to manual authentication (username/password) of the specified Type, which doesn’t have to be Kerberos.

Enter the SAML attribute that identifies the username of an authenticating user in messages from the IdP (default is username). If the IdP Server Profile contains metadata that specifies a username attribute, the firewall automatically populates this field with that attribute. The firewall matches usernames retrieved from SAML messages with users and user groups in the Allow List of the authentication profile. Because you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow List entry. This is the only SAML attribute that is mandatory.

Enter the SAML attribute that identifies the user group of an authenticating user in messages from the IdP (default is usergroup). If the IdP Server Profile contains metadata that specifies a user group attribute, the field automatically uses that attribute. The firewall uses the group information to match authenticating users against Allow List entries, not for policies or reports.

Enter the SAML attribute that identifies the administrator role of an authenticating user in messages from the IdP (default is admin-role). This attribute applies only to firewall administrators, not to end users. If the IdP Server Profile contains metadata that specifies an admin-role attribute, the firewall automatically populates this field with that attribute. The firewall matches its predefined (dynamic) roles or Admin Role profiles with the roles retrieved from SAML messages to enforce role-based access control. If a SAML message has multiple admin-role values for an administrator with only one role, matching applies only to the first (left-most) value in the admin-role attribute. For an administrator with more than one role, the matching can apply to multiple values in the attribute.

Enter the SAML attribute that identifies the access domain of an authenticating user in messages from the IdP (default is access-domain). This attribute applies only to firewall administrators, not to end users. If the IdP Server Profile contains metadata that specifies an access-domain attribute, the firewall automatically populates this field with that attribute. The firewall matches its locally configured access domains with those retrieved from SAML messages to enforce access control. If a SAML message has multiple access-domain values for an administrator with only one access domain, matching applies only to the first (left-most) value in the access-domain attribute. For an administrator with more than one access domain, the matching can apply to multiple values in the attribute.

Select the regional endpoint for your Cloud Identity Engine instance.

If you have more than one instance, select the Cloud Identity Engine instance you want to use.

If you have more than one Cloud Identity Engine identity provider profile (IdP profile), select the Cloud Identity Engine IdP profile you want to use.

Enter the maximum acceptable time difference in seconds between the IdP and firewall system times at the moment when the firewall validates a message that it receives from the IdP (range is 1 to 900; default is 60). If the time difference exceeds this value, the validation (and thus authentication) fails.

Enable force multi-factor authentication in cloud if your IdP is configured to require users to log in using multi-factor authentication.

Select this option if you want the firewall to invoke additional authentication factors (challenges) after users successfully respond to the first factor (specified in the Type field on the Authentication tab).

After configuring an authentication profile that uses multi-factor authentication (MFA), you must assign it to an authentication enforcement object (Objects>Authentication) and assign the object to the Authentication policy rules (Policies>Authentication) that control access to your network resources.

Add an MFA server profile (Device>ServerProfiles> Multi Factor Authentication) for each authentication factor that the firewall will invoke after users successfully respond to the first factor (specified in the Type field on the Authentication tab). The firewall invokes each factor in the top-to-bottom order that you list the MFA services that provide the factors. To change the order, select a server profile and Move Up or Move Down. You can specify up to three additional factors. Each MFA service provides one factor. Some MFA services let users choose one factor from a list of several. The firewall integrates with these MFA services through vendor APIs. Additional MFA vendor API integrations are added periodically through Applications or Applications and Threats content updates.

Click Add and select all or select the specific users and groups that can authenticate with this profile. When a user authenticates, the firewall matches the associated username or group against the entries in this list. If you don’t add entries, no users can authenticate.

Enter the number of failed successive login attempts (0 to 10) that the firewall allows before locking out the user account. A value of 0 specifies unlimited login attempts. The default value is 0 for firewalls in normal operational mode and 10 for firewalls in FIPS-CC mode.