GlobalProtect Mobile Users

Install the device certificate on the Panorama that manages Prisma Access.

You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.

Log into the Customer Support Portal to generate the One Time Password (OTP).

Select

Assets

Device Certificates

and

Generate OTP

.

For the

Device Type

, select

Generate OTP for Panorama

and

Generate OTP

.

Select the

Panorama Device

serial number.

Generate OTP and copy the OTP.

and copy the OTP.

From the Panorama that manages Prisma Access, select

Panorama

Setup

Management

Device Certificate Settings

and

Get certificate

.



When you have successfully installed the certificate, the

Current Device Certificate Status

(

Panorama

Setup

Management

Device Certificate

) displays as

Valid

.



Activate the Cloud Identity Engine if you have not yet done so to create your first instance.

Log in to the hub.

You can view apps by tenant or by support account.

Activate

the Cloud Identity Engine.

You can view apps by tenant or by support account.

If the Activate button is not available, ensure that your role has the necessary privileges.



Enter the information for your Cloud Identity Engine instance.



Select the
Company Account
for the instance.
Specify a
Name
to identify the instance.
(
Optional
) Enter a
Description
to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
Select a
Region
.
Make a note of the region you selected; you use that region when you activate the Cloud Identity Engine in a later step.
Agree to the
EULA
.

Agree & Activate

the instance.

On the Activation Details page, select the hub in the upper left.



The

Cloud Identity Engine

displays.



(

Optional

) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine Instance.

If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy.

When you select a

Region

, select the same region you used when you activated the Cloud Identity Engine.

From the Cloud Identity Engine app, configure a SAML IdP in the Cloud Identity Engine.

The Cloud Identity Engine Getting Started guide has the procedures you need to configure a SAML IdP in the Cloud Identity Engine:

Configure Azure as an IdP in the Cloud Identity Engine
Configure Okta as an IdP in the Cloud Identity Engine
Configure PingOne as an IdP in the Cloud Identity Engine
Configure PingFederate as an IdP in the Cloud Identity Engine
Configure Google as an IdP in the Cloud Identity Engine

Use the following values in the when configuring Explicit Proxy authentication in your IdP:

Single sign on URL:
global.acs.prismaaccess.com
SAML Assertion Consumer Service URL:
https://global.acs.prismaaccess.com/saml/acs
Entity ID URL:
https://global.acs.prismaaccess.com/saml/metadata

Configure an authentication profile to use with the Cloud Authentication Service.

Be sure that you are in the

Mobile_User_Template

. By setting up an authentication profile in Panorama, you can redirect GlobalProtect mobile users to the IdP you configure for authentication.

Change the pre-deployed settings on mobile users’ Windows, macOS, Linux, Android, and iOS endpoints to use the default system browser for SAML authentication.

You must set the pre-deployed settings on the client endpoints before you can enable the default system browser for SAML authentication. GlobalProtect retrieves these entries only once, when the GlobalProtect app initializes.

If there is no pre-deployed value specified on the end users’ Windows or macOS endpoints when using the default system browser for SAML authentication, the

Use Default Browser for SAML Authentication

option is set to

Yes

in the portal configuration, and users upgrade the app from release 5.0.x or release 5.1.x to release 5.2.0 for the first time, the app will open an embedded browser instead of the default system browser. After users connect to the GlobalProtect app and the

Use Default Browser for SAML Authentication

option is set to

Yes

in the portal configuration, the app will open the default system browser on Windows and macOS endpoints at the next login.

If the

default browser

value is set to

Yes

in the pre-deployed setting of the client machine and the

Use Default Browser for SAML Authentication

option is set to

No

in the portal configuration, end users will not have the best user experience. The app will open the default system browser for SAML authentication for the first time. Because the default browser values differ between the client machine and the portal, the app detects a mismatch and opens an embedded browser at the next login.

The

Use Default Browser for SAML Authentication

option of the GlobalProtect portal and the pre-deployed settings in the client machine must have the same value to provide the best user experience.

On Windows endpoints, you can use the System Center Configuration Manager (SCCM) to pre-deploy the GlobalProtect app 5.2 and set the
DEFAULTBROWSER
value to
yes
from the Windows Installer (Msiexec) using the following syntax:
msiexec.exe /i GlobalProtect.msi DEFAULTBROWSER=YES
On macOS endpoints, set the
default-browser
value to
yes
in the macOS plist (
/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
) for the GlobalProtect app using the following syntax:
sudo defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist ’{"Palo Alto Networks" ={GlobalProtect={Settings={default-browser=yes;};};};}’
You must specify the plist key to launch the default system browser for SAML authentication after GlobalProtect app 5.2 is installed.
After you add the plist key, you must restart the GlobalProtect app in order for the plist key to take effect. After you restart the GlobalProtect app, the default system browser for SAML authentication launches. To restart the GlobalProtect app:
Launch the Finder.

Open the Applications folder by selecting

Applications

from the Finder sidebar.

If you do not see

Applications

in the Finder sidebar, select

Go

Applications

from the Finder menu bar.

Open the Utilities folder.

Launch Terminal.

Execute the following commands:

username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist       
username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
On Linux endpoints, set the
default-browser
value to
yes
in the
/opt/paloaltonetworks/globalprotect/pangps.xml
pre-deployment configuration file under
<Settings>
. After you add the
default-browser
value, follow the pre-deployment instructionsbefore you reboot the Linux endpoint in order for the change to take effect.
On Android and iOS endpoints, create a VPN profile by using the supported mobile device management system (MDM) such as Airwatch.
Log in to Airwatch as an administrator.
Select an existing VPN profile (
Devices
Profiles & Resources
Profiles
) in the list.
Select
VPN
to add a VPN profile.
On Android endpoints, enter the
Custom Data Key
(
use_default_browser_for_saml
). Enter the
Custom Data Value
(
true
).
On iOS endpoints, enter the
Custom Data Key
(
saml-use-default-browser
). Enter the
Custom Data Value
(
true
).

Click
Save and Publish
to save your changes.

Configure the Prisma Access portal to use Cloud Identity Engine authentication.

In the

Mobile_User_Template

, select

Network

GlobalProtect

Portals

GlobalProtect_Portal

Authentication

.

Select the

Default

GlobalProtect portal configuration.



Select the

Authentication Profile

you created for Cloud Identity Engine authentication and click

OK

.



Select

Agent

, then select the

Default

agent.



(

Optional

) If you have on-premises GlobalProtect gateways and want the Prisma Access gateway to generate a cookie to override authentication for on-premises gateways, select

Generate cookie for authentication override

.

(

Optional

) If you want Prisma Access to accept cookies from on-premises gateways that allows them to override authentication for Prisma Access, select

Accept cookie for authentication override

.

Click

OK

.



In the

App

settings, make sure that

Use Default Browser for SAML Authentication

is set to

Yes

.

Selecting this portal setting ensures that mobile users can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.

Click

OK

.



Configure the Prisma Access gateway to use Cloud Identity Engine authentication.

In the

Mobile_User_Template

, select

Network

GlobalProtect

Gateways

GlobalProtect_External_Gateway

.

Select

Authentication

.

Select the

Default

authentication profile.



Select the

Authentication Profile

you created for Cloud Identity Engine authentication and click

OK

.



Select

Agent

Client Settings

, then select the

Default

configuration.



(

Optional

) Select

Generate cookie for authentication override

and

Accept cookie for authentication override

.

When you use the Cloud Identity Engine for authentication, Palo Alto Networks recommends that you allow authentication cookie overrides on gateways, since you have already configured authentication on the portal. If you do not configure cookie overrides on the gateway, two authentication pages display on the mobile user’s default browser when they log in to a gateway—one page for portal authentication and one page for gateway authentication.

Click

OK

.



Complete the Cloud Identity Engine configuration in Panorama.

Select
Panorama
Setup
Management
and
Edit
the
Authentication Settings
, then select the
Authentication Profile
you created in Step 5.
Select
Panorama
Device Groups
and
Add
or
Edit
a device group.
Select the
Cloud Identity Engine
and
Add
the Cloud Identity Engine instance you want to associate with Panorama; then, click
OK
.

Commit and Push

your changes.

Verify that the Cloud Identity Engine is successfully authenticating your mobile users.

On a mobile user endpoint, open the GlobalProtect app (minimum GlobalProtect version of 6.0 required).

If prompted,

Get Started

.



Enter the

Portal

URL in the app and

Connect

to it.



When you are challenged for authentication, verify that you are redirected to the SAML IdP and are presented with a login page.

After you successfully authenticate to the SAML IdP, it redirects you to Prisma Access. Prisma Access then validates the SAML responses from the SAML IdP and the mobile user is able to log in to the GlobalProtect portal.

Enter your credentials to log in.



After you have successfully logged in,

Open GlobalProtect

in the browser or, if you are provided with a URL,

Click Here

to open the GlobalProtect app.



If your system browser prompts you to allow opening GlobalProtect in the browser,

Allow

it.



Verify that you receive a banner from the GlobalProtect app, indicating that you are

Connected

to GlobalProtect and showing the GlobalProtect

Portal

and

Gateway

.



(

Optional

) To see more information about the GlobalProtect connection, select

Settings

from the GlobalProtect app.

From this area, you can see the user that is logged in, view connection statistics and notifications, and download GlobalProtect logs for

Troubleshooting

.