Setting up SAML authentication for GlobalProtect users involves creating a server
profile, importing the SAML metadata file from the identity provider, and configuring the
authentication profile. GlobalProtect supports Remote Access VPN with Pre-Logon with SAML
authentication beginning with GlobalProtect app 5.0.
Security Assertion Markup Language (SAML)
is an XML-based, open-standard data format used to exchange authentication
and authorization data between parties, specifically between an
identity provider (IdP) and a service provider. SAML is a product
of the OASIS Security Services Technical Committee.
1. Create a server profile.
   The server profile identifies the external authentication service and instructs the firewall on how to connect to that authentication service and access the authentication credentials for your users.
   The following steps describe how you can import a SAML metadata file from the IdP so that the firewall can automatically create a server profile and populate the connection, registration, and IdP certificate information. If the IdP does not provide a metadata file, add a SAML Identity Provider server profile manually.
   1. Export the SAML metadata file from the IdP to an endpoint that the firewall can access. Refer to your IdP documentation for instructions on how to export the file.
   2. Under SAML Identity Provider, import the metadata file onto the firewall.
   3. Enter a name for the server profile.
   4. Browse for the metadata file.
   5. Select Validate Identity Provider Certificate so that the firewall validates the IdP certificate. Validation occurs only after you assign the server profile to an authentication profile and commit the changes. The firewall uses the certificate profile within the authentication profile to validate the certificate.
   6. Enter the Maximum Clock Skew, which is the allowed system time difference (in seconds) between the IdP and the firewall when the firewall validates IdP messages. The default value is 60 seconds, and the range is 1 to 900 seconds. If the difference exceeds this value, authentication fails.
   7. Save the server profile.
2. Create an authentication profile.
   The authentication profile specifies the server profile that the portal or gateways use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles to one or more client authentication profiles. For more information on how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
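As an added example (not code from the GlobalProtect or PAN-OS documentation), the following Python shows what a service provider pulls out of an IdP metadata file when it imports it (entity ID, SSO endpoint, signing certificate) and how a Maximum Clock Skew check with the documented 60-second default and 1 to 900 range behaves. The metadata document, the idp.example.test URLs and the certificate bytes are constructed placeholders.

```python
# Added example, not Palo Alto Networks code: what a service provider extracts when it
# imports IdP metadata, and how a Maximum Clock Skew check behaves. Metadata below is
# constructed; the entityID, URLs and certificate bytes are placeholders.
import base64
import xml.etree.ElementTree as ET   # prefer defusedxml for metadata from untrusted sources
from datetime import datetime, timedelta

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the fields a server profile is populated from: entity ID, SSO URL, signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        # DER bytes of the IdP signing certificate, the value a certificate profile validates
        "signing_cert_der": base64.b64decode("".join(cert.text.split())),
    }


def _ts(s):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def within_clock_skew(issue_instant, not_before, not_on_or_after, now, max_skew_seconds=60):
    """Maximum Clock Skew rule (default 60 s, range 1-900 s): reject an IdP message whose
    timestamps differ from the validating side's clock by more than the allowed skew."""
    if not 1 <= max_skew_seconds <= 900:
        raise ValueError("max clock skew must be between 1 and 900 seconds")
    skew = timedelta(seconds=max_skew_seconds)
    now = _ts(now)
    if abs(now - _ts(issue_instant)) > skew:  # IdP clock too far from the firewall's clock
        return False
    return now + skew >= _ts(not_before) and now - skew < _ts(not_on_or_after)
```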